Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1503720
MD5:	722a21a12025094cefd6de00ab539383
SHA1:	00c7867204dcb23a342cdbcb915d042919569a05
SHA256:	88327e1bf9762bc4429d9799ada169121b27b1e59c4f3d7fcfda877065bf1038
Tags:	exe
Infos:

Detection

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of debugger detection

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Maps a DLL or memory area into another process

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Sleep loop found (likely to delay execution)

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

file.exe (PID: 5052 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 722A21A12025094CEFD6DE00AB539383)

msedge.exe (PID: 5252 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password MD5: BF154738460E4AB1D388970E1AB13FAB)

msedge.exe (PID: 7060 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2096 --field-trial-handle=2044,i,12484681974237658777,1687954805475692513,262144 --disable-features=TranslateUI /prefetch:3 MD5: BF154738460E4AB1D388970E1AB13FAB)

msedge.exe (PID: 7056 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate MD5: BF154738460E4AB1D388970E1AB13FAB)

msedge.exe (PID: 7444 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2444 --field-trial-handle=2244,i,13084584308620272339,12385267225017742810,262144 --disable-features=TranslateUI /prefetch:3 MD5: BF154738460E4AB1D388970E1AB13FAB)

msedge.exe (PID: 8532 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=5584 --field-trial-handle=2244,i,13084584308620272339,12385267225017742810,262144 --disable-features=TranslateUI /prefetch:8 MD5: BF154738460E4AB1D388970E1AB13FAB)

msedge.exe (PID: 8540 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=6264 --field-trial-handle=2244,i,13084584308620272339,12385267225017742810,262144 --disable-features=TranslateUI /prefetch:8 MD5: BF154738460E4AB1D388970E1AB13FAB)

identity_helper.exe (PID: 8620 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=4708 --field-trial-handle=2244,i,13084584308620272339,12385267225017742810,262144 --disable-features=TranslateUI /prefetch:8 MD5: F8CEC3E43A6305AC9BA3700131594306)

identity_helper.exe (PID: 8632 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=4708 --field-trial-handle=2244,i,13084584308620272339,12385267225017742810,262144 --disable-features=TranslateUI /prefetch:8 MD5: F8CEC3E43A6305AC9BA3700131594306)

msedge.exe (PID: 8912 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start /prefetch:5 MD5: BF154738460E4AB1D388970E1AB13FAB)

msedge.exe (PID: 9156 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2892 --field-trial-handle=2268,i,12884952612469409044,15485051548793608583,262144 /prefetch:3 MD5: BF154738460E4AB1D388970E1AB13FAB)

msedge.exe (PID: 8848 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=4320 --field-trial-handle=2268,i,12884952612469409044,15485051548793608583,262144 /prefetch:8 MD5: BF154738460E4AB1D388970E1AB13FAB)

msedge.exe (PID: 7652 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start /prefetch:5 MD5: BF154738460E4AB1D388970E1AB13FAB)

msedge.exe (PID: 9196 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=3104 --field-trial-handle=2592,i,12348527883109594420,1140331440356557210,262144 /prefetch:3 MD5: BF154738460E4AB1D388970E1AB13FAB)

cleanup

HTTP traffic detected: POST /dns-query HTTP/1.1Host: chrome.cloudflare-dns.comConnection: keep-aliveContent-Length: 128Accept: application/dns-messageAccept-Language: *User-Agent: ChromeAccept-Encoding: identityContent-Type: application/dns-message

Source: file.exe, 00000000.00000002.3362729660.0000000000E50000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.3362729660.0000000000E39000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.c
Source: data_10.6.dr	String found in binary or memory: https://arc.msn.com/v4/api/selection?placement=88000360&nct=1&fmt=json&ADEFAB=1&OPSYS=WIN10&locale=e
Source: data_10.6.dr	String found in binary or memory: https://azureedge.net
Source: Reporting and NEL0.6.dr	String found in binary or memory: https://bzib.nelreports.net/api/report?cat=bingbusiness
Source: Web Data.5.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: Web Data.5.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: Web Data.5.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: Web Data.5.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: Web Data.5.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: data_10.6.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/arbitration_priority_list/4.0.5/asset?assetgroup=Arbit
Source: data_10.6.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/domains_config_gz/2.8.76/asset?assetgroup=EntityExtrac
Source: data_10.6.dr	String found in binary or memory: https://msn.com
Source: Web Data.5.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: Top Sites.5.dr	String found in binary or memory: https://www.office.com/
Source: Top Sites.5.dr	String found in binary or memory: https://www.office.com/Office

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: unknown	HTTPS traffic detected: 20.197.71.89:443 -> 192.168.2.6:49720 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.6:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.6:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.197.71.89:443 -> 192.168.2.6:49750 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.127.169.103:443 -> 192.168.2.6:49751 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.197.71.89:443 -> 192.168.2.6:49755 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.197.71.89:443 -> 192.168.2.6:49756 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.127.169.103:443 -> 192.168.2.6:49757 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.197.71.89:443 -> 192.168.2.6:49761 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.197.71.89:443 -> 192.168.2.6:49763 version: TLS 1.2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0073EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_0073EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0073ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_0073ED6A

Source: C:\Users\user\Desktop\file.exe

0_2_0073EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0072AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_0072AA57

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00759576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00759576

System Summary

Binary is likely a compiled AutoIt script file

Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: file.exe, 00000000.00000000.2102889414.0000000000782000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_77c75c4f-1
Source: file.exe, 00000000.00000000.2102889414.0000000000782000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_e0ee6e84-e
Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_83d92822-c
Source: file.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_e352fc7a-f

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0072D5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_0072D5EB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00721201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00721201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0072E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_0072E8F6

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006C8060	0_2_006C8060
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00732046	0_2_00732046
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00728298	0_2_00728298
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006FE4FF	0_2_006FE4FF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006F676B	0_2_006F676B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00754873	0_2_00754873
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006CCAF0	0_2_006CCAF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006ECAA0	0_2_006ECAA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006DCC39	0_2_006DCC39
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006F6DD9	0_2_006F6DD9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006DB119	0_2_006DB119
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006C91C0	0_2_006C91C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006E1394	0_2_006E1394
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006E781B	0_2_006E781B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006D997D	0_2_006D997D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006C7920	0_2_006C7920
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006E7A4A	0_2_006E7A4A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006E7CA7	0_2_006E7CA7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0074BE44	0_2_0074BE44
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006F9EEE	0_2_006F9EEE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006CBF40	0_2_006CBF40

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 006DF9F2 appears 40 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 006E0A30 appears 46 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 006C9CB3 appears 31 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal72.evad.winEXE@73/297@12/11

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007337B5 GetLastError,FormatMessageW,

0_2_007337B5

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007210BF AdjustTokenPrivileges,CloseHandle,		0_2_007210BF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007216C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_007216C3

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007351CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_007351CD

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0074A67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_0074A67C

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0073648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_0073648E

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_006C42A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_006C42A2

Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

File created: C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk

Jump to behavior

Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

File created: C:\Users\user\AppData\Local\Temp\d33544c0-992b-4e13-a336-462b7ef1ccff.tmp

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Login Data.5.dr

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: file.exe

ReversingLabs: Detection: 21%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2096 --field-trial-handle=2044,i,12484681974237658777,1687954805475692513,262144 --disable-features=TranslateUI /prefetch:3
Source: unknown	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2444 --field-trial-handle=2244,i,13084584308620272339,12385267225017742810,262144 --disable-features=TranslateUI /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=5584 --field-trial-handle=2244,i,13084584308620272339,12385267225017742810,262144 --disable-features=TranslateUI /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=6264 --field-trial-handle=2244,i,13084584308620272339,12385267225017742810,262144 --disable-features=TranslateUI /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\identity_helper.exe "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=4708 --field-trial-handle=2244,i,13084584308620272339,12385267225017742810,262144 --disable-features=TranslateUI /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\identity_helper.exe "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=4708 --field-trial-handle=2244,i,13084584308620272339,12385267225017742810,262144 --disable-features=TranslateUI /prefetch:8
Source: unknown	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start /prefetch:5
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2892 --field-trial-handle=2268,i,12884952612469409044,15485051548793608583,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=4320 --field-trial-handle=2268,i,12884952612469409044,15485051548793608583,262144 /prefetch:8
Source: unknown	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start /prefetch:5
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=3104 --field-trial-handle=2592,i,12348527883109594420,1140331440356557210,262144 /prefetch:3
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2096 --field-trial-handle=2044,i,12484681974237658777,1687954805475692513,262144 --disable-features=TranslateUI /prefetch:3	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2444 --field-trial-handle=2244,i,13084584308620272339,12385267225017742810,262144 --disable-features=TranslateUI /prefetch:3	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=5584 --field-trial-handle=2244,i,13084584308620272339,12385267225017742810,262144 --disable-features=TranslateUI /prefetch:8	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=6264 --field-trial-handle=2244,i,13084584308620272339,12385267225017742810,262144 --disable-features=TranslateUI /prefetch:8	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\identity_helper.exe "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=4708 --field-trial-handle=2244,i,13084584308620272339,12385267225017742810,262144 --disable-features=TranslateUI /prefetch:8	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\identity_helper.exe "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=4708 --field-trial-handle=2244,i,13084584308620272339,12385267225017742810,262144 --disable-features=TranslateUI /prefetch:8	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2892 --field-trial-handle=2268,i,12884952612469409044,15485051548793608583,262144 /prefetch:3	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=4320 --field-trial-handle=2268,i,12884952612469409044,15485051548793608583,262144 /prefetch:8	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=3104 --field-trial-handle=2592,i,12348527883109594420,1140331440356557210,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_006C42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_006C42DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_006E0A76 push ecx; ret

0_2_006E0A89

Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run MicrosoftEdgeAutoLaunch_514DE308F6F4B9B80A28CF3B7E19969F			Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run MicrosoftEdgeAutoLaunch_514DE308F6F4B9B80A28CF3B7E19969F			Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006DF98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_006DF98E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00751C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00751C41

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\file.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-94750

Source: C:\Users\user\Desktop\file.exe

Window / User API: threadDelayed 6622

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

API coverage: 3.3 %

Source: C:\Users\user\Desktop\file.exe TID: 4340

Thread sleep time: -66220s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe

Thread sleep count: Count: 6622 delay: -10

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0072DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0072DBBE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006FC2A2 FindFirstFileExW,	0_2_006FC2A2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007368EE FindFirstFileW,FindClose,	0_2_007368EE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0073698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_0073698F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0072D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0072D076
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0072D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0072D3A9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00739642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00739642
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0073979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0073979D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00739B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00739B2B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00735C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00735C97

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_006C42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_006C42DE

Source: Web Data.13.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
Source: Web Data.13.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696487552\|UE
Source: Web Data.13.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
Source: Web Data.13.dr	Binary or memory string: discord.comVMware20,11696487552f
Source: Web Data.13.dr	Binary or memory string: bankofamerica.comVMware20,11696487552x
Source: Web Data.13.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
Source: Web Data.13.dr	Binary or memory string: ms.portal.azure.comVMware20,11696487552
Source: Web Data.13.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
Source: Web Data.13.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: Web Data.13.dr	Binary or memory string: global block list test formVMware20,11696487552
Source: Web Data.13.dr	Binary or memory string: tasks.office.comVMware20,11696487552o
Source: Web Data.13.dr	Binary or memory string: AMC password management pageVMware20,11696487552
Source: Web Data.13.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
Source: Web Data.13.dr	Binary or memory string: interactivebrokers.comVMware20,11696487552
Source: Web Data.13.dr	Binary or memory string: dev.azure.comVMware20,11696487552j
Source: Web Data.13.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
Source: Web Data.13.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
Source: Web Data.13.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
Source: Web Data.13.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
Source: Web Data.13.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
Source: Web Data.13.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
Source: Web Data.13.dr	Binary or memory string: outlook.office365.comVMware20,11696487552t
Source: Web Data.13.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
Source: Web Data.13.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
Source: Web Data.13.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
Source: Web Data.13.dr	Binary or memory string: outlook.office.comVMware20,11696487552s
Source: Web Data.13.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
Source: Web Data.13.dr	Binary or memory string: turbotax.intuit.comVMware20,11696487552t
Source: Web Data.13.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
Source: Web Data.13.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
Source: Web Data.13.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552

Anti Debugging

Found API chain indicative of debugger detection

Source: C:\Users\user\Desktop\file.exe

Debugger detection routine: QueryPerformanceCounter, DebugActiveProcess, DecisionNodes, ExitProcess or Sleep

graph_0-94850

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0073EAA2 BlockInput,

0_2_0073EAA2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_006F2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_006F2622

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_006C42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_006C42DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_006E4CE8 mov eax, dword ptr fs:[00000030h]

0_2_006E4CE8

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00720B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00720B62

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006F2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_006F2622
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006E083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_006E083F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006E09D5 SetUnhandledExceptionFilter,	0_2_006E09D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006E0C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_006E0C21

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Section loaded: NULL target: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\identity_helper.exe protection: readonly

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

0_2_00721201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00702BA5 SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00702BA5

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0072B226 SendInput,keybd_event,

0_2_0072B226

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007422DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_007422DA

Source: C:\Users\user\Desktop\file.exe

0_2_00720B62

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00721663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00721663

Source: file.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: file.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_006E0698 cpuid

0_2_006E0698

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00738195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_00738195

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0071D27A GetUserNameW,

0_2_0071D27A

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_006FB952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

0_2_006FB952

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_006C42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_006C42DE

Source: file.exe	Binary or memory string: WIN_81
Source: file.exe	Binary or memory string: WIN_XP
Source: file.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: file.exe	Binary or memory string: WIN_XPe
Source: file.exe	Binary or memory string: WIN_VISTA
Source: file.exe	Binary or memory string: WIN_7
Source: file.exe	Binary or memory string: WIN_8

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00741204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_00741204
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00741806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00741806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 Registry Run Keys / Startup Folder	2 Valid Accounts	2 Obfuscated Files or Information	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	15 System Information Discovery	Distributed Component Object Model	Input Capture	14 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	12 Process Injection	1 Masquerading	LSA Secrets	221 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	1 Registry Run Keys / Startup Folder	2 Valid Accounts	Cached Domain Credentials	22 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	22 Virtualization/Sandbox Evasion	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	12 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	21%	ReversingLabs
file.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
https://duckduckgo.com/chrome_newtab	0%	URL Reputation	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	URL Reputation	safe
https://bzib.nelreports.net/api/report?cat=bingbusiness	0%	URL Reputation	safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0%	URL Reputation	safe
https://duckduckgo.com/ac/?q=	0%	URL Reputation	safe
https://chrome.cloudflare-dns.com/dns-query	0%	URL Reputation	safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	0%	URL Reputation	safe
https://www.office.com/	0%	Avira URL Cloud	safe
https://www.office.com/Office	0%	Avira URL Cloud	safe
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	0%	Avira URL Cloud	safe
https://msn.com	0%	Avira URL Cloud	safe
https://www.google.com/favicon.ico	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
s-part-0014.t-0009.t-msedge.net	13.107.246.42	true	false	unknown
chrome.cloudflare-dns.com	162.159.61.3	true	false	unknown
bzib.nelreports.net	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://chrome.cloudflare-dns.com/dns-query	false	URL Reputation: safe	unknown
https://www.google.com/favicon.ico	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.office.com/	Top Sites.5.dr	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/chrome_newtab	Web Data.5.dr	false	URL Reputation: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	Web Data.5.dr	false	URL Reputation: safe	unknown
https://www.office.com/Office	Top Sites.5.dr	false	Avira URL Cloud: safe	unknown
https://bzib.nelreports.net/api/report?cat=bingbusiness	Reporting and NEL0.6.dr	false	URL Reputation: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	Web Data.5.dr	false	URL Reputation: safe	unknown
https://duckduckgo.com/ac/?q=	Web Data.5.dr	false	URL Reputation: safe	unknown
https://msn.com	data_10.6.dr	false	Avira URL Cloud: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	Web Data.5.dr	false	Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	Web Data.5.dr	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
13.107.246.42	s-part-0014.t-0009.t-msedge.net	United States	8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
142.250.65.174	unknown	United States	15169	GOOGLEUS	false
23.55.235.170	unknown	United States	20940	AKAMAI-ASN1EU	false
162.159.61.3	chrome.cloudflare-dns.com	United States	13335	CLOUDFLARENETUS	false
142.251.40.110	unknown	United States	15169	GOOGLEUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
142.250.65.164	unknown	United States	15169	GOOGLEUS	false
172.64.41.3	unknown	United States	13335	CLOUDFLARENETUS	false
172.253.115.84	unknown	United States	15169	GOOGLEUS	false

Private

IP
192.168.2.4
192.168.2.6

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1503720
Start date and time:	2024-09-03 21:44:08 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 46s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	22
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal72.evad.winEXE@73/297@12/11
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 97% Number of executed functions: 40 Number of non-executed functions: 315
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, RuntimeBroker.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 13.107.42.16, 74.125.71.84, 13.107.6.158, 204.79.197.239, 13.107.21.239, 2.19.126.143, 2.19.126.152, 142.250.185.227, 172.217.16.195, 2.23.209.156, 2.23.209.135, 2.23.209.133, 2.23.209.140, 2.23.209.131, 2.23.209.132, 2.23.209.130, 2.23.209.154, 2.23.209.143, 20.103.156.88, 192.229.221.95, 217.20.57.23, 199.232.214.172, 142.250.65.163, 142.251.40.195, 142.251.32.99, 142.251.40.227, 142.250.72.99
Excluded domains from analysis (whitelisted): config.edge.skype.com.trafficmanager.net, slscr.update.microsoft.com, a416.dscd.akamai.net, edgeassetservice.afd.azureedge.net, arc.msn.com, iris-de-prod-azsc-v2-weu.westeurope.cloudapp.azure.com, e86303.dscx.akamaiedge.net, ocsp.digicert.com, www.bing.com.edgekey.net, config-edge-skype.l-0007.l-msedge.net, msedge.b.tlu.dl.delivery.mp.microsoft.com, arc.trafficmanager.net, www.gstatic.com, l-0007.l-msedge.net, config.edge.skype.com, www.bing.com, edge-microsoft-com.dual-a-0036.a-msedge.net, client.wns.windows.com, fs.microsoft.com, accounts.google.com, bzib.nelreports.net.akamaized.net, fonts.gstatic.com, ctldl.windowsupdate.com, b-0005.b-msedge.net, www-www.bing.com.trafficmanager.net, edge.microsoft.com, business-bing-com.b-0005.b-msedge.net, fe3cr.delivery.mp.microsoft.com, l-0007.config.skype.com, edgeassetservice.azureedge.net, azureedge-t-prod.trafficmanager.net, business.bing.com, dual-a-0036.a-msedge.net
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtWriteVirtualMemory calls found.
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

Time	Type	Description
21:45:04	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run MicrosoftEdgeAutoLaunch_514DE308F6F4B9B80A28CF3B7E19969F "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start /prefetch:5
21:45:12	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run MicrosoftEdgeAutoLaunch_514DE308F6F4B9B80A28CF3B7E19969F "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start /prefetch:5

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
13.107.246.42	https://protect-us.mimecast.com/s/FVibCzpzxLsxEMXAhgAOBC	Get hash	malicious	Unknown	Browse	www.mimecast.com/Customers/Support/Contact-support/
	http://border-fd.smartertechnologies.com/	Get hash	malicious	Unknown	Browse	border-fd.smartertechnologies.com/
	https://protect-us.mimecast.com/s/4MrPCrkvgotDWxrNCzxa8p	Get hash	malicious	Unknown	Browse	www.mimecast.com/
162.159.61.3	PO#86637.lzh	Get hash	malicious	FormBook	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	https://static.rock.so/file/mAm512rA~/mAm512rA/2d214e336544c4cd0b1aaafcfffd0f29/HarringtonElectric.pdf	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	LETTER ATTACHED.pdf	Get hash	malicious	HTMLPhisher	Browse
	SIT_COM.PDF	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe	Get hash	malicious	Unknown	Browse
239.255.255.250	https://click.pstmrk.it/3s/click.pstmrk.it%2F3s%2Ft.co%252F9zLRvoTSJ3%2FqhjS%2FdMa3AQ%2FAQ%2Fd8fb46f6-a445-4c1d-95f0-1ad5d4ae249c%2F1%2Fp2EsbVgnTk/qhjS/dsa3AQ/AQ/50295fe4-37d7-4d58-811e-e2de345391e5/1/eOXWkR-X2O	Get hash	malicious	HTMLPhisher	Browse
	https://mggl.clovertix.com/mNwu/	Get hash	malicious	HTMLPhisher	Browse
	https://atpscan.global.hornetsecurity.com/index.php?atp_str=JXO3llrC97LYt_ypBDUoorYJESJf_lVgqG94Q8CbqZFSucjhJ8shDRR62UMpOfWQEisKw1UhsaXC2ei6wkJxZ78OKelMPUchf388beflwplmZ9bsAPTRZu8n2NfDqe2KOq7qiRxW9yxw4ZvRTonwJ07YfeXP0wQbvM2OFZWKje16pzGewsFyDVh5wRpEWnv0S9MgBr6GHEuMWbm1mAAXlTqLCgPJeXvAjfP8eHiPv4oozYP6pyTpRvkqdbjPLuTxQioCKIkn36kINOGd5zWy55BalBA1C-XppBzBxrZorCxNjXPTfp7EqG_ugHFutapq8UvczmG4Izo6I53rM9MZbHlXhpjq_iM6OiP6x3HRdgKt2jAlBNssK8G1	Get hash	malicious	Unknown	Browse
	http://email.mg.a3p.org/c/eJwUyr2OhCAQAOCngZIMM8NfQXGN7zEqihc9jeAlu0-_2f6bM_lCumQb0FEkBNA1F8eJKboQmRMGiinNhJ7GxTKA9XrLCMiQgGwAz2CSdQsuThxYmIIExXCsRugy573qPdfer6boR-GgcBjl79Wu8-7NTOehcJi31vWdf4_nvSkGedandalF9l6_RP9n_AQAAP__rwMw2Q	Get hash	malicious	Unknown	Browse
	http://images.revcontent.com	Get hash	malicious	HTMLPhisher	Browse
	PO#86637.lzh	Get hash	malicious	FormBook	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	https://cwayq.ru/smt/Link.htm	Get hash	malicious	Unknown	Browse
	malicious.html	Get hash	malicious	HTMLPhisher	Browse
	https://www.louisvillesports.org/	Get hash	malicious	Unknown	Browse
23.55.235.170	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Amadey, Stealc	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	GrammarlyInstaller.evxSw76fmxki94ued2mj0c82.exe	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s-part-0014.t-0009.t-msedge.net	malicious.html	Get hash	malicious	HTMLPhisher	Browse	13.107.246.42
	https://customervoice.microsoft.com/Pages/ResponsePage.aspx?id=lTCgUqihHkmFBEet2SbJL2ghryGY169Ih8KbdC_V2rZUQUFOTzhQMTZVVVI2V1RWNjNGNFhXRjdWVy4u&d=DwMFAg	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse	13.107.246.42
	file.exe	Get hash	malicious	Unknown	Browse	13.107.246.42
	PossiblePhishing.html	Get hash	malicious	HTMLPhisher	Browse	13.107.246.42
	https://1drv.ms/o/s!Anj1aub9f0oSf85OHsWb-1KGYts?e=cSo5yQ	Get hash	malicious	Unknown	Browse	13.107.246.42
	https://demo.testfire.net/login.jsp	Get hash	malicious	Unknown	Browse	13.107.246.42
	http://www.porschecentreglasgow.co.uk	Get hash	malicious	Unknown	Browse	13.107.246.42
	https://forms.office.com/e/SK99GFntNY%9C%D1%96%D165qvqrYAVfmSXl6ObkQscukzhydtenmpez65qvqrYAVfmSXl6ObkQs?owla=529Kjosg2d	Get hash	malicious	HTMLPhisher	Browse	13.107.246.42
	file.exe	Get hash	malicious	Unknown	Browse	13.107.246.42
	https://pharmakon-my.sharepoint.com/:f:/g/personal/338im_apoteket_dk/EpWA_muYfpxOnnnQ0_fk-tQBEy5E4DvZpPAK2CbbLIvKuA?e=ORDGlm	Get hash	malicious	Unknown	Browse	13.107.246.42
chrome.cloudflare-dns.com	PO#86637.lzh	Get hash	malicious	FormBook	Browse	162.159.61.3
	file.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	https://static.rock.so/file/mAm512rA~/mAm512rA/2d214e336544c4cd0b1aaafcfffd0f29/HarringtonElectric.pdf	Get hash	malicious	Unknown	Browse	162.159.61.3
	file.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	file.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	file.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	file.exe	Get hash	malicious	Unknown	Browse	162.159.61.3
	https://xz0816.cn/	Get hash	malicious	Unknown	Browse	162.159.61.3
	file.exe	Get hash	malicious	Unknown	Browse	162.159.61.3
	file.exe	Get hash	malicious	Unknown	Browse	162.159.61.3

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AKAMAI-ASN1EU	PO#86637.lzh	Get hash	malicious	FormBook	Browse	23.59.250.83
	file.exe	Get hash	malicious	Unknown	Browse	23.44.133.38
	https://customervoice.microsoft.com/Pages/ResponsePage.aspx?id=lTCgUqihHkmFBEet2SbJL2ghryGY169Ih8KbdC_V2rZUQUFOTzhQMTZVVVI2V1RWNjNGNFhXRjdWVy4u&d=DwMFAg	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse	104.83.5.113
	Pensacola Country Club.pdf	Get hash	malicious	Unknown	Browse	2.16.241.17
	file.exe	Get hash	malicious	Unknown	Browse	23.200.0.42
	https://xop.cjm.mybluehost.me/epubs/2022/AFI/shelves/22Q2-AFI-Motion-Shelf/	Get hash	malicious	Phisher	Browse	2.16.238.162
	http://bestbuy.beautybyjoulexa.com.au/citrix/fxc/bWljaGFlbHNjb2ZpZWxkQGRpc25leS5jb20=	Get hash	malicious	HTMLPhisher	Browse	2.16.241.15
	https://bergtool-my.sharepoint.com/:f:/p/officemgr/EkAEY_TxWUpGjuhgV5jRSO8BD2acB1HjNb72Far_j2tXBg?e=T7fVyK	Get hash	malicious	EvilProxy	Browse	2.16.241.15
	http://partmopspot.info/?utm_campaign=y0rsMyowMImIDv9DTSX69oig88PrjKrJ9agQ3DpV-9I1&t=back4	Get hash	malicious	Unknown	Browse	23.67.131.82
	LETTER ATTACHED.pdf	Get hash	malicious	HTMLPhisher	Browse	2.16.100.168
CLOUDFLARENETUS	https://click.pstmrk.it/3s/click.pstmrk.it%2F3s%2Ft.co%252F9zLRvoTSJ3%2FqhjS%2FdMa3AQ%2FAQ%2Fd8fb46f6-a445-4c1d-95f0-1ad5d4ae249c%2F1%2Fp2EsbVgnTk/qhjS/dsa3AQ/AQ/50295fe4-37d7-4d58-811e-e2de345391e5/1/eOXWkR-X2O	Get hash	malicious	HTMLPhisher	Browse	172.66.0.227
	https://mggl.clovertix.com/mNwu/	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	SecuriteInfo.com.Other.Malware-gen.18317.3179.xlsx	Get hash	malicious	Unknown	Browse	188.114.96.3
	SecuriteInfo.com.Other.Malware-gen.18317.3179.xlsx	Get hash	malicious	Unknown	Browse	188.114.96.3
	SecuriteInfo.com.Other.Malware-gen.18317.3179.xlsx	Get hash	malicious	Unknown	Browse	188.114.96.3
	SecuriteInfo.com.Trojan.GenericKD.73998107.10440.22732.xlsx	Get hash	malicious	Unknown	Browse	188.114.96.3
	Global#U0421h#U0435#U0430ts.exe	Get hash	malicious	LummaC	Browse	104.21.69.149
	https://atpscan.global.hornetsecurity.com/index.php?atp_str=JXO3llrC97LYt_ypBDUoorYJESJf_lVgqG94Q8CbqZFSucjhJ8shDRR62UMpOfWQEisKw1UhsaXC2ei6wkJxZ78OKelMPUchf388beflwplmZ9bsAPTRZu8n2NfDqe2KOq7qiRxW9yxw4ZvRTonwJ07YfeXP0wQbvM2OFZWKje16pzGewsFyDVh5wRpEWnv0S9MgBr6GHEuMWbm1mAAXlTqLCgPJeXvAjfP8eHiPv4oozYP6pyTpRvkqdbjPLuTxQioCKIkn36kINOGd5zWy55BalBA1C-XppBzBxrZorCxNjXPTfp7EqG_ugHFutapq8UvczmG4Izo6I53rM9MZbHlXhpjq_iM6OiP6x3HRdgKt2jAlBNssK8G1	Get hash	malicious	Unknown	Browse	188.114.96.3
	PO#86637.lzh	Get hash	malicious	FormBook	Browse	172.64.41.3
	file.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
CLOUDFLARENETUS	https://click.pstmrk.it/3s/click.pstmrk.it%2F3s%2Ft.co%252F9zLRvoTSJ3%2FqhjS%2FdMa3AQ%2FAQ%2Fd8fb46f6-a445-4c1d-95f0-1ad5d4ae249c%2F1%2Fp2EsbVgnTk/qhjS/dsa3AQ/AQ/50295fe4-37d7-4d58-811e-e2de345391e5/1/eOXWkR-X2O	Get hash	malicious	HTMLPhisher	Browse	172.66.0.227
	https://mggl.clovertix.com/mNwu/	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	SecuriteInfo.com.Other.Malware-gen.18317.3179.xlsx	Get hash	malicious	Unknown	Browse	188.114.96.3
	SecuriteInfo.com.Other.Malware-gen.18317.3179.xlsx	Get hash	malicious	Unknown	Browse	188.114.96.3
	SecuriteInfo.com.Other.Malware-gen.18317.3179.xlsx	Get hash	malicious	Unknown	Browse	188.114.96.3
	SecuriteInfo.com.Trojan.GenericKD.73998107.10440.22732.xlsx	Get hash	malicious	Unknown	Browse	188.114.96.3
	Global#U0421h#U0435#U0430ts.exe	Get hash	malicious	LummaC	Browse	104.21.69.149
	https://atpscan.global.hornetsecurity.com/index.php?atp_str=JXO3llrC97LYt_ypBDUoorYJESJf_lVgqG94Q8CbqZFSucjhJ8shDRR62UMpOfWQEisKw1UhsaXC2ei6wkJxZ78OKelMPUchf388beflwplmZ9bsAPTRZu8n2NfDqe2KOq7qiRxW9yxw4ZvRTonwJ07YfeXP0wQbvM2OFZWKje16pzGewsFyDVh5wRpEWnv0S9MgBr6GHEuMWbm1mAAXlTqLCgPJeXvAjfP8eHiPv4oozYP6pyTpRvkqdbjPLuTxQioCKIkn36kINOGd5zWy55BalBA1C-XppBzBxrZorCxNjXPTfp7EqG_ugHFutapq8UvczmG4Izo6I53rM9MZbHlXhpjq_iM6OiP6x3HRdgKt2jAlBNssK8G1	Get hash	malicious	Unknown	Browse	188.114.96.3
	PO#86637.lzh	Get hash	malicious	FormBook	Browse	172.64.41.3
	file.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
MICROSOFT-CORP-MSN-AS-BLOCKUS	SecuriteInfo.com.Other.Malware-gen.18317.3179.xlsx	Get hash	malicious	Unknown	Browse	13.107.246.60
	PO#86637.lzh	Get hash	malicious	FormBook	Browse	94.245.104.56
	file.exe	Get hash	malicious	Unknown	Browse	20.75.60.91
	malicious.html	Get hash	malicious	HTMLPhisher	Browse	13.107.246.60
	https://docsend.com/view/s/p589qibnit8ety2y	Get hash	malicious	Unknown	Browse	150.171.27.10
	INVCherokeebrick.html	Get hash	malicious	Unknown	Browse	13.107.246.60
	file.exe	Get hash	malicious	Unknown	Browse	13.107.246.60
	https://customervoice.microsoft.com/Pages/ResponsePage.aspx?id=lTCgUqihHkmFBEet2SbJL2ghryGY169Ih8KbdC_V2rZUQUFOTzhQMTZVVVI2V1RWNjNGNFhXRjdWVy4u&d=DwMFAg	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse	13.107.21.237
	qkkcfptf.exe	Get hash	malicious	Tofsee	Browse	52.101.42.0
	vekvtia.exe	Get hash	malicious	Tofsee	Browse	52.101.8.49

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
28a2c9bd18a11de089ef85a160da29e4	https://click.pstmrk.it/3s/click.pstmrk.it%2F3s%2Ft.co%252F9zLRvoTSJ3%2FqhjS%2FdMa3AQ%2FAQ%2Fd8fb46f6-a445-4c1d-95f0-1ad5d4ae249c%2F1%2Fp2EsbVgnTk/qhjS/dsa3AQ/AQ/50295fe4-37d7-4d58-811e-e2de345391e5/1/eOXWkR-X2O	Get hash	malicious	HTMLPhisher	Browse	40.127.169.103 184.28.90.27
	https://mggl.clovertix.com/mNwu/	Get hash	malicious	HTMLPhisher	Browse	40.127.169.103 184.28.90.27
	https://atpscan.global.hornetsecurity.com/index.php?atp_str=JXO3llrC97LYt_ypBDUoorYJESJf_lVgqG94Q8CbqZFSucjhJ8shDRR62UMpOfWQEisKw1UhsaXC2ei6wkJxZ78OKelMPUchf388beflwplmZ9bsAPTRZu8n2NfDqe2KOq7qiRxW9yxw4ZvRTonwJ07YfeXP0wQbvM2OFZWKje16pzGewsFyDVh5wRpEWnv0S9MgBr6GHEuMWbm1mAAXlTqLCgPJeXvAjfP8eHiPv4oozYP6pyTpRvkqdbjPLuTxQioCKIkn36kINOGd5zWy55BalBA1C-XppBzBxrZorCxNjXPTfp7EqG_ugHFutapq8UvczmG4Izo6I53rM9MZbHlXhpjq_iM6OiP6x3HRdgKt2jAlBNssK8G1	Get hash	malicious	Unknown	Browse	40.127.169.103 184.28.90.27
	http://email.mg.a3p.org/c/eJwUyr2OhCAQAOCngZIMM8NfQXGN7zEqihc9jeAlu0-_2f6bM_lCumQb0FEkBNA1F8eJKboQmRMGiinNhJ7GxTKA9XrLCMiQgGwAz2CSdQsuThxYmIIExXCsRugy573qPdfer6boR-GgcBjl79Wu8-7NTOehcJi31vWdf4_nvSkGedandalF9l6_RP9n_AQAAP__rwMw2Q	Get hash	malicious	Unknown	Browse	40.127.169.103 184.28.90.27
	http://images.revcontent.com	Get hash	malicious	HTMLPhisher	Browse	40.127.169.103 184.28.90.27
	PO#86637.lzh	Get hash	malicious	FormBook	Browse	40.127.169.103 184.28.90.27
	file.exe	Get hash	malicious	Unknown	Browse	40.127.169.103 184.28.90.27
	https://cwayq.ru/smt/Link.htm	Get hash	malicious	Unknown	Browse	40.127.169.103 184.28.90.27
	malicious.html	Get hash	malicious	HTMLPhisher	Browse	40.127.169.103 184.28.90.27
	https://www.louisvillesports.org/	Get hash	malicious	Unknown	Browse	40.127.169.103 184.28.90.27
3b5074b1b5d032e5620f69f9f700ff0e	PO#86637.lzh	Get hash	malicious	FormBook	Browse	20.197.71.89
	file.exe	Get hash	malicious	Unknown	Browse	20.197.71.89
	newvideozones.click.ps1	Get hash	malicious	Unknown	Browse	20.197.71.89
	provenotrobot.b-cdn.net.ps1	Get hash	malicious	Unknown	Browse	20.197.71.89
	spam-check1.b-cdn.net.ps1	Get hash	malicious	Unknown	Browse	20.197.71.89
	file.exe	Get hash	malicious	Unknown	Browse	20.197.71.89
	https://www.linkedin.com/redir/redirect?url=https://lookerstudio.google.com/s/o4pSLJjGIwU&urlhash=CUME&trk=article-ssr-frontend-pulse_little-text-block	Get hash	malicious	HTMLPhisher	Browse	20.197.71.89
	https://m.exactag.com/cl.aspx?extProvApi=sixt-crm_newsletter&extProvId=313&extPu=nl_rac_de&extLi=DE_COR_RENT_CRM_B2C_24_CW33_From%20Intermediate%20Push_ONT_NLW_de_DE_Streichpreis_138402&extCr=Footer_rent&extSi=nl_rac_de_2408_DE&url=http%3a%2f%2ftarumian.am/yaer/ZHdhcm5lckBmbGJsYXd5ZXJzLmNvbQ==	Get hash	malicious	Phisher	Browse	20.197.71.89
	Payment_USD305,000A98E8090KDHKS3300.exe	Get hash	malicious	LummaC Stealer, Snake Keylogger, VIP Keylogger	Browse	20.197.71.89

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2958
Entropy (8bit):	5.579727845960525
Encrypted:	false
SSDEEP:	48:YuBqDPEFMsFiHC0af9/4SA4rIkHB+tVdrxPvBTL5VRzwOJkX2oclwlRPA2ERE5:Xq8NkC1f9PA4rbBIZvR5zlJkGocSIHs
MD5:	EFD38DA713CA6FE0FE9B423D3913FB28
SHA1:	F365EEB5216EB341630EAD2640CE9466BA377262
SHA-256:	437B6F3A87E1F90E08112DEDD761774748A6D834F9591405AD3EEB6C9A56D782
SHA-512:	CDD9F7A0FED1EC0696B4CB6C4814214FDC4DDA9830F5A57511BF860B60079499B3B3734A8978B2754A0181521E7E020F15BDD3DBCA08BCCE104B5CFE0A4A79F1
Malicious:	false
Preview:	{"edge":{"perf_center":{"efficiency_mode_v2_is_active":false,"perf_game_mode":true,"performance_mode":3,"performance_mode_is_on":false},"tab_stabs":{"closed_without_unfreeze_never_unfrozen":0,"closed_without_unfreeze_previously_unfrozen":0,"discard_without_unfreeze_never_unfrozen":0,"discard_without_unfreeze_previously_unfrozen":0},"tab_stats":{"frozen_daily":0,"unfrozen_daily":0}},"hardware_acceleration_mode_previous":true,"legacy":{"profile":{"name":{"migrated":true}}},"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAAA3mo1C2vxPS5cYZvb18j1UEAAAAB4AAABNAGkAYwByAG8AcwBvAGYAdAAgAEUAZABnAGUAAAAQZgAAAAEAACAAAADxaKctnu6p51QbXzcec0yJJHRCERFOewneC7s2Q8cx4wAAAAAOgAAAAAIAACAAAADDQBNAyQ2e/fxXiNJwYS72m7RtJj6wBI1XfE15Cot+7DAAAAD8uFIVc3Ze0Ct/1F6l1WEnAdCApjj70vDAX/o95QolLMbu9d2jUaun9EdAdjkDztxAAAAAntEefTqjnDveTyCvBwLaSV25PAM0umDaPgRkrlkXEs0DDX9ldkwYyhGd+xYytZ+boi+rs7RJ7Ul3DoTV77Vgcw=="},"policy":{"last_statistics_update":"13369866297339807"},"profile":{"info_ca

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\5ecc7219-59ec-45ec-94b0-5c6bbb753c1e.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2958
Entropy (8bit):	5.579727845960525
Encrypted:	false
SSDEEP:	48:YuBqDPEFMsFiHC0af9/4SA4rIkHB+tVdrxPvBTL5VRzwOJkX2oclwlRPA2ERE5:Xq8NkC1f9PA4rbBIZvR5zlJkGocSIHs
MD5:	EFD38DA713CA6FE0FE9B423D3913FB28
SHA1:	F365EEB5216EB341630EAD2640CE9466BA377262
SHA-256:	437B6F3A87E1F90E08112DEDD761774748A6D834F9591405AD3EEB6C9A56D782
SHA-512:	CDD9F7A0FED1EC0696B4CB6C4814214FDC4DDA9830F5A57511BF860B60079499B3B3734A8978B2754A0181521E7E020F15BDD3DBCA08BCCE104B5CFE0A4A79F1
Malicious:	false
Preview:	{"edge":{"perf_center":{"efficiency_mode_v2_is_active":false,"perf_game_mode":true,"performance_mode":3,"performance_mode_is_on":false},"tab_stabs":{"closed_without_unfreeze_never_unfrozen":0,"closed_without_unfreeze_previously_unfrozen":0,"discard_without_unfreeze_never_unfrozen":0,"discard_without_unfreeze_previously_unfrozen":0},"tab_stats":{"frozen_daily":0,"unfrozen_daily":0}},"hardware_acceleration_mode_previous":true,"legacy":{"profile":{"name":{"migrated":true}}},"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAAA3mo1C2vxPS5cYZvb18j1UEAAAAB4AAABNAGkAYwByAG8AcwBvAGYAdAAgAEUAZABnAGUAAAAQZgAAAAEAACAAAADxaKctnu6p51QbXzcec0yJJHRCERFOewneC7s2Q8cx4wAAAAAOgAAAAAIAACAAAADDQBNAyQ2e/fxXiNJwYS72m7RtJj6wBI1XfE15Cot+7DAAAAD8uFIVc3Ze0Ct/1F6l1WEnAdCApjj70vDAX/o95QolLMbu9d2jUaun9EdAdjkDztxAAAAAntEefTqjnDveTyCvBwLaSV25PAM0umDaPgRkrlkXEs0DDX9ldkwYyhGd+xYytZ+boi+rs7RJ7Ul3DoTV77Vgcw=="},"policy":{"last_statistics_update":"13369866297339807"},"profile":{"info_ca

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\67f9a387-887d-47e1-813f-14827f39e251.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	20959
Entropy (8bit):	6.064910749167947
Encrypted:	false
SSDEEP:	384:i6tMGQ7LBjuYXGIgtDAW5u0TDJ2q03X8NBSbIb8GoIEN555LI0K:ZMGQ7FCYXGIgtDAWtJ4nob8GoIUI
MD5:	66D3AB2CEE6692377EAC3839091A55F0
SHA1:	0D1EDF818C357A07D52B1B7B96DB3E7C0E2107FB
SHA-256:	5055D06911726331DECD29D5F2E073D5027EF1D346B24F8502329BBBD44CB78F
SHA-512:	A34822092134063251EDC74ABF3A8633271CB0E06754AA8ED9EB9A6BD4F7DA2A217615E7926EA2C478D8DE010F15988BACBC8EDDFAC6FA636B9C438EF67D375F
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"5E25271B8190D943537AD3FDB50874FC133E8B4A00380E2A6A888D63386F728B\"","apps_count_check_time":"13369866299641235","domain_actions_config":"H4sIAAAAAAAAAL1dWZPktpH+KxP9ZDtU6GMujfykHY9txVpHyHIoYh2ODhBEkWiCAAdHVbEc/u+bCVb1dE8RqEqOdh806mbzw8VEXshM/PuKb27vha2luF9LHqKT96KVoru3G+mcquXVN/++4sOgleBBWeOvvvnn4YGs7wcLz8erb65+HMKPMVx9dVXbnisDT4wMa612TNj+6j9fUSA+xFpZPyH/9dVVQig59Wx4L5+Cwzjg799ubt/jJP48zeE9TuHwDjYBc/Ew+Ktvbv/z1ZWoe+rsjB4/7Abr5U+ajz9LXo9Px+21Mk1hoo/oX6HHjTLyKTjYyMJmCbLnO/hZMpjFAjSvxOIhbxgi5FK85m+ZCkuQu7UyKoxLO97yIFoYvbAluiw2oRoYgIQ2nG2AqJY2U+koRXQbbMm3fMsEX9JMK3GLbeAvNjhrlo5GOJiTA/oXLTdG6qXtmMBDiyS59PvY7eCklyb4QcfFi7tpdwu3VBt1XNorvM4+RiU6+CjD0kb+pHz7rRm3rXSyzABnWdKBG+Ijlx7hEE4QTzo+AB6fnDLLJBpo7PKv8Ob367/KjUg8mcY6CmCjTJCmtsWFOcUf5vj04cw0e1yZe2WAl8svFn5IC43jfc+dLnGrEyDwAicHCxNdhlrVa5LEtTgt5u2lAK02pd198r5dr5VYgHj55jUJZGTtlg0NlA7S5AnvB8l7z3olnPV2vfCLsugvBUH7vTVIe9Y151SnmS2Auyvcr5UGYXBvzT2s0L3fKpCZl+2D91MLf04NPNNUni9BZmDP4Sfjk2Ig7ktgg8r8InfhHz//zSP7e8bquWlsDJ411j

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\68408403-595b-428c-aca4-b0af2d9d44f9.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3335
Entropy (8bit):	5.60108104631701
Encrypted:	false
SSDEEP:	96:0q8NkC1f9PA4rriBIZvROCZJkGocmSDS4S4SDSne4a:/8NbfPqLCfkGol
MD5:	121B48EE0C51560B01B396FAB0782F2B
SHA1:	13CCAC62E8A342C76E11741BB2EB4CF4FCEFE3D0
SHA-256:	20966E3B5DB686D3E97F9635014FF24BE4C0B3E5959666F98E72AF37AB520C07
SHA-512:	A6DC912F79B7E81F194680EA4E33EBB48EEF21AE9A3D9F79F03510F452831B4FF045BB649AA41F4D857D26001D8482A37946CCF03634BF6383AA26FBD318E2E5
Malicious:	false
Preview:	{"dual_user":{"ie_to_edge":{"redirection_mode":0}},"edge":{"perf_center":{"efficiency_mode_v2_is_active":false,"perf_game_mode":true,"performance_mode":3,"performance_mode_is_on":false},"tab_stabs":{"closed_without_unfreeze_never_unfrozen":0,"closed_without_unfreeze_previously_unfrozen":0,"discard_without_unfreeze_never_unfrozen":0,"discard_without_unfreeze_previously_unfrozen":0},"tab_stats":{"frozen_daily":0,"unfrozen_daily":0}},"hardware_acceleration_mode_previous":true,"legacy":{"profile":{"name":{"migrated":true}}},"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAAA3mo1C2vxPS5cYZvb18j1UEAAAAB4AAABNAGkAYwByAG8AcwBvAGYAdAAgAEUAZABnAGUAAAAQZgAAAAEAACAAAADxaKctnu6p51QbXzcec0yJJHRCERFOewneC7s2Q8cx4wAAAAAOgAAAAAIAACAAAADDQBNAyQ2e/fxXiNJwYS72m7RtJj6wBI1XfE15Cot+7DAAAAD8uFIVc3Ze0Ct/1F6l1WEnAdCApjj70vDAX/o95QolLMbu9d2jUaun9EdAdjkDztxAAAAAntEefTqjnDveTyCvBwLaSV25PAM0umDaPgRkrlkXEs0DDX9ldkwYyhGd+xYytZ+boi+rs7RJ7Ul3DoTV77Vgcw=="},"policy":{"last_statist

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\7ba7bb5d-56ef-4a07-9bd5-9107e223bd7f.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	70503
Entropy (8bit):	6.071511229224043
Encrypted:	false
SSDEEP:	1536:ZMGQ5XMBGvvQUtqtVpxMG26XTa8qvk/o+5EIx/8a1:ZMrJM83Q6GPXTa8y45x00
MD5:	8496B19C1B44C6A84CA35D8D3FF58A59
SHA1:	6E629AAFCC5D5BA80048D17C6849F7CCE8A4A114
SHA-256:	F00EFACC745DCE48FA50E0D5A3754F174857D062307ADDD4E5FFC9EBCDE3AC9C
SHA-512:	76F6F0E00C028277A021A525AC27DCE128222F634EF3A3D1A5AD4E4F4595FC65F21C391C7488768798B1D36025CB52DF5EE1389F477374CA2D67B542E815468D
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"5E25271B8190D943537AD3FDB50874FC133E8B4A00380E2A6A888D63386F728B\"","apps_count_check_time":"13369866299641235","domain_actions_config":"H4sIAAAAAAAAAL1dWZPktpH+KxP9ZDtU6GMujfykHY9txVpHyHIoYh2ODhBEkWiCAAdHVbEc/u+bCVb1dE8RqEqOdh806mbzw8VEXshM/PuKb27vha2luF9LHqKT96KVoru3G+mcquXVN/++4sOgleBBWeOvvvnn4YGs7wcLz8erb65+HMKPMVx9dVXbnisDT4wMa612TNj+6j9fUSA+xFpZPyH/9dVVQig59Wx4L5+Cwzjg799ubt/jJP48zeE9TuHwDjYBc/Ew+Ktvbv/z1ZWoe+rsjB4/7Abr5U+ajz9LXo9Px+21Mk1hoo/oX6HHjTLyKTjYyMJmCbLnO/hZMpjFAjSvxOIhbxgi5FK85m+ZCkuQu7UyKoxLO97yIFoYvbAluiw2oRoYgIQ2nG2AqJY2U+koRXQbbMm3fMsEX9JMK3GLbeAvNjhrlo5GOJiTA/oXLTdG6qXtmMBDiyS59PvY7eCklyb4QcfFi7tpdwu3VBt1XNorvM4+RiU6+CjD0kb+pHz7rRm3rXSyzABnWdKBG+Ijlx7hEE4QTzo+AB6fnDLLJBpo7PKv8Ob367/KjUg8mcY6CmCjTJCmtsWFOcUf5vj04cw0e1yZe2WAl8svFn5IC43jfc+dLnGrEyDwAicHCxNdhlrVa5LEtTgt5u2lAK02pd198r5dr5VYgHj55jUJZGTtlg0NlA7S5AnvB8l7z3olnPV2vfCLsugvBUH7vTVIe9Y151SnmS2Auyvcr5UGYXBvzT2s0L3fKpCZl+2D91MLf04NPNNUni9BZmDP4Sfjk2Ig7ktgg8r8InfhHz//zSP7e8bquWlsDJ411j

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Ad Blocking\ad881d14-5caa-4810-89dc-8d95abc34f2b.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	107893
Entropy (8bit):	4.640136267101608
Encrypted:	false
SSDEEP:	1536:B/lv4EsQMNeQ9s5VwB34PsiaR+tjvYArQdW+Iuh57P7Q:fwUQC5VwBIiElEd2K57P7Q
MD5:	46EC1899F11FE2F524F4A0ED857B2BF7
SHA1:	830620AD3E3FAC7FE25BD86C291A17AFA245B2CA
SHA-256:	07965BB5BA96950A38D1B7E50D9564F84D383F21D6FB17B6A411925728AF5146
SHA-512:	5496B3873B3C5FA3560593D4E3E9F43F6BFA288C5FC3B879D14269A51938D5DDAD950326D86D8DB606A34F7B235E615237136DB19539A1740CAD9B527BEBAEB2
Malicious:	false
Preview:	{"sites":[{"url":"24video.be"},{"url":"7dnifutbol.bg"},{"url":"6tv.dk"},{"url":"9kefa.com"},{"url":"aculpaedoslb.blogspot.pt"},{"url":"aek-live.gr"},{"url":"arcadepunk.co.uk"},{"url":"acidimg.cc"},{"url":"aazah.com"},{"url":"allehensbeverwijk.nl"},{"url":"amateurgonewild.org"},{"url":"aindasoudotempo.blogspot.com"},{"url":"anorthosis365.com"},{"url":"autoreview.bg"},{"url":"alivefoot.us"},{"url":"arbitro10.com"},{"url":"allhard.org"},{"url":"babesnude.info"},{"url":"aysel.today"},{"url":"animepornx.com"},{"url":"bahisideal20.com"},{"url":"analyseindustrie.nl"},{"url":"bahis10line.org"},{"url":"apoel365.net"},{"url":"bahissitelerisikayetleri.com"},{"url":"bambusratte.com"},{"url":"banzaj.pl"},{"url":"barlevegas.com"},{"url":"baston.info"},{"url":"atomcurve.com"},{"url":"atascadocherba.com"},{"url":"astrologer.gr"},{"url":"adultpicz.com"},{"url":"alleporno.com"},{"url":"beaver-tube.com"},{"url":"beachbabes.info"},{"url":"bearworldmagazine.com"},{"url":"bebegimdensonra.com"},{"url":"autoy

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Ad Blocking\blocklist (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	107893
Entropy (8bit):	4.640136267101608
Encrypted:	false
SSDEEP:	1536:B/lv4EsQMNeQ9s5VwB34PsiaR+tjvYArQdW+Iuh57P7Q:fwUQC5VwBIiElEd2K57P7Q
MD5:	46EC1899F11FE2F524F4A0ED857B2BF7
SHA1:	830620AD3E3FAC7FE25BD86C291A17AFA245B2CA
SHA-256:	07965BB5BA96950A38D1B7E50D9564F84D383F21D6FB17B6A411925728AF5146
SHA-512:	5496B3873B3C5FA3560593D4E3E9F43F6BFA288C5FC3B879D14269A51938D5DDAD950326D86D8DB606A34F7B235E615237136DB19539A1740CAD9B527BEBAEB2
Malicious:	false
Preview:	{"sites":[{"url":"24video.be"},{"url":"7dnifutbol.bg"},{"url":"6tv.dk"},{"url":"9kefa.com"},{"url":"aculpaedoslb.blogspot.pt"},{"url":"aek-live.gr"},{"url":"arcadepunk.co.uk"},{"url":"acidimg.cc"},{"url":"aazah.com"},{"url":"allehensbeverwijk.nl"},{"url":"amateurgonewild.org"},{"url":"aindasoudotempo.blogspot.com"},{"url":"anorthosis365.com"},{"url":"autoreview.bg"},{"url":"alivefoot.us"},{"url":"arbitro10.com"},{"url":"allhard.org"},{"url":"babesnude.info"},{"url":"aysel.today"},{"url":"animepornx.com"},{"url":"bahisideal20.com"},{"url":"analyseindustrie.nl"},{"url":"bahis10line.org"},{"url":"apoel365.net"},{"url":"bahissitelerisikayetleri.com"},{"url":"bambusratte.com"},{"url":"banzaj.pl"},{"url":"barlevegas.com"},{"url":"baston.info"},{"url":"atomcurve.com"},{"url":"atascadocherba.com"},{"url":"astrologer.gr"},{"url":"adultpicz.com"},{"url":"alleporno.com"},{"url":"beaver-tube.com"},{"url":"beachbabes.info"},{"url":"bearworldmagazine.com"},{"url":"bebegimdensonra.com"},{"url":"autoy

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\BrowserMetrics-spare.pma (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	4194304
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	B5CFA9D6C8FEBD618F91AC2843D50A1C
SHA1:	2BCCBD2F38F15C13EB7D5A89FD9D85F595E23BC3
SHA-256:	BB9F8DF61474D25E71FA00722318CD387396CA1736605E1248821CC0DE3D3AF8
SHA-512:	BD273BF4E10ED6E305ECB7B781CB065545FCE9BE9F1E2968DF22C3A98F82D719855AAFE5FF303D14EA623A5C55E51E924E10033A92A7A6B07725D7E9692B74F5
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\BrowserMetrics-spare.pma.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	4194304
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	B5CFA9D6C8FEBD618F91AC2843D50A1C
SHA1:	2BCCBD2F38F15C13EB7D5A89FD9D85F595E23BC3
SHA-256:	BB9F8DF61474D25E71FA00722318CD387396CA1736605E1248821CC0DE3D3AF8
SHA-512:	BD273BF4E10ED6E305ECB7B781CB065545FCE9BE9F1E2968DF22C3A98F82D719855AAFE5FF303D14EA623A5C55E51E924E10033A92A7A6B07725D7E9692B74F5
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\BrowserMetrics\BrowserMetrics-66D76739-1484.pma

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	4194304
Entropy (8bit):	0.04050015209550047
Encrypted:	false
SSDEEP:	192:klUjLYiVWK+ggCdl+JtD+FX9XSokgV8vYhXxNEZGKbcRQMYVhHn8y08Tcm2RGOdB:WUjjliqHnhBmQYhH08T2RGOD
MD5:	003A161374551E2BD243B350B445AA4C
SHA1:	811D1E3D828E679C595FD24D81BA02420330ADD0
SHA-256:	DB965FE1274DE7F372665108FB5C3C669EDEEDC3750221F56AEE7F2549A36048
SHA-512:	C7101A70CB40A8CCD06395394FDC8A86E32F34FB80EB7D45195A0370ACB8ECA69EBAF26E74D366EA8C24E97BDFD3F8724023BDA67902EABFA3B5C66A0126A903
Malicious:	false
Preview:	...@..@...@.....C.].....@................a...P..............`... ...i.y.........BrowserMetrics......i.y..Yd. .......A...................v.0.....UV&K.k<................UV&K.k<................UMA.PersistentHistograms.InitResult.....8...i.y.[".................................................i.y.Pq.30...............117.0.2045.55-64..".en-GB...Windows NT..10.0.190452l..x86_64..?........".sjqdfg20,1(.0..8..B.......2.:.M..BU..Be...?j...GenuineIntel... .. ..........x86_64...J....k..^o..J..l.zL.^o..J....\.^o..J.....f.^o..J....?.^o..P.Z...b.INBXj....... .8.@..................................$}.CG....L.T.w..Ucw.}....u.$r....9...>.........."....."...2..."..:............B)..1.3.177.11.. ..RegKeyNotFound2.windowsR...Z..... `O@..$...SF@.......Y@.......Y@.......Y@........?........?.................?.......Y@.......Y@.......Y@.......Y@.......Y@.......Y@.......Y@.......Y@.......Y@................Y@.......Y@.......Y@........?........?z.......................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\BrowserMetrics\BrowserMetrics-66D76739-1B90.pma

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	4194304
Entropy (8bit):	0.451746487386288
Encrypted:	false
SSDEEP:	3072:gKdqLqpr3D+AMejebZHvj3ielrIfgjLHzdHnhOg1HF6la4ASrYaeIzsqxE31J2fC:JppAJDnhOaHX7f6xLJaHKLIow
MD5:	0BFE3C8035F94DD3FEFFE9AFF83C9FB2
SHA1:	7D1D5A3FA0C654FF701D502E9ABB120D22FECE65
SHA-256:	6F1031E001F20DEF1B042BD97FD19E2393A5E280B74A6518211AE08FB61EE9BD
SHA-512:	3E3A63CD2619404677A07EC4405B2CFB9A85C084A54246F7A932F7158A11B3A4D8126566CCF0F578F572D411E5D5DE98AF50F3E9B479155D3242D087E72B8EE9
Malicious:	false
Preview:	...@..@...@.....C.].....@................3...3..............`... ...i.y.........BrowserMetrics......i.y..Yd. .......A...................v.0.....UV&K.k<................UV&K.k<................UMA.PersistentHistograms.InitResult.....8...i.y.[".................................................i.y.Pq.30...............117.0.2045.55-64..".en-GB*...Windows NT..10.0.190452....x86_64..?........".sjqdfg20,1(.0..8..B....(.....10.0.19041.5462.Google Inc. (Google):bANGLE (Google, Vulkan 1.3.0 (SwiftShader Device (Subzero) (0x0000C0DE)), SwiftShader driver-5.0.0)M..BU..Be...?j...GenuineIntel... .. ..............x86_64...J....s..^o..J...W..^o..J..,jp..^o..J.......^o..J../T...^o..J...X.p.^o..J.....p.^o..J...c...^o..J...Y...^o..J.......^o..J..w....^o..J...G.Y.^o..J..A....^o..J....c..^o..J...c=..^o..J....J..^o..J...h8..^o..J..3.(..^o..J.......^o..J..!n...^o..J...S@".^o..J.......^o..J.......^o..J...j.8.^o..J..@....^o..J.......^o..J...b.J.^o..J..G....^o..J..8...^o..J...#...^o..J....k..^o..J..S..O.^o.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\settings.dat

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	280
Entropy (8bit):	4.19037140046968
Encrypted:	false
SSDEEP:	3:FiWWltl/1XIRTHSRqOFhJXI2EyBl+BVP/Sh/JzveL2GL5/AHWltl:o19XoyRqsx+BVsJDeaGL5/TlX
MD5:	18C19D2CC960B83B14204D9D455D0EFE
SHA1:	134F1489776CC779B5CE0D7A9CFBAF877907F1D1
SHA-256:	6720B0A403B9F706BD2F06C3A98B594B9890E143459AC709A651A4C5B1CC76E2
SHA-512:	3B530963903401EB39F1891DDCFB658B6AF3FE6A3486616A52DACBB60D99D372D18916D8BCCB6E5ED9C3118D7A92576990218A924D2ECFB627686BF94AF3E28C
Malicious:	false
Preview:	sdPC........................&bE...y..t~"1SCRpGKHAwpF5kOwXUUSc/ojBrTkNG2SgkvqW1WE7kI="..................................................................................47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=....................3f57f209-63f9-4c52-b083-400e8c96244f............

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\throttle_store.dat

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	20
Entropy (8bit):	3.6219280948873624
Encrypted:	false
SSDEEP:	3:8g6Vvn:8g6Vv
MD5:	9E4E94633B73F4A7680240A0FFD6CD2C
SHA1:	E68E02453CE22736169A56FDB59043D33668368F
SHA-256:	41C91A9C93D76295746A149DCE7EBB3B9EE2CB551D84365FFF108E59A61CC304
SHA-512:	193011A756B2368956C71A9A3AE8BC9537D99F52218F124B2E64545EEB5227861D372639052B74D0DD956CB33CA72A9107E069F1EF332B9645044849D14AF337
Malicious:	false
Preview:	level=none expiry=0.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\077c119b-65df-4da8-9a71-fe29844df7c8.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24800
Entropy (8bit):	5.566476511644343
Encrypted:	false
SSDEEP:	768:iOVdP+WjqW5wWsf4Oc8F1+UoAYDCx9Tuqh0VfUC9xbog/OVPvPID43drwXvN3+pl:iwJ+YqWaWsf5cu1jaq6ym/pbtM
MD5:	D456937F4555915A88110F19F8718EEE
SHA1:	ED9F5F863326CBEF8D2ECC7DD6EA87609AAA02F7
SHA-256:	924E8BF2C9835F80921E93B28E5B6F289F5B0105FD0B8561D0A2BC5804AFC549
SHA-512:	495F62400672E1BD9559C1A5DD427893E91EC863B09018F8413D44D72BC6F695B981F12100017BA2D63318C919C474A5F2B52C1CC923D9617A28E76C760F39C9
Malicious:	false
Preview:	{"edge_fundamentals_appdefaults":{"ess_lightweight_version":101},"ess_kv_states":{"restore_on_startup":{"closed_notification":false,"decrypt_success":true,"key":"restore_on_startup","notification_popup_count":0},"startup_urls":{"closed_notification":false,"decrypt_success":true,"key":"startup_urls","notification_popup_count":0},"template_url_data":{"closed_notification":false,"decrypt_success":true,"key":"template_url_data","notification_popup_count":0}},"extensions":{"settings":{"ahfgeienlihckogmohjhadlkjgocpleb":{"active_permissions":{"api":["management","system.display","system.storage","webstorePrivate","system.cpu","system.memory","system.network"],"explicit_host":[],"manifest_permissions":[],"scriptable_host":[]},"app_launcher_ordinal":"t","commands":{},"content_settings":[],"creation_flags":1,"events":[],"first_install_time":"13369866297943856","from_webstore":false,"incognito_content_settings":[],"incognito_preferences":{},"last_update_time":"13369866297943856","location":5,"ma

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\19600334-ac7f-47e5-a0a2-ce01bf3a3d1a.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24799
Entropy (8bit):	5.566455670194235
Encrypted:	false
SSDEEP:	768:iOVdP+WjqW5wWsf4dc8F1+UoAYDCx9Tuqh0VfUC9xbog/OVPvPID43drwXvL3+pC:iwJ+YqWaWsfscu1jaq6ym/jbtP
MD5:	D0004272BBF4C31E70A658C934C2D916
SHA1:	14C8B49FD84EF5515D5C0D82276CDCF02CA6397B
SHA-256:	19E494AD0BAFD0C8BC294AB026845BCD8472D152D4B2A4788C18FCA665EA37F5
SHA-512:	81C4DB201AF4713E30D79AF0EBB58D1017E265D6AE528B255C74625F6FD44A09EA4FCF26AB2B545A8570F2F08B0DAF23AC8FC4E6CC90C56B57A31629E710BDFE
Malicious:	false
Preview:	{"edge_fundamentals_appdefaults":{"ess_lightweight_version":101},"ess_kv_states":{"restore_on_startup":{"closed_notification":false,"decrypt_success":true,"key":"restore_on_startup","notification_popup_count":0},"startup_urls":{"closed_notification":false,"decrypt_success":true,"key":"startup_urls","notification_popup_count":0},"template_url_data":{"closed_notification":false,"decrypt_success":true,"key":"template_url_data","notification_popup_count":0}},"extensions":{"settings":{"ahfgeienlihckogmohjhadlkjgocpleb":{"active_permissions":{"api":["management","system.display","system.storage","webstorePrivate","system.cpu","system.memory","system.network"],"explicit_host":[],"manifest_permissions":[],"scriptable_host":[]},"app_launcher_ordinal":"t","commands":{},"content_settings":[],"creation_flags":1,"events":[],"first_install_time":"13369866297943856","from_webstore":false,"incognito_content_settings":[],"incognito_preferences":{},"last_update_time":"13369866297943856","location":5,"ma

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\2345e4fd-e288-453a-82df-f87c286424c3.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:L:L
MD5:	5058F1AF8388633F609CADB75A75DC9D
SHA1:	3A52CE780950D4D969792A2559CD519D7EE8C727
SHA-256:	CDB4EE2AEA69CC6A83331BBE96DC2CAA9A299D21329EFB0336FC02A82E1839A8
SHA-512:	0B61241D7C17BCBB1BAEE7094D14B7C451EFECC7FFCBD92598A0F13D313CC9EBC2A07E61F007BAF58FBF94FF9A8695BDD5CAE7CE03BBF1E94E93613A00F25F21
Malicious:	false
Preview:	.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\6807fa09-e136-4e58-a68d-59b5e567cd5f.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	6296
Entropy (8bit):	4.97224243860445
Encrypted:	false
SSDEEP:	96:stIqfeis1HKDb9BoS+fq8zeE1cs85eh6Cb7/x+6MhmuecmAeSRdl2MMu/EJ:stI6shKcS+fqkOs88bV+FiA1lPjMJ
MD5:	2860CC53894D772DABB8788A4166FC29
SHA1:	5D4E272CD97454B85020A380EC887EBE4E05ED88
SHA-256:	023E2FCFBA39B9D4C15C0BB39E03AC245A3A81A18B288A48DD3D4A1B54219528
SHA-512:	E80F22B8CAAEC168D90C60E68DF9CD4D88863746405926287AA9919D27FD6EB921D7E45CC598318249497439A4DD54F3E5F31363845C3927670CCCF9F8B88685
Malicious:	false
Preview:	{"aadc_info":{"age_group":0},"account_tracker_service_last_update":"13369866298852721","alternate_error_pages":{"backup":true},"apps":{"shortcuts_arch":"","shortcuts_version":0},"arbitration_using_experiment_config":false,"browser":{"available_dark_theme_options":"All","has_seen_welcome_page":false},"continuous_migration":{"ci_correction_for_holdout_treatment_state":1},"countryid_at_install":17224,"custom_links":{"list":[]},"domain_diversity":{"last_reporting_timestamp":"13369866298852529"},"download":{"default_directory":"C:\\Users\\user\\AppData\\Local\\Microsoft\\Edge\\KioskDownloads\\","directory_upgrade":true},"dual_user":{"consumer_mode":{"ie_user":false},"consumer_site_list_with_ie_entries":false,"consumer_sitelist_location":"","consumer_sitelist_version":"","external_consumer_shared_cookie_data":{},"shared_cookie_data":{},"sitelist_data_2":{},"sitelist_has_consumer_data":false,"sitelist_has_enterprise_data":false,"sitelist_location":"","sitelist_source":0,"sitelist_versio

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\8daea1ba-59d2-4949-a839-5ca8a22adac4.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	6532
Entropy (8bit):	4.981736759635973
Encrypted:	false
SSDEEP:	96:stIqfeis1HKDb9BoS+fq8zeE1cs85eh6Cb7/x+6MhmuecmAeSmQJl2MMu/EJ:stI6shKcS+fqkOs88bV+FiA3lPjMJ
MD5:	DE20190F1BC9E9BBF425F475B6305502
SHA1:	9549493ADEEC6CD9EC6443C1559F14D1530B505E
SHA-256:	41B4307E6F834627F833F7CF2987521521A2FA286501303575C1E52174D66241
SHA-512:	DAD24F65CC46E22F0E5BBDD5E304FE82D53A5635BB60F3EE93E3CD9CEEC647EFDB7F217E66EE7B6A553FD8BF449DD6101A1CD21F30EC7A3EBE9B8E2ECD1BE8F4
Malicious:	false
Preview:	{"aadc_info":{"age_group":0},"account_tracker_service_last_update":"13369866298852721","alternate_error_pages":{"backup":true},"apps":{"shortcuts_arch":"","shortcuts_version":0},"arbitration_using_experiment_config":false,"browser":{"available_dark_theme_options":"All","has_seen_welcome_page":false},"continuous_migration":{"ci_correction_for_holdout_treatment_state":1},"countryid_at_install":17224,"custom_links":{"list":[]},"domain_diversity":{"last_reporting_timestamp":"13369866298852529"},"download":{"default_directory":"C:\\Users\\user\\AppData\\Local\\Microsoft\\Edge\\KioskDownloads\\","directory_upgrade":true},"dual_user":{"consumer_mode":{"ie_user":false},"consumer_site_list_with_ie_entries":false,"consumer_sitelist_location":"","consumer_sitelist_version":"","external_consumer_shared_cookie_data":{},"shared_cookie_data":{},"sitelist_data_2":{},"sitelist_has_consumer_data":false,"sitelist_has_enterprise_data":false,"sitelist_location":"","sitelist_source":0,"sitelist_versio

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Asset Store\assets.db\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Asset Store\assets.db\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	modified
Size (bytes):	12600
Entropy (8bit):	5.3214664498076
Encrypted:	false
SSDEEP:	192:/AOEH/WCxkD7MDPSYAxmemxb7mngJdv9TXJ4MQmLu5/4eeNdl:oOEOKSXs/J7mGnQmLu5/5eNdl
MD5:	C9AF1624C7DD4AA142670A88E395E3C2
SHA1:	C6DF93DBB494808AF1729CCD2F5ACFA544B7A0EA
SHA-256:	E708582D70767E91CA79210E1554D098CBBDA7AFFEC7B29F0AC95C17A57AE38B
SHA-512:	0A12CBB2415518FADFAD10FC26BB15CC1CA66F8BEEF85B42C11A4018E2FC039A9D6A04645A1AF12FBBD602A85EE2BE62846FF3D40C51623C8431F2FEFF9EC651
Malicious:	false
Preview:	...m.................DB_VERSION.1.Z..................QUERY_TIMESTAMP:arbitration_priority_list4...13369866303385209.$QUERY:arbitration_priority_list4....[{"name":"arbitration_priority_list","url":"https://edgeassetservice.azureedge.net/assets/arbitration_priority_list/4.0.5/asset?assetgroup=ArbitrationService","version":{"major":4,"minor":0,"patch":5},"hash":"2DPW9BV28WrPpgGHdKsEvldNQvD7dA0AAxPa3B/lKN0=","size":11989}]..A./..............'ASSET_VERSION:arbitration_priority_list.4.0.5..ASSET:arbitration_priority_list.]{.. "configVersion": 32,.. "PrivilegedExperiences": [.. "ShorelinePrivilegedExperienceID",.. "SHOPPING_AUTO_SHOW_COUPONS_CHECKOUT",.. "SHOPPING_AUTO_SHOW_LOWER_PRICE_FOUND",.. "SHOPPING_AUTO_SHOW_BING_SEARCH",.. "SHOPPING_AUTO_SHOW_REBATES",.. "SHOPPING_AUTO_SHOW_REBATES_CONFIRMATION",.. "SHOPPING_AUTO_SHOW_REBATES_DEACTIVATED",.. "SHOPPING_AUTO_SHOW_REBATES_BING",.. "SHOPPING_AUTO_SHOW_REBATES_ORGANIC",.. "SHOPPING_AUTO_SHOW_PRICE_HIST

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Asset Store\assets.db\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Asset Store\assets.db\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	311
Entropy (8bit):	5.120044440215392
Encrypted:	false
SSDEEP:	6:PPGV0RM1N723oH+TcwtOEh1ZB2KLllPcFlyq2PN723oH+TcwtOEh1tIFUv:PPGVosaYebOEh1ZFLnP0lyvVaYebOEhp
MD5:	4BA2C1331FD11AED31731BF97E9BF9C6
SHA1:	7FBA0B4AF7A93E5730216CEB5D38C7538602C14A
SHA-256:	076CC9D7F7713155FC2E1244828AA5000C81760DBC6A31BC99761D63A083A119
SHA-512:	923B8D4A8C4E01B57DE6E50A1B38B115F027F990C67FDE8632DF35FB230735BA05E508590208EA30442EF7B07705C4B6F4CC1A2F874104CAECFC73494975D165
Malicious:	false
Preview:	2024/09/03-15:45:02.302 2174 Creating DB C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Asset Store\assets.db since it was missing..2024/09/03-15:45:02.328 2174 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Asset Store\assets.db/MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Asset Store\assets.db\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\AssistanceHome\AssistanceHomeSQLite

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	0.3202460253800455
Encrypted:	false
SSDEEP:	6:l9bNFlEuWk8TRH9MRumWEyE4gLueXdNOmWxFxCxmWxYgCxmW5y/mWz4ynLAtD/W4:TLiuWkMORuHEyESeXdwDQ3SOAtD/ie
MD5:	40B18EC43DB334E7B3F6295C7626F28D
SHA1:	0E46584B0E0A9703C6B2EC1D246F41E63AF2296F
SHA-256:	85E961767239E90A361FB6AA0A3FD9DAA57CAAF9E30599BB70124F1954B751C8
SHA-512:	8BDACDC4A9559E4273AD01407D5D411035EECD927385A51172F401558444AD29B5AD2DC5562D1101244665EBE86BBDDE072E75ECA050B051482005EB6A52CDBD
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Cache\Cache_Data\data_0

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	45056
Entropy (8bit):	0.0442492047888367
Encrypted:	false
SSDEEP:	6:/Fii2mkM/leSTPmB3a4mPoShX+kllhLs/lY:d8EeiP2mPoShD/u
MD5:	D45AF959BA274B310A2F6CB37B47E085
SHA1:	C72415C478F7421FB49F29D3F449DE48274A9156
SHA-256:	5C109AE376B86524E050E7795D2B5F123DA40252EB98F1B83328F56E79BBC87C
SHA-512:	1D092488704720D958BCE7DC47EAE0952365D7D6281AEA3022B482B7F6332AD17FB0E825422335BFE4CAED402D7A655B21FA7C3E14FC26AEFA8B3A498071F6E4
Malicious:	false
Preview:	............$...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Cache\Cache_Data\data_1

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	270336
Entropy (8bit):	0.09570779144533095
Encrypted:	false
SSDEEP:	24:NfrjbV4XQ3eaPVH2vV4XeaPVHaUAPnQzLIoMmHVIRBNUeSWQzE/lGbK38EWp4:N3bV4A3esWV4XesrAzNUeShET3lWp4
MD5:	FC99465397EE345FEC1979748858AA39
SHA1:	EEDEABFA72AAC65C1A7512A571D679D90213BB57
SHA-256:	4794DF713DDAD3B9A0B115A82234189245334D5CF95D476E446A8AFECF35684F
SHA-512:	7256ED080FBCC05333EC23B0B437DCF050608569336340B7315110C53762442E0276383BAD275E08ABC6D0787184404F2B7D2DDA6944CCCD49E87EF4BC19C7E1
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Cache\Cache_Data\data_2

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	1056768
Entropy (8bit):	0.28340956051888383
Encrypted:	false
SSDEEP:	384:ej5WJtn5aj5WJtnZGJtX6bvJtXJXlJtL:eAJt5aAJtkJtsvJtbJt
MD5:	86F85409422843C1CC2B14B6AE226C8C
SHA1:	C06229B378ACD07C14D66627985C1851D1FCF1B5
SHA-256:	4CC8624CE041E78CFB85C168AC6215C77CD303BC1FA95240137401A81D8C49BD
SHA-512:	E6EC991AE9AA33B67121E6507426E281C4DA278CBB3ECFBD434126764E886CC4C4687E86D19078FDB4BA2A61D20A8D37B36F5439BB4ED318F2ADEB925319C766
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Cache\Cache_Data\data_3

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	4202496
Entropy (8bit):	0.04312480187296375
Encrypted:	false
SSDEEP:	192:rH/WCxkD7MDPSYAxmemxb7mngJdv9TXJ4MQmLu5/4eeNd:rOKSXs/J7mGnQmLu5/5eNd
MD5:	4D3862637A3E49DEA6B0E914424F7F3E
SHA1:	2ADD705EDC5981DFA1DDA043EF8917DD416CA4B3
SHA-256:	081133A6F01292BF3CDF0BFBAE44EEE97EC2920D820294EA0447EE2D71249D58
SHA-512:	FA1B6C0C9D28F5686D65A17D43EC6473524C7D576CADA3BA68A94B85375C703E750F624CA82ED3A431DBF5A41203A974E041BFCC6681E04CFBE708B34A4AA861
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Cache\Cache_Data\f_000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	gzip compressed data, was "asset", last modified: Fri Aug 2 18:10:34 2024, max compression, original size modulo 2^32 374872
Category:	dropped
Size (bytes):	70207
Entropy (8bit):	7.995911906073242
Encrypted:	true
SSDEEP:	1536:VzseWV/dT2G9zm5w0vgxQUFm6SM6ZYRuB61K+aK+POIwPru:VoNQGIwvs6S9+I6RWPOIwTu
MD5:	9F5A7E038BF08B13BD15338EC7BD4E16
SHA1:	AB69D28EEA9AE289BB86159C341910538CDDE5B9
SHA-256:	BA0BCBBF170ADB0B5119D19D56C2D004579507DFC4A9215BCCC8663C8A486AF8
SHA-512:	48557ECD56DFD2157304FE752E15E44314667EFC79E6C21312723251E4E1F1BF5BE0A76F88F4B4D83FADB9D81BFB1835B1C0E5CFA7B07214A605F58064BB94B1
Malicious:	false
Preview:	.....!.f..asset.....6.0.W..3....[........9m;.....IH.E...j...}.....PR..w.gg.....@.P...?...x....?./.%..Q...x....}..9..e..f.8..Yb@g...i..$...I.......<....k...{..{.Qg..k..q.....i.Y}..._......\?....5 .5 .`..._i'@....H'.f!...x`...f......v.._1w.u.<.........5.:..^.Ua....H6...x....D:.R..L..2.,.s.f.......FE'..%{]-;+.`....N...=\|.:q...9N.k..i.I.8E.i.I.s..Y...8..fe'...Xo...Xo...#.r$N.u2.o.]....^,.k....{E."......Q.N...AY..u.^o.............Z..ce.irN.{.O$.C.......HJ.HJ..J..hOgA.5.nW.\........}E.%-.A."a<..~.[O....~.......xX.G?Y.3O8d8I...&X....V4...0=.iS....].D.L@.YiS...<.W..W+..#mj...p..8^.\U;oV;W`..^..V...G..SC.9.....i%@g.iS=..`..#.H.p.q..E.q...)....).X..M.X.%.,i.%..V..6.nk.@1S@-..Y.6....K.n....:c.My.....h...9..q...f't.iS.v..6D7...d't.iS.v..F.....faG.t.f....lR.J@!l.0O..T.....T2...\.n..-....L..ES.9.:...B..P1@...P.l.fX.aV..Y6.B5......Mt..SS,l..+..J...).i.6......8...:.Z...2.H.8..Z.>.5.Oi..N`:..6.i.n.h.l.e.h.T\.lr...TE+m.T..).D..F..+.6....J...x.`..`.m..H..i....p...v

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Cache\Cache_Data\index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 768, next free block index 3284796353, field type 0
Category:	dropped
Size (bytes):	524656
Entropy (8bit):	5.027445846313988E-4
Encrypted:	false
SSDEEP:	3:LsulN2:Ls
MD5:	12A5834E40329753FB1C773B18D89E8F
SHA1:	BF1229CCD1A382E8D6B6DAFFC6F7ECC0176CA4CD
SHA-256:	B366A9B2A19122AA0F758A83726C464C4D3F98C3C154CC3DB06E46DA6192631E
SHA-512:	A670665B4AB978383A4522E1374F502B49B711E838B7E422F5FD2D93417EF54CBC63848E89F19AD9EF3B11B8C37462198557AEE368EDFFC7449B237763589F46
Malicious:	false
Preview:	.........................................u..../.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Code Cache\js\index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	2.1431558784658327
Encrypted:	false
SSDEEP:	3:m+l:m
MD5:	54CB446F628B2EA4A5BCE5769910512E
SHA1:	C27CA848427FE87F5CF4D0E0E3CD57151B0D820D
SHA-256:	FBCFE23A2ECB82B7100C50811691DDE0A33AA3DA8D176BE9882A9DB485DC0F2D
SHA-512:	8F6ED2E91AED9BD415789B1DBE591E7EAB29F3F1B48FDFA5E864D7BF4AE554ACC5D82B4097A770DABC228523253623E4296C5023CF48252E1B94382C43123CB0
Malicious:	false
Preview:	0\r..m..................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Code Cache\js\index-dir\temp-index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	48
Entropy (8bit):	2.8981641637663254
Encrypted:	false
SSDEEP:	3:8qtHC0EtnPKl:8qtHqtP+
MD5:	BD5808FF523FAA7990B788354ACFF8C4
SHA1:	8E56FA667E94C9DDBBB3E37C8E7BA02CBA0673A1
SHA-256:	41BEB0949D06C44AB7036BF66683B76883BA21F0A3251A0304B441CED89E1948
SHA-512:	2D2275969D3376F0526470882D9FBC4C51D0060D3AF5988BC0D8E6B68D0CB9562437C89F484AE090C1D149494ED2F626704308FB8BE4DBBBF204727DFFA58261
Malicious:	false
Preview:	(...!!&.oy retne........................qeg.../.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Code Cache\js\index-dir\the-real-index (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	48
Entropy (8bit):	2.8981641637663254
Encrypted:	false
SSDEEP:	3:8qtHC0EtnPKl:8qtHqtP+
MD5:	BD5808FF523FAA7990B788354ACFF8C4
SHA1:	8E56FA667E94C9DDBBB3E37C8E7BA02CBA0673A1
SHA-256:	41BEB0949D06C44AB7036BF66683B76883BA21F0A3251A0304B441CED89E1948
SHA-512:	2D2275969D3376F0526470882D9FBC4C51D0060D3AF5988BC0D8E6B68D0CB9562437C89F484AE090C1D149494ED2F626704308FB8BE4DBBBF204727DFFA58261
Malicious:	false
Preview:	(...!!&.oy retne........................qeg.../.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Code Cache\wasm\index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	2.1431558784658327
Encrypted:	false
SSDEEP:	3:m+l:m
MD5:	54CB446F628B2EA4A5BCE5769910512E
SHA1:	C27CA848427FE87F5CF4D0E0E3CD57151B0D820D
SHA-256:	FBCFE23A2ECB82B7100C50811691DDE0A33AA3DA8D176BE9882A9DB485DC0F2D
SHA-512:	8F6ED2E91AED9BD415789B1DBE591E7EAB29F3F1B48FDFA5E864D7BF4AE554ACC5D82B4097A770DABC228523253623E4296C5023CF48252E1B94382C43123CB0
Malicious:	false
Preview:	0\r..m..................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Code Cache\wasm\index-dir\temp-index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	48
Entropy (8bit):	2.9972243200613975
Encrypted:	false
SSDEEP:	3:dVjjKcC0ENyG23Tn:y1Nyhj
MD5:	7A1F2C523D6C00CA92F0149514820F12
SHA1:	1620B99E41E2F2CDC3497C36313A06A0F577F05C
SHA-256:	087C63CF8FBF3EFE5FBAD7DB76CE1092B6EEA688348678223DB1427C332BEF55
SHA-512:	CF098AC37D4CABA421C42F40367D47FBCF61206B660664A9737A6F97C7FBABD7C6FAFE8B589758E94651DA8AC53D6F60CA08D233C85DC0A7E5DFF1F3BD4985C2
Malicious:	false
Preview:	(....0..oy retne.........................Wc.../.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Code Cache\wasm\index-dir\the-real-index (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	48
Entropy (8bit):	2.9972243200613975
Encrypted:	false
SSDEEP:	3:dVjjKcC0ENyG23Tn:y1Nyhj
MD5:	7A1F2C523D6C00CA92F0149514820F12
SHA1:	1620B99E41E2F2CDC3497C36313A06A0F577F05C
SHA-256:	087C63CF8FBF3EFE5FBAD7DB76CE1092B6EEA688348678223DB1427C332BEF55
SHA-512:	CF098AC37D4CABA421C42F40367D47FBCF61206B660664A9737A6F97C7FBABD7C6FAFE8B589758E94651DA8AC53D6F60CA08D233C85DC0A7E5DFF1F3BD4985C2
Malicious:	false
Preview:	(....0..oy retne.........................Wc.../.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\DawnCache\data_0

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 512, next free block index 3284796609, field type 0
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.01057775872642915
Encrypted:	false
SSDEEP:	3:MsFl:/F
MD5:	CF89D16BB9107C631DAABF0C0EE58EFB
SHA1:	3AE5D3A7CF1F94A56E42F9A58D90A0B9616AE74B
SHA-256:	D6A5FE39CD672781B256E0E3102F7022635F1D4BB7CFCC90A80FFFE4D0F3877E
SHA-512:	8CB5B059C8105EB91E74A7D5952437AAA1ADA89763C5843E7B0F1B93D9EBE15ED40F287C652229291FAC02D712CF7FF5ECECEF276BA0D7DDC35558A3EC3F77B0
Malicious:	false
Preview:	............$...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\DawnCache\data_1

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	270336
Entropy (8bit):	0.0012471779557650352
Encrypted:	false
SSDEEP:	3:MsEllllkEthXllkl2zE:/M/xT02z
MD5:	F50F89A0A91564D0B8A211F8921AA7DE
SHA1:	112403A17DD69D5B9018B8CEDE023CB3B54EAB7D
SHA-256:	B1E963D702392FB7224786E7D56D43973E9B9EFD1B89C17814D7C558FFC0CDEC
SHA-512:	BF8CDA48CF1EC4E73F0DD1D4FA5562AF1836120214EDB74957430CD3E4A2783E801FA3F4ED2AFB375257CAEED4ABE958265237D6E0AACF35A9EDE7A2E8898D58
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\DawnCache\data_2

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.011852361981932763
Encrypted:	false
SSDEEP:	3:MsHlDll:/H
MD5:	0962291D6D367570BEE5454721C17E11
SHA1:	59D10A893EF321A706A9255176761366115BEDCB
SHA-256:	EC1702806F4CC7C42A82FC2B38E89835FDE7C64BB32060E0823C9077CA92EFB7
SHA-512:	F555E961B69E09628EAF9C61F465871E6984CD4D31014F954BB747351DAD9CEA6D17C1DB4BCA2C1EB7F187CB5F3C0518748C339C8B43BBD1DBD94AEAA16F58ED
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\DawnCache\data_3

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.012340643231932763
Encrypted:	false
SSDEEP:	3:MsGl3ll:/y
MD5:	41876349CB12D6DB992F1309F22DF3F0
SHA1:	5CF26B3420FC0302CD0A71E8D029739B8765BE27
SHA-256:	E09F42C398D688DCE168570291F1F92D079987DEDA3099A34ADB9E8C0522B30C
SHA-512:	E9A4FC1F7CB6AE2901F8E02354A92C4AAA7A53C640DCF692DB42A27A5ACC2A3BFB25A0DE0EB08AB53983132016E7D43132EA4292E439BB636AAFD53FB6EF907E
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\DawnCache\index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 768, next free block index 3284796353, field type 0
Category:	dropped
Size (bytes):	262512
Entropy (8bit):	9.47693366977411E-4
Encrypted:	false
SSDEEP:	3:LsNlo/:Ls3o/
MD5:	DEB3154ACBA3F203311CF7A64FA6F06A
SHA1:	AB59AB6DF0D7115D49EF186398F24D563598F177
SHA-256:	6FE61D99D2B47464E48F69706B255190D350F507CC867545F294BD227FB384E8
SHA-512:	0976655543AFE579221DB1E1961BE22AE331B51A034037EFB0273D1284BE387C2FF593701EC0ED278CB66E491E62186EB680EBC877606DD1A32FDB805DB66FBB
Malicious:	false
Preview:	........................................E8..../.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\EdgeCoupons\coupons_data.db\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\EdgeCoupons\coupons_data.db\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	33
Entropy (8bit):	3.5394429593752084
Encrypted:	false
SSDEEP:	3:iWstvhYNrkUn:iptAd
MD5:	F27314DD366903BBC6141EAE524B0FDE
SHA1:	4714D4A11C53CF4258C3A0246B98E5F5A01FBC12
SHA-256:	68C7AD234755B9EDB06832A084D092660970C89A7305E0C47D327B6AC50DD898
SHA-512:	07A0D529D9458DE5E46385F2A9D77E0987567BA908B53DDB1F83D40D99A72E6B2E3586B9F79C2264A83422C4E7FC6559CAC029A6F969F793F7407212BB3ECD51
Malicious:	false
Preview:	...m.................DB_VERSION.1

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\EdgeCoupons\coupons_data.db\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\EdgeCoupons\coupons_data.db\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\EdgeEDrop\EdgeEDropSQLite.db

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 14, database pages 8, cookie 0xe, schema 4, UTF-8, version-valid-for 14
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.494709561094235
Encrypted:	false
SSDEEP:	24:TLEC30OIcqIn2o0FUFlA2cs0US5S693Xlej2:ThLaJUnAg0UB6I
MD5:	CF7760533536E2AF66EA68BC3561B74D
SHA1:	E991DE2EA8F42AE7E0A96A3B3B8AF87A689C8CCD
SHA-256:	E1F183FAE5652BA52F5363A7E28BF62B53E7781314C9AB76B5708AF9918BE066
SHA-512:	38B15FE7503F6DFF9D39BC74AA0150A7FF038029F973BE9A37456CDE6807BCBDEAB06E624331C8DFDABE95A5973B0EE26A391DB2587E614A37ADD50046470162
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j...i............t...c................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\EdgeHubAppUsage\EdgeHubAppUsageSQLite.db

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 5, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 5
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5094712832659277
Encrypted:	false
SSDEEP:	12:TLW4QpRSJDBJuqJSEDNvrWjJQ9Dl9np59yDLgHFUxOUDaaTXubHa7me5q4iZ7dV:TLqpR+DDNzWjJ0npnyXKUO8+j25XmL
MD5:	D4971855DD087E30FC14DF1535B556B9
SHA1:	9E00DEFC7E54C75163273184837B9D0263AA528C
SHA-256:	EC7414FF1DB052E8E0E359801F863969866F19228F3D5C64F632D991C923F0D2
SHA-512:	ACA411D7819B03EF9C9ACA292D91B1258238DF229B4E165A032DB645E66BFE1148FF3DCFDAC3126FCD34DBD0892F420148E280D9716C63AD9FCDD9E7CA58D71D
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j...%.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\EntityExtraction\EntityExtractionAssetStore.db\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\EntityExtraction\EntityExtractionAssetStore.db\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	375520
Entropy (8bit):	5.354116298716416
Encrypted:	false
SSDEEP:	6144:BA/imBpx6WdPSxKWcHu5MURacq49QxxPnyEndBuHltBfdK5WNbsVEziP/CfXtLPz:BFdMyq49tEndBuHltBfdK5WNbsVEziPU
MD5:	7C7FFE58D248DF522832C568800DAA78
SHA1:	941E8B2A242D76A290CCBEBF819CFF29FB2500AD
SHA-256:	69892BE42E4461E726FFC95AE68BB9AEC9658BCBFB9A6E4FC2795FCCC59DF4A5
SHA-512:	56EA7B6104FB3F7C86911F5755BF6CB5F933F1B8BB72DE607AE2ACE44064CC6759B87071FCCB14AE606D0C65404906E3514859594CDCBD6F30BD2624E44DDF42
Malicious:	false
Preview:	...m.................DB_VERSION.1\|...q...............&QUERY_TIMESTAMP:domains_config_gz2...13369866303381622..QUERY:domains_config_gz2....[{"name":"domains_config_gz","url":"https://edgeassetservice.azureedge.net/assets/domains_config_gz/2.8.76/asset?assetgroup=EntityExtractionDomainsConfig","version":{"major":2,"minor":8,"patch":76},"hash":"78Xsq/1H+MXv88uuTT1Rx79Nu2ryKVXh2J6ZzLZd38w=","size":374872}]..*.`~...............ASSET_VERSION:domains_config_gz.2.8.76..ASSET:domains_config_gz...{"config": {"token_limit": 1600, "page_cutoff": 4320, "default_locale_map": {"bg": "bg-bg", "bs": "bs-ba", "el": "el-gr", "en": "en-us", "es": "es-mx", "et": "et-ee", "cs": "cs-cz", "da": "da-dk", "de": "de-de", "fa": "fa-ir", "fi": "fi-fi", "fr": "fr-fr", "he": "he-il", "hr": "hr-hr", "hu": "hu-hu", "id": "id-id", "is": "is-is", "it": "it-it", "ja": "ja-jp", "ko": "ko-kr", "lv": "lv-lv", "lt": "lt-lt", "mk": "mk-mk", "nl": "nl-nl", "nb": "nb-no", "no": "no-no", "pl": "pl-pl", "pt": "pt-pt", "ro": "

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\EntityExtraction\EntityExtractionAssetStore.db\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\EntityExtraction\EntityExtractionAssetStore.db\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	327
Entropy (8bit):	5.154687305758451
Encrypted:	false
SSDEEP:	6:PPQUD1N723oH+Tcwtj2WwnvB2KLllPlXN4q2PN723oH+Tcwtj2WwnvIFUv:PPFaYebjxwnvFLnPlXOvVaYebjxwnQF2
MD5:	4C64B2FDFD52FCCA7BA3AAB0FDA4FDAA
SHA1:	0752E32DFF125169822197F934FCC1ED05AEA0E5
SHA-256:	638B69F551245A05F4CE01B7EA67443371E78B98DCFA0331B27507C03C3BCBF4
SHA-512:	534ED2A10013EA9010B6F0535C7E2842CD9597B90196052E5788B21DB084387DD531D2413C26B3B1812FFCD7FE16726917C1BFD2962995F4B493DC3C5469A6AD
Malicious:	false
Preview:	2024/09/03-15:45:02.301 21a0 Creating DB C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\EntityExtractionAssetStore.db since it was missing..2024/09/03-15:45:02.336 21a0 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\EntityExtractionAssetStore.db/MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\EntityExtraction\EntityExtractionAssetStore.db\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\EntityExtraction\domains_config.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	modified
Size (bytes):	358860
Entropy (8bit):	5.324614774616401
Encrypted:	false
SSDEEP:	6144:CgimBVvUrsc6rRA81b/18jyJNjfvrfM6Re:C1gAg1zfvm
MD5:	C52B534767876B569D218C830D5753E4
SHA1:	502EE51E8E1CAECC1CF5917470F445358B72D552
SHA-256:	95C860C09F84BF0E79763CAF7D9E77C83AA6EEBBD0798D478E2D7CCEF59DEA02
SHA-512:	317FCA7DDAE898746ED0BAE44E66DCC088EF1A7FEC43B531F4500E8B7619B4540790165138FD6E9D2C2E8491E2038419F5EEF8C4126E9E410A0879C5A13E3D7D
Malicious:	false
Preview:	{"aee_config":{"ar":{"price_regex":{"ae":"(((ae\|aed\|\\x{062F}\\x{0660}\\x{0625}\\x{0660}\|\\x{062F}\\.\\x{0625}\|dhs\|dh)\\s\\d{1,3})\|(\\d{1,3}\\s(ae\|aed\|\\x{062F}\\x{0660}\\x{0625}\\x{0660}\|\\x{062F}\\.\\x{0625}\|dhs\|dh)))","dz":"(((dzd\|da\|\\x{062F}\\x{062C})\\s\\d{1,3})\|(\\d{1,3}\\s(dzd\|da\|\\x{062F}\\x{062C})))","eg":"(((e\\x{00a3}\|egp)\\s\\d{1,3})\|(\\d{1,3}\\s(e\\x{00a3}\|egp)))","ma":"(((mad\|dhs\|dh)\\s\\d{1,3})\|(\\d{1,3}\\s(mad\|dhs\|dh)))","sa":"((\\d{1,3}\\s(sar\\s\\x{fdfc}\|sar\|sr\|\\x{fdfc}\|\\.\\x{0631}\\.\\x{0633}))\|((sar\\s\\x{fdfc}\|sar\|sr\|\\x{fdfc}\|\\.\\x{0631}\\.\\x{0633})\\s\\d{1,3}))"},"product_terms":"((\\x{0623}\\x{0636}\\x{0641}\\s\\x{0625}\\x{0644}\\x{0649}\\s\\x{0627}\\x{0644}\\x{0639}\\x{0631}\\x{0628}\\x{0629})\|(\\x{0623}\\x{0636}\\x{0641}\\s\\x{0625}\\x{0644}\\x{0649}\\s\\x{0627}\\x{0644}\\x{062D}\\x{0642}\\x{064A}\\x{0628}\\x{0629})\|(\\x{0627}\\x{0634}\\x{062A}\\x{0631}\\x{064A}\\s*\\x{0627}\\x{0644}\\x{0622}\\x{0646})\|(\\x{062E}\\x{064A}\\x{0627}\\x{0631}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension Rules\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension Rules\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	171
Entropy (8bit):	1.8784775129881184
Encrypted:	false
SSDEEP:	3:FQxlXNQxlXNQxlXNQxlXNQxlXNQxlXNQxlXNQxlXNQxlX:qTCTCTCTCTCTCTCTCT
MD5:	E952942B492DB39A75DD2669B98EBE74
SHA1:	F6C4DEF325DCA0DFEC01759D7D8610837A370176
SHA-256:	14F92B911F9FE774720461EEC5BB4761AE6BFC9445C67E30BF624A8694B4B1DA
SHA-512:	9193E7BBE7EB633367B39513B48EFED11FD457DCED070A8708F8572D0AB248CBFF37254599A6BFB469637E0DCCBCD986347C6B6075C06FAE2AF08387B560DEA0
Malicious:	false
Preview:	.f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5...............

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension Rules\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension Rules\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	299
Entropy (8bit):	5.179028183736217
Encrypted:	false
SSDEEP:	6:P2c+q1N723oH+TcwttaVdg2KLllH7+q2PN723oH+TcwttaPrqIFUv:P2saYebDLnHivVaYeb83FUv
MD5:	72FFD4CCAFCDF1CF4ADB90C0C696A7F2
SHA1:	40EA105D171D1BBD3D8EFDF74917A0EF40123767
SHA-256:	3A883F0B6C2B50A6A93E8E723D92AE823FF9943D66BDD162316AED47D6C8A98E
SHA-512:	53A84D66FAA2C8ECE02A468C188444AF376EE68E8482BC0C02621733AAD7FC83E211447C05942C9B3EEB4EB0AD5C6573D3F5189399EE51A151299344EDB61EBF
Malicious:	false
Preview:	2024/09/03-15:44:57.950 1cc8 Creating DB C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension Rules since it was missing..2024/09/03-15:44:58.054 1cc8 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension Rules/MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension Rules\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension Scripts\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension Scripts\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	171
Entropy (8bit):	1.8784775129881184
Encrypted:	false
SSDEEP:	3:FQxlXNQxlXNQxlXNQxlXNQxlXNQxlXNQxlXNQxlXNQxlX:qTCTCTCTCTCTCTCTCT
MD5:	E952942B492DB39A75DD2669B98EBE74
SHA1:	F6C4DEF325DCA0DFEC01759D7D8610837A370176
SHA-256:	14F92B911F9FE774720461EEC5BB4761AE6BFC9445C67E30BF624A8694B4B1DA
SHA-512:	9193E7BBE7EB633367B39513B48EFED11FD457DCED070A8708F8572D0AB248CBFF37254599A6BFB469637E0DCCBCD986347C6B6075C06FAE2AF08387B560DEA0
Malicious:	false
Preview:	.f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5...............

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension Scripts\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension Scripts\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	303
Entropy (8bit):	5.153894349320002
Encrypted:	false
SSDEEP:	6:PHHFfe+q1N723oH+Tcwtt6FB2KLllH6W+q2PN723oH+Tcwtt65IFUv:PHlfeDaYeb8FFLnH2vVaYeb8WFUv
MD5:	0BDF4DB0109A85B4A1152191AED891B2
SHA1:	FCC44B80A60E374C6B7867D33D849F063DED6D7B
SHA-256:	B7F25853CCFBCA59C1E495A54244702DECB04018327797EA3D1BDF43F92CE163
SHA-512:	FBC009B1AEBA997EEDD8F29463B057E4314F13FBB4DA23277E4982158B49EF318B47255D6C25B0DEB52828F3ABCBDFD07BF71976F64FE89CBF62C18BB418805A
Malicious:	false
Preview:	2024/09/03-15:44:58.055 1cc8 Creating DB C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension Scripts since it was missing..2024/09/03-15:44:58.083 1cc8 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension Scripts/MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension Scripts\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension State\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension State\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	513
Entropy (8bit):	1.8784775129881184
Encrypted:	false
SSDEEP:	6:qTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCT:qWWWWWWWWWWWWWWWWWWWWWWWWWW
MD5:	C92EABB217D45C77F8D52725AD3758F0
SHA1:	43B422AC002BB445E2E9B2C27D74C27CD70C9975
SHA-256:	388C5C95F0F54F32B499C03A37AABFA5E0A31030EC70D0956A239942544B0EEA
SHA-512:	DFD5D1C614F0EBFF97F354DFC23266655C336B9B7112781D7579057814B4503D4B63AB1263258BDA3358E5EE9457429C1A2451B22261A1F1E2D8657F31240D3C
Malicious:	false
Preview:	.f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5...............

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension State\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension State\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	299
Entropy (8bit):	5.171546708615274
Encrypted:	false
SSDEEP:	6:Pcl5ms1N723oH+TcwttYg2KLllcjm+q2PN723oH+TcwttNIFUv:PqXaYebJLnV+vVaYeb0FUv
MD5:	68977BCB530A231946100A1A0AA44C64
SHA1:	3CBA49F31C3D8C53A6B2E198499C6159936E00B9
SHA-256:	9E434054E8DF66D152304503C43AAADA1C38E67877DA2F137F4D25269DB5AE60
SHA-512:	8B6C15B06BACB069B6691BCC0AAF26ADED68A3BC4D996155457CC6304AB6F8FBF7AC2960DD1A936C82C397664FCDEEF5C21F386DD83B16D961CD25B70F870D2C
Malicious:	false
Preview:	2024/09/03-15:44:59.739 1cbc Creating DB C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension State since it was missing..2024/09/03-15:44:59.754 1cbc Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension State/MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension State\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\ExtensionActivityComp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 1, cookie 0x1, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.3169096321222068
Encrypted:	false
SSDEEP:	3:lSWbNFl/sl+ltl4ltllOl83/XWEEabIDWzdWuAzTgdWj3FtFIU:l9bNFlEs1ok8fDEPDadUTgd81Z
MD5:	2554AD7847B0D04963FDAE908DB81074
SHA1:	F84ABD8D05D7B0DFB693485614ECF5204989B74A
SHA-256:	F6EF01E679B9096A7D8A0BD8151422543B51E65142119A9F3271F25F966E6C42
SHA-512:	13009172518387D77A67BBF86719527077BE9534D90CB06E7F34E1CCE7C40B49A185D892EE859A8BAFB69D5EBB6D667831A0FAFBA28AC1F44570C8B68F8C90A4
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\ExtensionActivityEdge

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 2, database pages 8, cookie 0x8, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.40981274649195937
Encrypted:	false
SSDEEP:	24:TL1WK3iOvwxwwweePKmJIOAdQBVA/kjo/TJZwJ9OV3WOT/5eQQ:Tmm+/9ZW943WOT/
MD5:	1A7F642FD4F71A656BE75B26B2D9ED79
SHA1:	51BBF587FB0CCC2D726DDB95C96757CC2854CFAD
SHA-256:	B96B6DDC10C29496069E16089DB0AB6911D7C13B82791868D583897C6D317977
SHA-512:	FD14EADCF5F7AB271BE6D8EF682977D1A0B5199A142E4AB353614F2F96AE9B49A6F35A19CC237489F297141994A4A16B580F88FAC44486FCB22C05B2F1C3F7D1
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j............M.....8...b..............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Favicons

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 10, cookie 0x8, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6975083372685086
Encrypted:	false
SSDEEP:	24:LLiZxh0GY/l1rWR1PmCx9fZjsBX+T6UwcE85fBmI:EBmw6fU1zBmI
MD5:	F5BBD8449A9C3AB28AC2DE45E9059B01
SHA1:	C569D730853C33234AF2402E69C19E0C057EC165
SHA-256:	825FF36C4431084C76F3D22CE0C75FA321EA680D1F8548706B43E60FCF5B566E
SHA-512:	96ACDED5A51236630A64FAE91B8FA9FAB43E22E0C1BCB80C2DD8D4829E03FBFA75AA6438053599A42EC4BBCF805BF0B1E6DFF9069B2BA182AD0BB30F2542FD3F
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g....._.c...~.2.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................s...;+...indexfavicon_bitmaps_icon_idfavico

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\GPUCache\data_0

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 512, next free block index 3284796609, field type 0
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.01057775872642915
Encrypted:	false
SSDEEP:	3:MsFl:/F
MD5:	CF89D16BB9107C631DAABF0C0EE58EFB
SHA1:	3AE5D3A7CF1F94A56E42F9A58D90A0B9616AE74B
SHA-256:	D6A5FE39CD672781B256E0E3102F7022635F1D4BB7CFCC90A80FFFE4D0F3877E
SHA-512:	8CB5B059C8105EB91E74A7D5952437AAA1ADA89763C5843E7B0F1B93D9EBE15ED40F287C652229291FAC02D712CF7FF5ECECEF276BA0D7DDC35558A3EC3F77B0
Malicious:	false
Preview:	............$...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\GPUCache\data_1

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	270336
Entropy (8bit):	0.0012471779557650352
Encrypted:	false
SSDEEP:	3:MsEllllkEthXllkl2zE:/M/xT02z
MD5:	F50F89A0A91564D0B8A211F8921AA7DE
SHA1:	112403A17DD69D5B9018B8CEDE023CB3B54EAB7D
SHA-256:	B1E963D702392FB7224786E7D56D43973E9B9EFD1B89C17814D7C558FFC0CDEC
SHA-512:	BF8CDA48CF1EC4E73F0DD1D4FA5562AF1836120214EDB74957430CD3E4A2783E801FA3F4ED2AFB375257CAEED4ABE958265237D6E0AACF35A9EDE7A2E8898D58
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\GPUCache\data_2

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.011852361981932763
Encrypted:	false
SSDEEP:	3:MsHlDll:/H
MD5:	0962291D6D367570BEE5454721C17E11
SHA1:	59D10A893EF321A706A9255176761366115BEDCB
SHA-256:	EC1702806F4CC7C42A82FC2B38E89835FDE7C64BB32060E0823C9077CA92EFB7
SHA-512:	F555E961B69E09628EAF9C61F465871E6984CD4D31014F954BB747351DAD9CEA6D17C1DB4BCA2C1EB7F187CB5F3C0518748C339C8B43BBD1DBD94AEAA16F58ED
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\GPUCache\data_3

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.012340643231932763
Encrypted:	false
SSDEEP:	3:MsGl3ll:/y
MD5:	41876349CB12D6DB992F1309F22DF3F0
SHA1:	5CF26B3420FC0302CD0A71E8D029739B8765BE27
SHA-256:	E09F42C398D688DCE168570291F1F92D079987DEDA3099A34ADB9E8C0522B30C
SHA-512:	E9A4FC1F7CB6AE2901F8E02354A92C4AAA7A53C640DCF692DB42A27A5ACC2A3BFB25A0DE0EB08AB53983132016E7D43132EA4292E439BB636AAFD53FB6EF907E
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\GPUCache\index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 768, next free block index 3284796353, field type 0
Category:	dropped
Size (bytes):	262512
Entropy (8bit):	9.553120663130604E-4
Encrypted:	false
SSDEEP:	3:LsNlR23a+:Ls3Q3a+
MD5:	56CB40E1C3615EEB9361B3C381505814
SHA1:	F58EE4A001A43B4400864DA504A466F2C33FECD6
SHA-256:	4F602E8075F0CA2309F15565E195150FE652CADD6599D7A91C4D9B7D682B4F06
SHA-512:	9968D99094E4704CBB165C1385463469B35F7F64EC22B1C980EA32971D63730DB12469BEA3FD38D6C59A11B27891D040A472F964DD4C5F7F1EA170B53F3F9AD0
Malicious:	false
Preview:	..........................................\|.../.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\History

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 38, cookie 0x1f, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	155648
Entropy (8bit):	0.5407252242845243
Encrypted:	false
SSDEEP:	96:OgWyejzH+bDoYysX0IxQzZkHtpVJNlYDLjGQLBE3CeE0kE:OJhH+bDo3iN0Z2TVJkXBBE3yb
MD5:	7B955D976803304F2C0505431A0CF1CF
SHA1:	E29070081B18DA0EF9D98D4389091962E3D37216
SHA-256:	987FB9BFC2A84C4C605DCB339D4935B52A969B24E70D6DEAC8946BA9A2B432DC
SHA-512:	CE2F1709F39683BE4131125BED409103F5EDF1DED545649B186845817C0D69E3D0B832B236F7C4FC09AB7F7BB88E7C9F1E4F7047D1AF56D429752D4D8CBED47A
Malicious:	false
Preview:	SQLite format 3......@ .......&..................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\History-journal

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8720
Entropy (8bit):	0.2191763562065486
Encrypted:	false
SSDEEP:	3:el59tFlljq7A/mhWJFuQ3yy7IOWUSNlotdweytllrE9SFcTp4AGbNCV9RUIx:6I75fOsotd0Xi99pEYz
MD5:	C0C688E34007B70FA932A5795320520F
SHA1:	6F8A2B22E97AF7950D6824E9F54E51B4AEF7D89E
SHA-256:	E152E77E5935AD2552FE1C73C94B04ACBC9E90243C552501F1AC32EEF005D64E
SHA-512:	987658BEC3A3305D46170DECF76F23B6CC1697F7E5155743DE67AD0FEE511B1AC15C8A2B9D864A46C804CB6589988CAFAC5F5F353EEE6B9F299C6CE11D06EDB6
Malicious:	false
Preview:	.............q.f...&....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\HubApps Icons

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 2, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	0.33890226319329847
Encrypted:	false
SSDEEP:	12:TLMfly7aoxrRGcAkSQdC6ae1//fxEjkE/RFL2iFV1eHFxOUwa5qgufTsZ75fOSI:TLYcjr0+Pdajk+FZH1W6UwccI5fBI
MD5:	971F4C153D386AC7ED39363C31E854FC
SHA1:	339841CA0088C9EABDE4AACC8567D2289CCB9544
SHA-256:	B6468DA6EC0EAE580B251692CFE24620D39412954421BBFDECB13EF21BE7BC88
SHA-512:	1A4DD0C2BE163AAB3B81D63DEB4A7DB6421612A6CF1A5685951F86B7D5A40B67FC6585B7E52AA0CC20FF47349F15DFF0C9038086E3A7C78AE0FFBEE6D8AA7F7E
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...:.8....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	383
Entropy (8bit):	5.227012980383786
Encrypted:	false
SSDEEP:	6:PPKJs1N723oH+TcwtRage8Y55HEZzXELIx2KLllPHfjM+q2PN723oH+TcwtRages:PPKWaYebRrcHEZrEkVLnPHbM+vVaYebV
MD5:	77225A9BE296B3193A5583CE782D4FCB
SHA1:	1A0032C699CABF95196FDC059BDF0957352ECD18
SHA-256:	1B2F498FE841A42046AB5F417269A014277190BD1FA3EE3BE7E4A351BE3AF6B0
SHA-512:	2EF3F6F888100DBEE8995C1955FA3D43DBAB25DC688288947682B078F373B8A493D199AF7FD2E940A75A4834FB543EA2525593656755770A25BB2394B601A48D
Malicious:	false
Preview:	2024/09/03-15:45:00.663 1c8c Creating DB C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold since it was missing..2024/09/03-15:45:00.699 1c8c Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold/MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Local Storage\leveldb\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Local Storage\leveldb\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Local Storage\leveldb\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	311
Entropy (8bit):	5.195541931644288
Encrypted:	false
SSDEEP:	6:PcV2CRM1N723oH+TcwtRa2jM8B2KLllcbZVq2PN723oH+TcwtRa2jMGIFUv:PS2CRsaYebRjFLnMvVaYebREFUv
MD5:	016B85BE0BA28A4F8F6A0ED66DEB7FE9
SHA1:	E0679D3B2A450B9FE0CBEF5DF1C9C91A108ABD77
SHA-256:	F2FE46FDD06F21B43770AE394B9DA615842EFFB84251E4869ED9E5E1A5AC0649
SHA-512:	1EBDF475DF2CFA8F6C4DF1BCE0894B624D7A4E6243FC1CC2E2AEB63DDB32FCE8532FED6C5B4C49D81D2FD8EA87E9D69C6835688033162E650CEFAAE88B33FE78
Malicious:	false
Preview:	2024/09/03-15:44:59.374 1db4 Creating DB C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Local Storage\leveldb since it was missing..2024/09/03-15:44:59.394 1db4 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Local Storage\leveldb/MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Local Storage\leveldb\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Login Data

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	51200
Entropy (8bit):	0.8745933985004888
Encrypted:	false
SSDEEP:	96:y8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:y8yLG7IwRWf4
MD5:	7A9BF0D6AB6967E057DB6BA4EE45243B
SHA1:	0C8775DE3A37242BA7CF2FAE40613E935970928F
SHA-256:	E3C8C78A681C3CB37BE10D4B3D9E97E05D438DCF71FBF9CE4F388A3F3218BE8F
SHA-512:	42BCF1D8588E89E9DE413A4AE5C973D5F149F09273CB293EDF53AB2EF94D493310F19F10CA06EBDF6893CB46AA234A5BAA1C4CD1D531F26C1B406B7AE459EEDA
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Network Action Predictor

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 11, cookie 0x6, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	45056
Entropy (8bit):	0.40293591932113104
Encrypted:	false
SSDEEP:	24:TLVgTjDk5Yk8k+/kCkzD3zzbLGfIzLihje90xq/WMFFfeFzfXVVlYWOT/CUFSe:Tmo9n+8dv/qALihje9kqL42WOT/9F
MD5:	ADC0CFB8A1A20DE2C4AB738B413CBEA4
SHA1:	238EF489E5FDC6EBB36F09D415FB353350E7097B
SHA-256:	7C071E36A64FB1881258712C9880F155D9CBAC693BADCC391A1CB110C257CC37
SHA-512:	38C8B7293B8F7BEF03299BAFB981EEEE309945B1BDE26ACDAD6FDD63247C21CA04D493A1DDAFC3B9A1904EFED998E9C7C0C8E98506FD4AC0AB252DFF34566B66
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.......=......\.t.+.>...,...=........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Network\03108db3-17f2-4580-859d-1747a3c5ab4b.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Network\04775e64-de37-475b-a971-cc8ca812d95e.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	40
Entropy (8bit):	4.1275671571169275
Encrypted:	false
SSDEEP:	3:Y2ktGMxkAXWMSN:Y2xFMSN
MD5:	20D4B8FA017A12A108C87F540836E250
SHA1:	1AC617FAC131262B6D3CE1F52F5907E31D5F6F00
SHA-256:	6028BD681DBF11A0A58DDE8A0CD884115C04CAA59D080BA51BDE1B086CE0079D
SHA-512:	507B2B8A8A168FF8F2BDAFA5D9D341C44501A5F17D9F63F3D43BD586BC9E8AE33221887869FA86F845B7D067CB7D2A7009EFD71DDA36E03A40A74FEE04B86856
Malicious:	false
Preview:	{"SDCH":{"dictionaries":{},"version":2}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Network\085c3cbe-7b65-4987-9b1b-2ad109521823.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	111
Entropy (8bit):	4.718418993774295
Encrypted:	false
SSDEEP:	3:YLb9N+eAXRfHDH2LS7PMVKJq0nMb1KKtiVY:YHpoeS7PMVKJTnMRK3VY
MD5:	285252A2F6327D41EAB203DC2F402C67
SHA1:	ACEDB7BA5FBC3CE914A8BF386A6F72CA7BAA33C6
SHA-256:	5DFC321417FC31359F23320EA68014EBFD793C5BBED55F77DAB4180BBD4A2026
SHA-512:	11CE7CB484FEE66894E63C31DB0D6B7EF66AD0327D4E7E2EB85F3BCC2E836A3A522C68D681E84542E471E54F765E091EFE1EE4065641B0299B15613EB32DCC0D
Malicious:	false
Preview:	{"net":{"http_server_properties":{"servers":[],"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"4G"}}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Network\Cookies

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6732424250451717
Encrypted:	false
SSDEEP:	24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
MD5:	CFFF4E2B77FC5A18AB6323AF9BF95339
SHA1:	3AA2C2115A8EB4516049600E8832E9BFFE0C2412
SHA-256:	EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
SHA-512:	0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Network\Network Persistent State (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	59
Entropy (8bit):	4.619434150836742
Encrypted:	false
SSDEEP:	3:YLbkVKJq0nMb1KKtiVY:YHkVKJTnMRK3VY
MD5:	2800881C775077E1C4B6E06BF4676DE4
SHA1:	2873631068C8B3B9495638C865915BE822442C8B
SHA-256:	226EEC4486509917AA336AFEBD6FF65777B75B65F1FB06891D2A857A9421A974
SHA-512:	E342407AB65CC68F1B3FD706CD0A37680A0864FFD30A6539730180EDE2CDCD732CC97AE0B9EF7DB12DA5C0F83E429DF0840DBF7596ACA859A0301665E517377B
Malicious:	false
Preview:	{"net":{"network_qualities":{"CAESABiAgICA+P////8B":"4G"}}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Network\Network Persistent State~RF46722.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	59
Entropy (8bit):	4.619434150836742
Encrypted:	false
SSDEEP:	3:YLbkVKJq0nMb1KKtiVY:YHkVKJTnMRK3VY
MD5:	2800881C775077E1C4B6E06BF4676DE4
SHA1:	2873631068C8B3B9495638C865915BE822442C8B
SHA-256:	226EEC4486509917AA336AFEBD6FF65777B75B65F1FB06891D2A857A9421A974
SHA-512:	E342407AB65CC68F1B3FD706CD0A37680A0864FFD30A6539730180EDE2CDCD732CC97AE0B9EF7DB12DA5C0F83E429DF0840DBF7596ACA859A0301665E517377B
Malicious:	false
Preview:	{"net":{"network_qualities":{"CAESABiAgICA+P////8B":"4G"}}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Network\Reporting and NEL

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 6, database pages 9, cookie 0x4, schema 4, UTF-8, version-valid-for 6
Category:	dropped
Size (bytes):	36864
Entropy (8bit):	0.7608042709291202
Encrypted:	false
SSDEEP:	48:TaIopKWurJNVr1GJmA8pv82pfurJNVrdHXuccaurJN2VrJ1n4n1GmzNGU1cSBke3:uIEumQv8m1ccnvS6p
MD5:	0968E65CE2ACA1675F78D9413C13C153
SHA1:	88EA2860DB7CAC5FA26D5848BBF35F79A24A0D89
SHA-256:	D98CB9FEA9FEFB0A21C0939BDF33CFD9DB4B68976F462DAF216A8AB46831AAF9
SHA-512:	BCEC77C7E4AC44229A73D1A9FEDDFDF32146792E7AD3AD07CAE1D8AB250D4B7F91C0923C6643472C97BEB7C66339E1E81FFD6253FD57F605E7D7A00A0A09E720
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...D.........7............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Network\SCT Auditing Pending Reports (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Network\SCT Auditing Pending Reports~RF343b1.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Network\Sdch Dictionaries (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	40
Entropy (8bit):	4.1275671571169275
Encrypted:	false
SSDEEP:	3:Y2ktGMxkAXWMSN:Y2xFMSN
MD5:	20D4B8FA017A12A108C87F540836E250
SHA1:	1AC617FAC131262B6D3CE1F52F5907E31D5F6F00
SHA-256:	6028BD681DBF11A0A58DDE8A0CD884115C04CAA59D080BA51BDE1B086CE0079D
SHA-512:	507B2B8A8A168FF8F2BDAFA5D9D341C44501A5F17D9F63F3D43BD586BC9E8AE33221887869FA86F845B7D067CB7D2A7009EFD71DDA36E03A40A74FEE04B86856
Malicious:	false
Preview:	{"SDCH":{"dictionaries":{},"version":2}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Network\Trust Tokens

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 9, cookie 0x6, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	36864
Entropy (8bit):	0.36515621748816035
Encrypted:	false
SSDEEP:	24:TLH3lIIAoDJ84l5lDlnDMlRlyKDtM6UwccWfp15fBIe:Tb31DtX5nDOvyKDhU1cSB
MD5:	25363ADC3C9D98BAD1A33D0792405CBF
SHA1:	D06E343087D86EF1A06F7479D81B26C90A60B5C3
SHA-256:	6E019B8B9E389216D5BDF1F2FE63F41EF98E71DA101F2A6BE04F41CC5954532D
SHA-512:	CF7EEE35D0E00945AF221BEC531E8BF06C08880DA00BD103FA561BC069D7C6F955CBA3C1C152A4884601E5A670B7487D39B4AE9A4D554ED8C14F129A74E555F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.......X..g...}.....$.X..............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Network\a2219384-9686-4a54-ad78-7a60206a2356.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Network\b03efe3a-f136-4dab-a90a-a434e8722ced.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	59
Entropy (8bit):	4.619434150836742
Encrypted:	false
SSDEEP:	3:YLbkVKJq0nMb1KKtiVY:YHkVKJTnMRK3VY
MD5:	2800881C775077E1C4B6E06BF4676DE4
SHA1:	2873631068C8B3B9495638C865915BE822442C8B
SHA-256:	226EEC4486509917AA336AFEBD6FF65777B75B65F1FB06891D2A857A9421A974
SHA-512:	E342407AB65CC68F1B3FD706CD0A37680A0864FFD30A6539730180EDE2CDCD732CC97AE0B9EF7DB12DA5C0F83E429DF0840DBF7596ACA859A0301665E517377B
Malicious:	false
Preview:	{"net":{"network_qualities":{"CAESABiAgICA+P////8B":"4G"}}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Nurturing\campaign_history

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 2, database pages 5, cookie 0x2, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.46731661083066856
Encrypted:	false
SSDEEP:	12:TL1QAFUxOUDaabZXiDiIF8izX4fhhdWeci2oesJaYi3is25q0S9K0xHZ75fOV:TLiOUOq0afDdWec9sJf5Q7J5fc
MD5:	E93ACF0820CA08E5A5D2D159729F70E3
SHA1:	2C1A4D4924B9AEC1A796F108607404B000877C5D
SHA-256:	F2267FDA7F45499F7A01186B75CEFB799F8D2BC97E2E9B5068952D477294302C
SHA-512:	3BF36C20E04DCF1C16DC794E272F82F68B0DE43F16B4A9746B63B6D6BBC953B00BD7111CDA7AFE85CEBB2C447145483A382B15E2B0A5B36026C3441635D4E50C
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Preferences (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	6296
Entropy (8bit):	4.97224243860445
Encrypted:	false
SSDEEP:	96:stIqfeis1HKDb9BoS+fq8zeE1cs85eh6Cb7/x+6MhmuecmAeSRdl2MMu/EJ:stI6shKcS+fqkOs88bV+FiA1lPjMJ
MD5:	2860CC53894D772DABB8788A4166FC29
SHA1:	5D4E272CD97454B85020A380EC887EBE4E05ED88
SHA-256:	023E2FCFBA39B9D4C15C0BB39E03AC245A3A81A18B288A48DD3D4A1B54219528
SHA-512:	E80F22B8CAAEC168D90C60E68DF9CD4D88863746405926287AA9919D27FD6EB921D7E45CC598318249497439A4DD54F3E5F31363845C3927670CCCF9F8B88685
Malicious:	false
Preview:	{"aadc_info":{"age_group":0},"account_tracker_service_last_update":"13369866298852721","alternate_error_pages":{"backup":true},"apps":{"shortcuts_arch":"","shortcuts_version":0},"arbitration_using_experiment_config":false,"browser":{"available_dark_theme_options":"All","has_seen_welcome_page":false},"continuous_migration":{"ci_correction_for_holdout_treatment_state":1},"countryid_at_install":17224,"custom_links":{"list":[]},"domain_diversity":{"last_reporting_timestamp":"13369866298852529"},"download":{"default_directory":"C:\\Users\\user\\AppData\\Local\\Microsoft\\Edge\\KioskDownloads\\","directory_upgrade":true},"dual_user":{"consumer_mode":{"ie_user":false},"consumer_site_list_with_ie_entries":false,"consumer_sitelist_location":"","consumer_sitelist_version":"","external_consumer_shared_cookie_data":{},"shared_cookie_data":{},"sitelist_data_2":{},"sitelist_has_consumer_data":false,"sitelist_has_enterprise_data":false,"sitelist_location":"","sitelist_source":0,"sitelist_versio

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Preferences~RF3d4e5.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	6296
Entropy (8bit):	4.97224243860445
Encrypted:	false
SSDEEP:	96:stIqfeis1HKDb9BoS+fq8zeE1cs85eh6Cb7/x+6MhmuecmAeSRdl2MMu/EJ:stI6shKcS+fqkOs88bV+FiA1lPjMJ
MD5:	2860CC53894D772DABB8788A4166FC29
SHA1:	5D4E272CD97454B85020A380EC887EBE4E05ED88
SHA-256:	023E2FCFBA39B9D4C15C0BB39E03AC245A3A81A18B288A48DD3D4A1B54219528
SHA-512:	E80F22B8CAAEC168D90C60E68DF9CD4D88863746405926287AA9919D27FD6EB921D7E45CC598318249497439A4DD54F3E5F31363845C3927670CCCF9F8B88685
Malicious:	false
Preview:	{"aadc_info":{"age_group":0},"account_tracker_service_last_update":"13369866298852721","alternate_error_pages":{"backup":true},"apps":{"shortcuts_arch":"","shortcuts_version":0},"arbitration_using_experiment_config":false,"browser":{"available_dark_theme_options":"All","has_seen_welcome_page":false},"continuous_migration":{"ci_correction_for_holdout_treatment_state":1},"countryid_at_install":17224,"custom_links":{"list":[]},"domain_diversity":{"last_reporting_timestamp":"13369866298852529"},"download":{"default_directory":"C:\\Users\\user\\AppData\\Local\\Microsoft\\Edge\\KioskDownloads\\","directory_upgrade":true},"dual_user":{"consumer_mode":{"ie_user":false},"consumer_site_list_with_ie_entries":false,"consumer_sitelist_location":"","consumer_sitelist_version":"","external_consumer_shared_cookie_data":{},"shared_cookie_data":{},"sitelist_data_2":{},"sitelist_has_consumer_data":false,"sitelist_has_enterprise_data":false,"sitelist_location":"","sitelist_source":0,"sitelist_versio

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Preferences~RF44a15.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	6296
Entropy (8bit):	4.97224243860445
Encrypted:	false
SSDEEP:	96:stIqfeis1HKDb9BoS+fq8zeE1cs85eh6Cb7/x+6MhmuecmAeSRdl2MMu/EJ:stI6shKcS+fqkOs88bV+FiA1lPjMJ
MD5:	2860CC53894D772DABB8788A4166FC29
SHA1:	5D4E272CD97454B85020A380EC887EBE4E05ED88
SHA-256:	023E2FCFBA39B9D4C15C0BB39E03AC245A3A81A18B288A48DD3D4A1B54219528
SHA-512:	E80F22B8CAAEC168D90C60E68DF9CD4D88863746405926287AA9919D27FD6EB921D7E45CC598318249497439A4DD54F3E5F31363845C3927670CCCF9F8B88685
Malicious:	false
Preview:	{"aadc_info":{"age_group":0},"account_tracker_service_last_update":"13369866298852721","alternate_error_pages":{"backup":true},"apps":{"shortcuts_arch":"","shortcuts_version":0},"arbitration_using_experiment_config":false,"browser":{"available_dark_theme_options":"All","has_seen_welcome_page":false},"continuous_migration":{"ci_correction_for_holdout_treatment_state":1},"countryid_at_install":17224,"custom_links":{"list":[]},"domain_diversity":{"last_reporting_timestamp":"13369866298852529"},"download":{"default_directory":"C:\\Users\\user\\AppData\\Local\\Microsoft\\Edge\\KioskDownloads\\","directory_upgrade":true},"dual_user":{"consumer_mode":{"ie_user":false},"consumer_site_list_with_ie_entries":false,"consumer_sitelist_location":"","consumer_sitelist_version":"","external_consumer_shared_cookie_data":{},"shared_cookie_data":{},"sitelist_data_2":{},"sitelist_has_consumer_data":false,"sitelist_has_enterprise_data":false,"sitelist_location":"","sitelist_source":0,"sitelist_versio

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\PreferredApps

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	33
Entropy (8bit):	4.051821770808046
Encrypted:	false
SSDEEP:	3:YVXADAEvTLSJ:Y9AcEvHSJ
MD5:	2B432FEF211C69C745ACA86DE4F8E4AB
SHA1:	4B92DA8D4C0188CF2409500ADCD2200444A82FCC
SHA-256:	42B55D126D1E640B1ED7A6BDCB9A46C81DF461FA7E131F4F8C7108C2C61C14DE
SHA-512:	948502DE4DC89A7E9D2E1660451FCD0F44FD3816072924A44F145D821D0363233CC92A377DBA3A0A9F849E3C17B1893070025C369C8120083A622D025FE1EACF
Malicious:	false
Preview:	{"preferred_apps":[],"version":1}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\README

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	182
Entropy (8bit):	4.2629097520179995
Encrypted:	false
SSDEEP:	3:RGXKRjg0QwVIWRKXECSAV6jDyhjgHGAW+LB2Z4MKLFE1SwhiFAfXQmWyKBPMwRgK:z3frsUpAQQgHGwB26MK8Sw06fXQmWtRT
MD5:	643E00B0186AA80523F8A6BED550A925
SHA1:	EC4056125D6F1A8890FFE01BFFC973C2F6ABD115
SHA-256:	A0C9ABAE18599F0A65FC654AD36251F6330794BEA66B718A09D8B297F3E38E87
SHA-512:	D91A934EAF7D9D669B8AD4452234DE6B23D15237CB4D251F2C78C8339CEE7B4F9BA6B8597E35FE8C81B3D6F64AE707C68FF492903C0EDC3E4BAF2C6B747E247D
Malicious:	false
Preview:	Microsoft Edge settings and storage represent user-selected preferences and information and MUST not be extracted, overwritten or modified except through Microsoft Edge defined APIs.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Secure Preferences (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24799
Entropy (8bit):	5.566455670194235
Encrypted:	false
SSDEEP:	768:iOVdP+WjqW5wWsf4dc8F1+UoAYDCx9Tuqh0VfUC9xbog/OVPvPID43drwXvL3+pC:iwJ+YqWaWsfscu1jaq6ym/jbtP
MD5:	D0004272BBF4C31E70A658C934C2D916
SHA1:	14C8B49FD84EF5515D5C0D82276CDCF02CA6397B
SHA-256:	19E494AD0BAFD0C8BC294AB026845BCD8472D152D4B2A4788C18FCA665EA37F5
SHA-512:	81C4DB201AF4713E30D79AF0EBB58D1017E265D6AE528B255C74625F6FD44A09EA4FCF26AB2B545A8570F2F08B0DAF23AC8FC4E6CC90C56B57A31629E710BDFE
Malicious:	false
Preview:	{"edge_fundamentals_appdefaults":{"ess_lightweight_version":101},"ess_kv_states":{"restore_on_startup":{"closed_notification":false,"decrypt_success":true,"key":"restore_on_startup","notification_popup_count":0},"startup_urls":{"closed_notification":false,"decrypt_success":true,"key":"startup_urls","notification_popup_count":0},"template_url_data":{"closed_notification":false,"decrypt_success":true,"key":"template_url_data","notification_popup_count":0}},"extensions":{"settings":{"ahfgeienlihckogmohjhadlkjgocpleb":{"active_permissions":{"api":["management","system.display","system.storage","webstorePrivate","system.cpu","system.memory","system.network"],"explicit_host":[],"manifest_permissions":[],"scriptable_host":[]},"app_launcher_ordinal":"t","commands":{},"content_settings":[],"creation_flags":1,"events":[],"first_install_time":"13369866297943856","from_webstore":false,"incognito_content_settings":[],"incognito_preferences":{},"last_update_time":"13369866297943856","location":5,"ma

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Secure Preferences~RF3a49e.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24799
Entropy (8bit):	5.566455670194235
Encrypted:	false
SSDEEP:	768:iOVdP+WjqW5wWsf4dc8F1+UoAYDCx9Tuqh0VfUC9xbog/OVPvPID43drwXvL3+pC:iwJ+YqWaWsfscu1jaq6ym/jbtP
MD5:	D0004272BBF4C31E70A658C934C2D916
SHA1:	14C8B49FD84EF5515D5C0D82276CDCF02CA6397B
SHA-256:	19E494AD0BAFD0C8BC294AB026845BCD8472D152D4B2A4788C18FCA665EA37F5
SHA-512:	81C4DB201AF4713E30D79AF0EBB58D1017E265D6AE528B255C74625F6FD44A09EA4FCF26AB2B545A8570F2F08B0DAF23AC8FC4E6CC90C56B57A31629E710BDFE
Malicious:	false
Preview:	{"edge_fundamentals_appdefaults":{"ess_lightweight_version":101},"ess_kv_states":{"restore_on_startup":{"closed_notification":false,"decrypt_success":true,"key":"restore_on_startup","notification_popup_count":0},"startup_urls":{"closed_notification":false,"decrypt_success":true,"key":"startup_urls","notification_popup_count":0},"template_url_data":{"closed_notification":false,"decrypt_success":true,"key":"template_url_data","notification_popup_count":0}},"extensions":{"settings":{"ahfgeienlihckogmohjhadlkjgocpleb":{"active_permissions":{"api":["management","system.display","system.storage","webstorePrivate","system.cpu","system.memory","system.network"],"explicit_host":[],"manifest_permissions":[],"scriptable_host":[]},"app_launcher_ordinal":"t","commands":{},"content_settings":[],"creation_flags":1,"events":[],"first_install_time":"13369866297943856","from_webstore":false,"incognito_content_settings":[],"incognito_preferences":{},"last_update_time":"13369866297943856","location":5,"ma

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Session Storage\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Session Storage\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	118
Entropy (8bit):	3.160877598186631
Encrypted:	false
SSDEEP:	3:S8ltHlS+QUl1ASEGhTFljljljl:S85aEFljljljl
MD5:	7733303DBE19B64C38F3DE4FE224BE9A
SHA1:	8CA37B38028A2DB895A4570E0536859B3CC5C279
SHA-256:	B10C1BA416A632CD57232C81A5C2E8EE76A716E0737D10EABE1D430BEC50739D
SHA-512:	E8CD965BCA0480DB9808CB1B461AC5BF5935C3CBF31C10FDF090D406F4BC4F3187D717199DCF94197B8DF24C1D6E4FF07241D8CFFFD9AEE06CCE9674F0220E29
Malicious:	false
Preview:	*...#................version.1..namespace-..&f.................&f.................&f.................&f...............

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Session Storage\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Session Storage\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	299
Entropy (8bit):	5.1342168612638694
Encrypted:	false
SSDEEP:	6:PPBcFqCRM1N723oH+TcwtSQM72KLllPB4o0Vq2PN723oH+TcwtSQMxIFUv:PPOFqCRsaYeb0LnP69vVaYebrFUv
MD5:	15AB58B06E24ED403E83CA7D879F2CAA
SHA1:	C778A2F78853FEADD724959090869542871D49F6
SHA-256:	13F7DFFA54174F571885578CA44FCD45756D1B4F318D747A283F8D2CA9509081
SHA-512:	6C59CE1725E8F52B416968EDFCAAE203F163A68648A43FE027AC228F9576B41DAAF858D675990881B299A18E77F87DFA5BE3562ACF1B298D1C4B3A2FAAEC46E1
Malicious:	false
Preview:	2024/09/03-15:45:15.333 1db4 Creating DB C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Session Storage since it was missing..2024/09/03-15:45:15.351 1db4 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Session Storage/MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Session Storage\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Shortcuts

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 5, cookie 0x2, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.44194574462308833
Encrypted:	false
SSDEEP:	12:TLiNCcUMskMVcIWGhWxBzEXx7AAQlvsdFxOUwa5qgufTJpbZ75fOS:TLisVMnYPhIY5Qlvsd6UwccNp15fB
MD5:	B35F740AA7FFEA282E525838EABFE0A6
SHA1:	A67822C17670CCE0BA72D3E9C8DA0CE755A3421A
SHA-256:	5D599596D116802BAD422497CF68BE59EEB7A9135E3ED1C6BEACC48F73827161
SHA-512:	05C0D33516B2C1AB6928FB34957AD3E03CB0A8B7EEC0FD627DD263589655A16DEA79100B6CC29095C3660C95FD2AFB2E4DD023F0597BD586DD664769CABB67F8
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g....."....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Site Characteristics Database\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Site Characteristics Database\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	40
Entropy (8bit):	3.473726825238924
Encrypted:	false
SSDEEP:	3:41tt0diERGn:et084G
MD5:	148079685E25097536785F4536AF014B
SHA1:	C5FF5B1B69487A9DD4D244D11BBAFA91708C1A41
SHA-256:	F096BC366A931FBA656BDCD77B24AF15A5F29FC53281A727C79F82C608ECFAB8
SHA-512:	C2556034EA51ABFBC172EB62FF11F5AC45C317F84F39D4B9E3DDBD0190DA6EF7FA03FE63631B97AB806430442974A07F8E81B5F7DC52D9F2FCDC669ADCA8D91F
Malicious:	false
Preview:	.On.!................database_metadata.1

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Site Characteristics Database\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Site Characteristics Database\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	327
Entropy (8bit):	5.112661890419032
Encrypted:	false
SSDEEP:	6:P2jDq1N723oH+TcwtgUh2gr52KLll2IW+q2PN723oH+TcwtgUh2ghZIFUv:P2juaYeb3hHJLn2UvVaYeb3hHh2FUv
MD5:	0437169B2590C8393047B9CA677B06D5
SHA1:	563B987324968BCACBC9F206FC1EB0D3C7C15ADF
SHA-256:	9D69F7E7F99D6BA5BA7A21E6518920AA2DD9A3B2353F00E64F19ABB9490C866C
SHA-512:	459FB78A133529038DB41E2C1DCA411694B37911A9A51BDB96C67F635B2707A1D86BC6D8026865EC33ED737FCD6B99E2EB7118967421B152AFB3F279F49EE9D5
Malicious:	false
Preview:	2024/09/03-15:44:57.941 1cc8 Creating DB C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Site Characteristics Database since it was missing..2024/09/03-15:44:57.948 1cc8 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Site Characteristics Database/MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Site Characteristics Database\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Cache\Cache_Data\data_0

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 512, next free block index 3284796609, field type 0
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.01057775872642915
Encrypted:	false
SSDEEP:	3:MsFl:/F
MD5:	CF89D16BB9107C631DAABF0C0EE58EFB
SHA1:	3AE5D3A7CF1F94A56E42F9A58D90A0B9616AE74B
SHA-256:	D6A5FE39CD672781B256E0E3102F7022635F1D4BB7CFCC90A80FFFE4D0F3877E
SHA-512:	8CB5B059C8105EB91E74A7D5952437AAA1ADA89763C5843E7B0F1B93D9EBE15ED40F287C652229291FAC02D712CF7FF5ECECEF276BA0D7DDC35558A3EC3F77B0
Malicious:	false
Preview:	............$...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Cache\Cache_Data\data_1

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	270336
Entropy (8bit):	8.280239615765425E-4
Encrypted:	false
SSDEEP:	3:MsEllllkEthXllkl2:/M/xT02
MD5:	D0D388F3865D0523E451D6BA0BE34CC4
SHA1:	8571C6A52AACC2747C048E3419E5657B74612995
SHA-256:	902F30C1FB0597D0734BC34B979EC5D131F8F39A4B71B338083821216EC8D61B
SHA-512:	376011D00DE659EB6082A74E862CFAC97A9BB508E0B740761505142E2D24EC1C30AA61EFBC1C0DD08FF0F34734444DE7F77DD90A6CA42B48A4C7FAD5F0BDDD17
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Cache\Cache_Data\data_2

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.011852361981932763
Encrypted:	false
SSDEEP:	3:MsHlDll:/H
MD5:	0962291D6D367570BEE5454721C17E11
SHA1:	59D10A893EF321A706A9255176761366115BEDCB
SHA-256:	EC1702806F4CC7C42A82FC2B38E89835FDE7C64BB32060E0823C9077CA92EFB7
SHA-512:	F555E961B69E09628EAF9C61F465871E6984CD4D31014F954BB747351DAD9CEA6D17C1DB4BCA2C1EB7F187CB5F3C0518748C339C8B43BBD1DBD94AEAA16F58ED
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Cache\Cache_Data\data_3

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.012340643231932763
Encrypted:	false
SSDEEP:	3:MsGl3ll:/y
MD5:	41876349CB12D6DB992F1309F22DF3F0
SHA1:	5CF26B3420FC0302CD0A71E8D029739B8765BE27
SHA-256:	E09F42C398D688DCE168570291F1F92D079987DEDA3099A34ADB9E8C0522B30C
SHA-512:	E9A4FC1F7CB6AE2901F8E02354A92C4AAA7A53C640DCF692DB42A27A5ACC2A3BFB25A0DE0EB08AB53983132016E7D43132EA4292E439BB636AAFD53FB6EF907E
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Cache\Cache_Data\index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 768, next free block index 3284796353, field type 0
Category:	dropped
Size (bytes):	524656
Entropy (8bit):	4.989325630401085E-4
Encrypted:	false
SSDEEP:	3:LsulzQp:LsT
MD5:	75D750BBF43001F4B85163927CA8081B
SHA1:	9D5D9E06385E408E9C538747D4A1F9112366F32F
SHA-256:	ECAE3A23C260208069AA87FCC7C52F69E860CF12FE5B48B6803E56B8A132E5CB
SHA-512:	533F6A38BB52AD1B225AC8475F553CB4055AC6441C08154CA36396E5CAC46FC80B7CECD1F9E7526F99C43EC343D1C5E9595D5F5CBD3CB5B97650EF141F77E749
Malicious:	false
Preview:	........................................D8.../.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\js\index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	2.1431558784658327
Encrypted:	false
SSDEEP:	3:m+l:m
MD5:	54CB446F628B2EA4A5BCE5769910512E
SHA1:	C27CA848427FE87F5CF4D0E0E3CD57151B0D820D
SHA-256:	FBCFE23A2ECB82B7100C50811691DDE0A33AA3DA8D176BE9882A9DB485DC0F2D
SHA-512:	8F6ED2E91AED9BD415789B1DBE591E7EAB29F3F1B48FDFA5E864D7BF4AE554ACC5D82B4097A770DABC228523253623E4296C5023CF48252E1B94382C43123CB0
Malicious:	false
Preview:	0\r..m..................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\js\index-dir\temp-index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	48
Entropy (8bit):	2.955557653394731
Encrypted:	false
SSDEEP:	3:RaXAyEWpIq+:AwuIq+
MD5:	CD37CACC8F8EA967295E8DE4B7D6E037
SHA1:	C3756CDDAF174D78B5CD64DBCA48DDA2CAF2CD0B
SHA-256:	9AD7404876A3EBFEAC4D3B95D2D6C17F0964C3B81511D3F34650B3FF53F5000D
SHA-512:	5A76D5C0E9379C92E6BC37BFE35D751FC7880585D04081CE0903CD164CB26AB02DF0D802BA0BA5109AB16A82A32820E10E89A441DEC9B5A855B7CE9C010EB25F
Malicious:	false
Preview:	(...L...oy retne.........................\|.../.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\js\index-dir\the-real-index (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	48
Entropy (8bit):	2.955557653394731
Encrypted:	false
SSDEEP:	3:RaXAyEWpIq+:AwuIq+
MD5:	CD37CACC8F8EA967295E8DE4B7D6E037
SHA1:	C3756CDDAF174D78B5CD64DBCA48DDA2CAF2CD0B
SHA-256:	9AD7404876A3EBFEAC4D3B95D2D6C17F0964C3B81511D3F34650B3FF53F5000D
SHA-512:	5A76D5C0E9379C92E6BC37BFE35D751FC7880585D04081CE0903CD164CB26AB02DF0D802BA0BA5109AB16A82A32820E10E89A441DEC9B5A855B7CE9C010EB25F
Malicious:	false
Preview:	(...L...oy retne.........................\|.../.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\wasm\index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	2.1431558784658327
Encrypted:	false
SSDEEP:	3:m+l:m
MD5:	54CB446F628B2EA4A5BCE5769910512E
SHA1:	C27CA848427FE87F5CF4D0E0E3CD57151B0D820D
SHA-256:	FBCFE23A2ECB82B7100C50811691DDE0A33AA3DA8D176BE9882A9DB485DC0F2D
SHA-512:	8F6ED2E91AED9BD415789B1DBE591E7EAB29F3F1B48FDFA5E864D7BF4AE554ACC5D82B4097A770DABC228523253623E4296C5023CF48252E1B94382C43123CB0
Malicious:	false
Preview:	0\r..m..................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\wasm\index-dir\temp-index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	48
Entropy (8bit):	2.955557653394731
Encrypted:	false
SSDEEP:	3:RaXAyEWpIq+:AwuIq+
MD5:	CD37CACC8F8EA967295E8DE4B7D6E037
SHA1:	C3756CDDAF174D78B5CD64DBCA48DDA2CAF2CD0B
SHA-256:	9AD7404876A3EBFEAC4D3B95D2D6C17F0964C3B81511D3F34650B3FF53F5000D
SHA-512:	5A76D5C0E9379C92E6BC37BFE35D751FC7880585D04081CE0903CD164CB26AB02DF0D802BA0BA5109AB16A82A32820E10E89A441DEC9B5A855B7CE9C010EB25F
Malicious:	false
Preview:	(...L...oy retne.........................\|.../.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\wasm\index-dir\the-real-index (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	48
Entropy (8bit):	2.955557653394731
Encrypted:	false
SSDEEP:	3:RaXAyEWpIq+:AwuIq+
MD5:	CD37CACC8F8EA967295E8DE4B7D6E037
SHA1:	C3756CDDAF174D78B5CD64DBCA48DDA2CAF2CD0B
SHA-256:	9AD7404876A3EBFEAC4D3B95D2D6C17F0964C3B81511D3F34650B3FF53F5000D
SHA-512:	5A76D5C0E9379C92E6BC37BFE35D751FC7880585D04081CE0903CD164CB26AB02DF0D802BA0BA5109AB16A82A32820E10E89A441DEC9B5A855B7CE9C010EB25F
Malicious:	false
Preview:	(...L...oy retne.........................\|.../.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\DawnCache\data_0

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 512, next free block index 3284796609, field type 0
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.01057775872642915
Encrypted:	false
SSDEEP:	3:MsFl:/F
MD5:	CF89D16BB9107C631DAABF0C0EE58EFB
SHA1:	3AE5D3A7CF1F94A56E42F9A58D90A0B9616AE74B
SHA-256:	D6A5FE39CD672781B256E0E3102F7022635F1D4BB7CFCC90A80FFFE4D0F3877E
SHA-512:	8CB5B059C8105EB91E74A7D5952437AAA1ADA89763C5843E7B0F1B93D9EBE15ED40F287C652229291FAC02D712CF7FF5ECECEF276BA0D7DDC35558A3EC3F77B0
Malicious:	false
Preview:	............$...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\DawnCache\data_1

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	270336
Entropy (8bit):	0.0012471779557650352
Encrypted:	false
SSDEEP:	3:MsEllllkEthXllkl2zE:/M/xT02z
MD5:	F50F89A0A91564D0B8A211F8921AA7DE
SHA1:	112403A17DD69D5B9018B8CEDE023CB3B54EAB7D
SHA-256:	B1E963D702392FB7224786E7D56D43973E9B9EFD1B89C17814D7C558FFC0CDEC
SHA-512:	BF8CDA48CF1EC4E73F0DD1D4FA5562AF1836120214EDB74957430CD3E4A2783E801FA3F4ED2AFB375257CAEED4ABE958265237D6E0AACF35A9EDE7A2E8898D58
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\DawnCache\data_2

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.011852361981932763
Encrypted:	false
SSDEEP:	3:MsHlDll:/H
MD5:	0962291D6D367570BEE5454721C17E11
SHA1:	59D10A893EF321A706A9255176761366115BEDCB
SHA-256:	EC1702806F4CC7C42A82FC2B38E89835FDE7C64BB32060E0823C9077CA92EFB7
SHA-512:	F555E961B69E09628EAF9C61F465871E6984CD4D31014F954BB747351DAD9CEA6D17C1DB4BCA2C1EB7F187CB5F3C0518748C339C8B43BBD1DBD94AEAA16F58ED
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\DawnCache\data_3

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.012340643231932763
Encrypted:	false
SSDEEP:	3:MsGl3ll:/y
MD5:	41876349CB12D6DB992F1309F22DF3F0
SHA1:	5CF26B3420FC0302CD0A71E8D029739B8765BE27
SHA-256:	E09F42C398D688DCE168570291F1F92D079987DEDA3099A34ADB9E8C0522B30C
SHA-512:	E9A4FC1F7CB6AE2901F8E02354A92C4AAA7A53C640DCF692DB42A27A5ACC2A3BFB25A0DE0EB08AB53983132016E7D43132EA4292E439BB636AAFD53FB6EF907E
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\DawnCache\index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 768, next free block index 3284796353, field type 0
Category:	dropped
Size (bytes):	262512
Entropy (8bit):	9.553120663130604E-4
Encrypted:	false
SSDEEP:	3:LsNl6:Ls3
MD5:	E0B592E0A3BE634D475B13088A54D122
SHA1:	0AB5E6B617EC54CA183D66C4762E304CD52C7068
SHA-256:	A0D6B9087A0C8053778B0FC36489BDA29B2D7B3C04A763A5000EBB852D3F9EA5
SHA-512:	FCD515CB692E4F38FB64D6E10BAF30BE5AE5442F6D6F914913C02A0CC1F09D01E0E5771C9D25C92C2599A6DF9544558BEC297214594B743D9A16F06D557AF1C5
Malicious:	false
Preview:	............................................./.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\data_0

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 512, next free block index 3284796609, field type 0
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.01057775872642915
Encrypted:	false
SSDEEP:	3:MsFl:/F
MD5:	CF89D16BB9107C631DAABF0C0EE58EFB
SHA1:	3AE5D3A7CF1F94A56E42F9A58D90A0B9616AE74B
SHA-256:	D6A5FE39CD672781B256E0E3102F7022635F1D4BB7CFCC90A80FFFE4D0F3877E
SHA-512:	8CB5B059C8105EB91E74A7D5952437AAA1ADA89763C5843E7B0F1B93D9EBE15ED40F287C652229291FAC02D712CF7FF5ECECEF276BA0D7DDC35558A3EC3F77B0
Malicious:	false
Preview:	............$...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\data_1

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	270336
Entropy (8bit):	0.0012471779557650352
Encrypted:	false
SSDEEP:	3:MsEllllkEthXllkl2zE:/M/xT02z
MD5:	F50F89A0A91564D0B8A211F8921AA7DE
SHA1:	112403A17DD69D5B9018B8CEDE023CB3B54EAB7D
SHA-256:	B1E963D702392FB7224786E7D56D43973E9B9EFD1B89C17814D7C558FFC0CDEC
SHA-512:	BF8CDA48CF1EC4E73F0DD1D4FA5562AF1836120214EDB74957430CD3E4A2783E801FA3F4ED2AFB375257CAEED4ABE958265237D6E0AACF35A9EDE7A2E8898D58
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\data_2

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.011852361981932763
Encrypted:	false
SSDEEP:	3:MsHlDll:/H
MD5:	0962291D6D367570BEE5454721C17E11
SHA1:	59D10A893EF321A706A9255176761366115BEDCB
SHA-256:	EC1702806F4CC7C42A82FC2B38E89835FDE7C64BB32060E0823C9077CA92EFB7
SHA-512:	F555E961B69E09628EAF9C61F465871E6984CD4D31014F954BB747351DAD9CEA6D17C1DB4BCA2C1EB7F187CB5F3C0518748C339C8B43BBD1DBD94AEAA16F58ED
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\data_3

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.012340643231932763
Encrypted:	false
SSDEEP:	3:MsGl3ll:/y
MD5:	41876349CB12D6DB992F1309F22DF3F0
SHA1:	5CF26B3420FC0302CD0A71E8D029739B8765BE27
SHA-256:	E09F42C398D688DCE168570291F1F92D079987DEDA3099A34ADB9E8C0522B30C
SHA-512:	E9A4FC1F7CB6AE2901F8E02354A92C4AAA7A53C640DCF692DB42A27A5ACC2A3BFB25A0DE0EB08AB53983132016E7D43132EA4292E439BB636AAFD53FB6EF907E
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 768, next free block index 3284796353, field type 0
Category:	dropped
Size (bytes):	262512
Entropy (8bit):	9.553120663130604E-4
Encrypted:	false
SSDEEP:	3:LsNl2p:Ls3
MD5:	E0EEA301417909F68A7DCC110D65221F
SHA1:	699585833B0ACC1F0736AE80D2450F8CD8FC82F0
SHA-256:	3D1C67F9772534BEA38DCDAD9355DE23BB1BFA02069187D315095EF92A4CA4DD
SHA-512:	B1E67380B1E1914BF83630E2DA7B8B5A4CC24E1DE54097BA11A929F69F7E6A7E3F546609139BF64B06D275AA7BBCBB07498EE8DA10DEE1CE96177E11A2845A79
Malicious:	false
Preview:	............................................../.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	409
Entropy (8bit):	5.218386627031913
Encrypted:	false
SSDEEP:	6:PcdjRM1N723oH+Tcwt0jqEKj3K/2jM8B2KLllPutUVq2PN723oH+Tcwt0jqEKj3V:PoRsaYebqqBvFLnP4svVaYebqqBQFUv
MD5:	53602D55BA1BB2A12F7FAD1B86E6558B
SHA1:	E1FB94F68D66CA324132FF7B4226D10934F8A187
SHA-256:	5D4E2377BF8ABC5234272C794B095C9E0A7D0D3B1042E799DEA3740B4E5BC325
SHA-512:	8F56FB6574EB6B6C1C546C29437EA82008FE103F04E9691BEEDFE7AB7CA0B27335DFF5A20EB3385D98CA6CA00D239ED1DC9CA52BDDE41D73709F57FDE089EB99
Malicious:	false
Preview:	2024/09/03-15:44:59.837 1db4 Creating DB C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb since it was missing..2024/09/03-15:45:00.387 1db4 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb/MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\643ab239-aa3e-47db-a708-866b25f1d824.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\88439df4-b231-4838-8fd5-63e55f4408aa.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	59
Entropy (8bit):	4.619434150836742
Encrypted:	false
SSDEEP:	3:YLbkVKJq0nMb1KKtiVY:YHkVKJTnMRK3VY
MD5:	2800881C775077E1C4B6E06BF4676DE4
SHA1:	2873631068C8B3B9495638C865915BE822442C8B
SHA-256:	226EEC4486509917AA336AFEBD6FF65777B75B65F1FB06891D2A857A9421A974
SHA-512:	E342407AB65CC68F1B3FD706CD0A37680A0864FFD30A6539730180EDE2CDCD732CC97AE0B9EF7DB12DA5C0F83E429DF0840DBF7596ACA859A0301665E517377B
Malicious:	false
Preview:	{"net":{"network_qualities":{"CAESABiAgICA+P////8B":"4G"}}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\Network Persistent State (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	59
Entropy (8bit):	4.619434150836742
Encrypted:	false
SSDEEP:	3:YLbkVKJq0nMb1KKtiVY:YHkVKJTnMRK3VY
MD5:	2800881C775077E1C4B6E06BF4676DE4
SHA1:	2873631068C8B3B9495638C865915BE822442C8B
SHA-256:	226EEC4486509917AA336AFEBD6FF65777B75B65F1FB06891D2A857A9421A974
SHA-512:	E342407AB65CC68F1B3FD706CD0A37680A0864FFD30A6539730180EDE2CDCD732CC97AE0B9EF7DB12DA5C0F83E429DF0840DBF7596ACA859A0301665E517377B
Malicious:	false
Preview:	{"net":{"network_qualities":{"CAESABiAgICA+P////8B":"4G"}}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\Network Persistent State~RF46742.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	59
Entropy (8bit):	4.619434150836742
Encrypted:	false
SSDEEP:	3:YLbkVKJq0nMb1KKtiVY:YHkVKJTnMRK3VY
MD5:	2800881C775077E1C4B6E06BF4676DE4
SHA1:	2873631068C8B3B9495638C865915BE822442C8B
SHA-256:	226EEC4486509917AA336AFEBD6FF65777B75B65F1FB06891D2A857A9421A974
SHA-512:	E342407AB65CC68F1B3FD706CD0A37680A0864FFD30A6539730180EDE2CDCD732CC97AE0B9EF7DB12DA5C0F83E429DF0840DBF7596ACA859A0301665E517377B
Malicious:	false
Preview:	{"net":{"network_qualities":{"CAESABiAgICA+P////8B":"4G"}}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\Reporting and NEL

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 9, cookie 0x4, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	36864
Entropy (8bit):	0.5559635235158827
Encrypted:	false
SSDEEP:	48:T6IopKWurJNVr1GJmA8pv82pfurJNVrdHXuccaurJN2VrJ1n4n1GmzNGU1cSB:OIEumQv8m1ccnvS6
MD5:	9AAAE8C040B616D1378F3E0E17689A29
SHA1:	F91E7DE07F1DA14D15D067E1F50C3B84A328DBB7
SHA-256:	5B94D63C31AE795661F69B9D10E8BFD115584CD6FEF5FBB7AA483FDC6A66945B
SHA-512:	436202AB8B6BB0318A30946108E6722DFF781F462EE05980C14F57F347EDDCF8119E236C3290B580CEF6902E1B59FB4F546D6BD69F62479805B39AB0F3308EC1
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...D.........7............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\SCT Auditing Pending Reports (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\Sdch Dictionaries (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	40
Entropy (8bit):	4.1275671571169275
Encrypted:	false
SSDEEP:	3:Y2ktGMxkAXWMSN:Y2xFMSN
MD5:	20D4B8FA017A12A108C87F540836E250
SHA1:	1AC617FAC131262B6D3CE1F52F5907E31D5F6F00
SHA-256:	6028BD681DBF11A0A58DDE8A0CD884115C04CAA59D080BA51BDE1B086CE0079D
SHA-512:	507B2B8A8A168FF8F2BDAFA5D9D341C44501A5F17D9F63F3D43BD586BC9E8AE33221887869FA86F845B7D067CB7D2A7009EFD71DDA36E03A40A74FEE04B86856
Malicious:	false
Preview:	{"SDCH":{"dictionaries":{},"version":2}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\Trust Tokens

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 9, cookie 0x6, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	36864
Entropy (8bit):	0.36515621748816035
Encrypted:	false
SSDEEP:	24:TLH3lIIAoDJ84l5lDlnDMlRlyKDtM6UwccWfp15fBIe:Tb31DtX5nDOvyKDhU1cSB
MD5:	25363ADC3C9D98BAD1A33D0792405CBF
SHA1:	D06E343087D86EF1A06F7479D81B26C90A60B5C3
SHA-256:	6E019B8B9E389216D5BDF1F2FE63F41EF98E71DA101F2A6BE04F41CC5954532D
SHA-512:	CF7EEE35D0E00945AF221BEC531E8BF06C08880DA00BD103FA561BC069D7C6F955CBA3C1C152A4884601E5A670B7487D39B4AE9A4D554ED8C14F129A74E555F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.......X..g...}.....$.X..............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\dece4fb5-3d9b-4535-916e-4ece88bc992a.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	111
Entropy (8bit):	4.718418993774295
Encrypted:	false
SSDEEP:	3:YLb9N+eAXRfHDH2LS7PMVKJq0nMb1KKtiVY:YHpoeS7PMVKJTnMRK3VY
MD5:	285252A2F6327D41EAB203DC2F402C67
SHA1:	ACEDB7BA5FBC3CE914A8BF386A6F72CA7BAA33C6
SHA-256:	5DFC321417FC31359F23320EA68014EBFD793C5BBED55F77DAB4180BBD4A2026
SHA-512:	11CE7CB484FEE66894E63C31DB0D6B7EF66AD0327D4E7E2EB85F3BCC2E836A3A522C68D681E84542E471E54F765E091EFE1EE4065641B0299B15613EB32DCC0D
Malicious:	false
Preview:	{"net":{"http_server_properties":{"servers":[],"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"4G"}}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\e78de9bb-4a6d-4a8e-b904-084ded39c121.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	40
Entropy (8bit):	4.1275671571169275
Encrypted:	false
SSDEEP:	3:Y2ktGMxkAXWMSN:Y2xFMSN
MD5:	20D4B8FA017A12A108C87F540836E250
SHA1:	1AC617FAC131262B6D3CE1F52F5907E31D5F6F00
SHA-256:	6028BD681DBF11A0A58DDE8A0CD884115C04CAA59D080BA51BDE1B086CE0079D
SHA-512:	507B2B8A8A168FF8F2BDAFA5D9D341C44501A5F17D9F63F3D43BD586BC9E8AE33221887869FA86F845B7D067CB7D2A7009EFD71DDA36E03A40A74FEE04B86856
Malicious:	false
Preview:	{"SDCH":{"dictionaries":{},"version":2}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Session Storage\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Session Storage\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	61
Entropy (8bit):	3.7273991737283296
Encrypted:	false
SSDEEP:	3:S8ltHlS+QUl1ASEGhTFl:S85aEFl
MD5:	9F7EADC15E13D0608B4E4D590499AE2E
SHA1:	AFB27F5C20B117031328E12DD3111A7681FF8DB5
SHA-256:	5C3A5B578AB9FE853EAD7040BC161929EA4F6902073BA2B8BB84487622B98923
SHA-512:	88455784C705F565C70FA0A549C54E2492976E14643E9DD0A8E58C560D003914313DF483F096BD33EC718AEEC7667B8DE063A73627AA3436BA6E7E562E565B3F
Malicious:	false
Preview:	*...#................version.1..namespace-..&f...............

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Session Storage\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Session Storage\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	397
Entropy (8bit):	5.178163927179916
Encrypted:	false
SSDEEP:	6:PPBbD1N723oH+Tcwt0jqEKj0QM72KLllPBZuBwN+q2PN723oH+Tcwt0jqEKj0QMH:PPNDaYebqqB6LnP/uy+vVaYebqqBZFUv
MD5:	C85B6A11C141D52DF97B2F9B747FCA69
SHA1:	B4DA37F6149FB1DA5195A32D63C82761360F52C6
SHA-256:	667103F64F69F87F7085BBFD5E79AF250ECC1A354CE704A23EE2831F224276F0
SHA-512:	FE99C282758F30414C3F3D3E4BC2FDF849F41DF91145B657A8E8994E514CCBC30D613E831CF635FD8A89A6BB77943B467BD09BDF4FF158CDB4A799FB039D9CAD
Malicious:	false
Preview:	2024/09/03-15:45:15.635 1ddc Creating DB C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Session Storage since it was missing..2024/09/03-15:45:15.660 1ddc Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Session Storage/MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Session Storage\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Sync Data\LevelDB\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Sync Data\LevelDB\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	46
Entropy (8bit):	4.019797536844534
Encrypted:	false
SSDEEP:	3:sLollttz6sjlGXU2tkn:qolXtWswXU2tkn
MD5:	90881C9C26F29FCA29815A08BA858544
SHA1:	06FEE974987B91D82C2839A4BB12991FA99E1BDD
SHA-256:	A2CA52E34B6138624AC2DD20349CDE28482143B837DB40A7F0FBDA023077C26A
SHA-512:	15F7F8197B4FC46C4C5C2570FB1F6DD73CB125F9EE53DFA67F5A0D944543C5347BDAB5CCE95E91DD6C948C9023E23C7F9D76CFF990E623178C92F8D49150A625
Malicious:	false
Preview:	...n'................_mts_schema_descriptor...

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Sync Data\LevelDB\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Sync Data\LevelDB\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	303
Entropy (8bit):	5.207087108841947
Encrypted:	false
SSDEEP:	6:P2qcs1N723oH+Tcwtkx2KLll2bL+q2PN723oH+TcwtCIFUv:P2qfaYebkVLn2bL+vVaYebLFUv
MD5:	EAF3512D3FDF137104DB9B3BEAE222FA
SHA1:	83FCB72B522F19236857FF2E0AB7FF5EF0377123
SHA-256:	F417BFF3BF6982B88C14F2E1800259C8753797E6E84F0F5AA7E5BBD0C229D102
SHA-512:	E8072FBEB2695D7C898C9FAD4A156D559B353F029BA36EE444D9BB36C697F50D95F2EFCA568CD5E763CFF88D5DC3578A6780BE0C9F011D5575E2F03D483130BC
Malicious:	false
Preview:	2024/09/03-15:44:57.942 1ccc Creating DB C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Sync Data\LevelDB since it was missing..2024/09/03-15:44:57.965 1ccc Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Sync Data\LevelDB/MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Sync Data\LevelDB\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Top Sites

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 5, cookie 0x2, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.3528485475628876
Encrypted:	false
SSDEEP:	12:TLiN6CZhDu6MvDOF5yEHFxOUwa5qguYZ75fOSiPe2d:TLiwCZwE8I6Uwcco5fBtC
MD5:	F2B4FB2D384AA4E4D6F4AEB0BBA217DC
SHA1:	2CD70CFB3CE72D9B079170C360C1F563B6BF150E
SHA-256:	1ECC07CD1D383472DAD33D2A5766625009EA5EACBAEDE2417ADA1842654CBBC8
SHA-512:	48D03991660FA1598B3E002F5BC5F0F05E9696BCB2289240FA8CCBB2C030CDD23245D4ECC0C64DA1E7C54B092C3E60AE0427358F63087018BF0E6CEDC471DD34
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g.....4....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Visited Links

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	0.002110589502647469
Encrypted:	false
SSDEEP:	3:ImtVORpHvll:IiVO7
MD5:	3231347F78F32AEFF7D2078E046B9532
SHA1:	791B58D88D4BF1938FC2309EBF92CCF92164606F
SHA-256:	193C11990E07CD0730C789A48E9D7CD0E99C9F85B3ACF042529513C1F227A995
SHA-512:	E049B7ABC7F5B6D5C9013C5D7FFF77393EE814E1C23D9F935F676001721FD9870F36988463E01C6B52D9E74A3E64714C6644C721CA7C1EB5F28DFA6D59ADC396
Malicious:	false
Preview:	VLnk.....?..........M.bH................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Web Data

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 4, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	182272
Entropy (8bit):	1.0800216145035022
Encrypted:	false
SSDEEP:	192:hrb2qAdB9TbTbuDDsnxCkO0SAzWn0lKOMq+JLVumYOPn66:h/2qOB1nxCkO0SACnqKOMq+pVum5p
MD5:	DE52E213D1632AFDBC0AAB3CA6E701A4
SHA1:	CFB480564F6B6F66ABDDCC871D9CBADE9B41FCA5
SHA-256:	0312234126037076FCF5AD0F45111BA3B9D81A3F061357CDB09217C5DD3F4C3E
SHA-512:	F1FB2165DC1A4715BDF8CD47FA834DC8D44753ECB1DC32FB918DBF4D394DEC557BA5631F8C01C5C3E2CD84E01914F38185334212B8E4B2338582EB6C66E5AC92
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\WebAssistDatabase

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 10, database pages 7, cookie 0xb, schema 4, UTF-8, version-valid-for 10
Category:	dropped
Size (bytes):	14336
Entropy (8bit):	0.7836182415564406
Encrypted:	false
SSDEEP:	24:LLqlCouxhK3thdkSdj5QjUsEGcGBXp22iSBgm+xjgm:uOK3tjkSdj5IUltGhp22iSBgm+xj/
MD5:	AA9965434F66985F0979719F3035C6E1
SHA1:	39FC31CBB2BB4F8FA8FB6C34154FB48FBCBAEEF4
SHA-256:	F42877E694E9AFC76E1BBA279F6EC259E28A7E7C574EFDCC15D58EFAE06ECA09
SHA-512:	201667EAA3DF7DBCCF296DE6FCF4E79897C1BB744E29EF37235C44821A18EAD78697DFEB9253AA01C0DC28E5758E2AF50852685CDC9ECA1010DBAEE642590CEA
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..................n..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\ab47a69a-3ec6-4de5-b418-694cc226b8ee.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:L:L
MD5:	5058F1AF8388633F609CADB75A75DC9D
SHA1:	3A52CE780950D4D969792A2559CD519D7EE8C727
SHA-256:	CDB4EE2AEA69CC6A83331BBE96DC2CAA9A299D21329EFB0336FC02A82E1839A8
SHA-512:	0B61241D7C17BCBB1BAEE7094D14B7C451EFECC7FFCBD92598A0F13D313CC9EBC2A07E61F007BAF58FBF94FF9A8695BDD5CAE7CE03BBF1E94E93613A00F25F21
Malicious:	false
Preview:	.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\arbitration_service_config.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text, with very long lines (3951), with CRLF line terminators
Category:	dropped
Size (bytes):	11755
Entropy (8bit):	5.190465908239046
Encrypted:	false
SSDEEP:	192:hH4vrmqRBB4W4PoiUDNaxvR5FCHFcoaSbqGEDI:hH4vrmUB6W4jR3GaSbqGEDI
MD5:	07301A857C41B5854E6F84CA00B81EA0
SHA1:	7441FC1018508FF4F3DBAA139A21634C08ED979C
SHA-256:	2343C541E095E1D5F202E8D2A0807113E69E1969AF8E15E3644C51DB0BF33FBF
SHA-512:	00ADE38E9D2F07C64648202F1D5F18A2DFB2781C0517EAEBCD567D8A77DBB7CB40A58B7C7D4EC03336A63A20D2E11DD64448F020C6FF72F06CA870AA2B4765E0
Malicious:	false
Preview:	{.. "DefaultCohort": {.. "21f3388b-c2a5-4791-8f6e-a4cad6d17f4f.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.BingHomePage.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.Covid.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.Finance.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.Jobs.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.KnowledgeCard.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.Local.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.NTP3PCLICK.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.NotifySearchPage.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.Recipe.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.SearchPage.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.Sports.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.Travel.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.Weather.Bubble": 1,.. "2cb2db96-3bd0-403e-abe2-9269b3761041.Bubble": 1,.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\e11c0212-bc50-4ddc-8cb9-6450426096b3.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	6430
Entropy (8bit):	4.979662133600996
Encrypted:	false
SSDEEP:	96:stIqfeis1HKDb9BoS+fq8zeE1cs85eh6Cb7/x+6MhmuecmAeSrQJl2MMu/EJ:stI6shKcS+fqkOs88bV+FiAAlPjMJ
MD5:	F3E506C2BB2ABB79E4CF425158084D05
SHA1:	C029931A5C30DA30B7A3C19CDC8A1FB660D3500C
SHA-256:	855DC44D7A61086406CB988B874558B35B39955E643EC5E55DB13F93F9273A85
SHA-512:	86CB219B584069B446C85008242B0E2023A017603EA7C7D1FBAF6E229FF20B113D14824F05F6354F3C14679435C74342FE3D932EF96B8ED4955635AC498CCB84
Malicious:	false
Preview:	{"aadc_info":{"age_group":0},"account_tracker_service_last_update":"13369866298852721","alternate_error_pages":{"backup":true},"apps":{"shortcuts_arch":"","shortcuts_version":0},"arbitration_using_experiment_config":false,"browser":{"available_dark_theme_options":"All","has_seen_welcome_page":false},"continuous_migration":{"ci_correction_for_holdout_treatment_state":1},"countryid_at_install":17224,"custom_links":{"list":[]},"domain_diversity":{"last_reporting_timestamp":"13369866298852529"},"download":{"default_directory":"C:\\Users\\user\\AppData\\Local\\Microsoft\\Edge\\KioskDownloads\\","directory_upgrade":true},"dual_user":{"consumer_mode":{"ie_user":false},"consumer_site_list_with_ie_entries":false,"consumer_sitelist_location":"","consumer_sitelist_version":"","external_consumer_shared_cookie_data":{},"shared_cookie_data":{},"sitelist_data_2":{},"sitelist_has_consumer_data":false,"sitelist_has_enterprise_data":false,"sitelist_location":"","sitelist_source":0,"sitelist_versio

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\heavy_ad_intervention_opt_out.db

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 2, database pages 4, cookie 0x2, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.35226517389931394
Encrypted:	false
SSDEEP:	12:TLC+waBg9LBgVDBgQjiZBgKuFtuQkMbmgcVAzO5kMCgGUg5OR:TLPdBgtBgJBgQjiZS53uQFE27MCgGZsR
MD5:	D2CCDC36225684AAE8FA563AFEDB14E7
SHA1:	3759649035F23004A4C30A14C5F0B54191BEBF80
SHA-256:	080AEE864047C67CB1586A5BA5EDA007AFD18ECC2B702638287E386F159D7AEE
SHA-512:	1A915AF643D688CA68AEDC1FF26C407D960D18DFDE838B417C437D7ADAC7B91C906E782DCC414784E64287915BD1DE5BB6A282E59AA9FEB8C384B4D4BC5F70EC
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.......Q......Q......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\load_statistics.db

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, writer version 2, read version 2, file counter 1, database pages 1, cookie 0, schema 0, unknown 0 encoding, version-valid-for 1
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.0905602561507182
Encrypted:	false
SSDEEP:	3:lSWFN3sl+ltlMWll:l9Fys1M
MD5:	A8E75ACC11904CB877E15A0D0DE03941
SHA1:	FBEE05EA246A7F08F7390237EA8B7E49204EF0E0
SHA-256:	D78C40FEBE1BA7EC83660B78E3F6AB7BC45AB822B8F21B03B16B9CB4F3B3A259
SHA-512:	A7B52B0575D451466A47AFFE3DCC0BC7FC9A6F8AB8194DA1F046AADA0EDDCCA76B4326AA9F19732BA50359B51EC72896BB8FA2FC23BAA6847C33AB51218511A4
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\load_statistics.db-journal

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite Rollback Journal
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.28109187076190567
Encrypted:	false
SSDEEP:	3:7FEG2l/XLgw1lFll:7+/l/XUw
MD5:	73A3EBB38834A5F608033A204C4CFF9B
SHA1:	38C745FDA3D215F6F728389E5BCD56AF45993C43
SHA-256:	F227F77B3BE5DAE72BEF33DE3D6A0D4F2EE3776FAFE6A73C1FA13227F3311C96
SHA-512:	A67D271F612A73B80D2CAE2A0C0D6305E80A5E2DCF86E711D8B9C161CB5AF5B5CE7958535973A844F6E81DEA3F41EC3E64A0A5FC8A4F7FF7A2ED388E77303B51
Malicious:	false
Preview:	.... .c.....rn..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\load_statistics.db-shm

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.049899871979391254
Encrypted:	false
SSDEEP:	6:GLW0bGXLcjV6TW0bGXLcjVoL9X8hslotGLNl0ml/XoQDeX:aigB6DigBMGEjVl/XoQ
MD5:	15B1FBE69664266A94F71D74FF204CC5
SHA1:	7BA0475D8CFEB7ACB1D250D5C7C58D5FAA97DA11
SHA-256:	69273092ECB6F6E5236042C0FE98B043213137D695D7B1C2AE36D40254483573
SHA-512:	02DD308B02B49F511C2225F54209EF1A026D8A095A548732BB660A0111537BB02FDB06DE7794FDE0AA91C344852294C1F2409B0994E844F760D071359DA02A18
Malicious:	false
Preview:	..-.....................b...X..3(..s....Es.......-.....................b...X..3(..s....Es.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\load_statistics.db-wal

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite Write-Ahead Log, version 3007000
Category:	dropped
Size (bytes):	70072
Entropy (8bit):	0.9966371607515725
Encrypted:	false
SSDEEP:	48:63lzxFL6lO+WQcbX+7H6Pn9VAKAFXX+jG2VAKAFXX+qGTxOqVAKAFXX+79nUYVAX:2xFGF7HRNs2NslO5Ns4Nsvw
MD5:	DA1443346621C4605F5CE5333E148A47
SHA1:	F5829EEE4B9E2E08B6E85C62332DCB086D6F1BB9
SHA-256:	3D41CE7B4CF4695D047C2D4772C662DF561F855E8CD00F57A4A8FB9ABDD0D783
SHA-512:	89723838E1CEB041DE8720C92CC9407D3A004C85D034E90C5E6B3BF1B3F5E827E1255F5BDBEB62800B3F6F6DD7C6C94DB328205128C74DF0C5B96C9632C057CB
Malicious:	false
Preview:	7....-..........3(..s...kn+F.7.^........3(..s....1..E$..SQLite format 3......@ ..........................................................................j.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\shared_proto_db\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\shared_proto_db\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	modified
Size (bytes):	1566
Entropy (8bit):	5.49265535755751
Encrypted:	false
SSDEEP:	48:gP8wSBSuQfqQCPhHRHlxjIYjIY1zFqkEMYjMYjy2AlkfAlka3o:x0lqQ8IYjIY1zFbEMYjMYfYcYH3o
MD5:	47FC673E07B9EE852045D2886D0C4D9B
SHA1:	215255A1649F092EC97E43A46E704C293D28C0B4
SHA-256:	7902AD8B21FE0DC6389777AB81A3210AD8591E4761824A8CCBD4DDFFADD8E908
SHA-512:	1F0F665E90A35BE6E3C40F483441BACB42FF46B213F37704BF5B6A1D9684C4CB962190FA876BE9BAC063028CB0998D1C4642E8B6F5D123A59CE94B97959153E2
Malicious:	false
Preview:	A..r.................20_1_1...1.,U.................20_1_1...1..&f...............'.Kq.................4_IPH_CompanionSidePanel...IPH_CompanionSidePanel.....$4_IPH_CompanionSidePanelRegionSearch(."IPH_CompanionSidePanelRegionSearch......4_IPH_DownloadToolbarButton...IPH_DownloadToolbarButton.....&4_IPH_FocusHelpBubbleScreenReaderPromo.$IPH_FocusHelpBubbleScreenReaderPromo......4_IPH_GMCCastStartStop...IPH_GMCCastStartStop......4_IPH_HighEfficiencyMode...IPH_HighEfficiencyMode......4_IPH_LiveCaption...IPH_LiveCaption......4_IPH_PasswordsAccountStorage!..IPH_PasswordsAccountStorage....."4_IPH_PasswordsWebAppProfileSwitch&. IPH_PasswordsWebAppProfileSwitch.....-4_IPH_PriceInsightsPageActionIconLabelFeature1.+IPH_PriceInsightsPageActionIconLabelFeature......4_IPH_PriceTrackingChipFeature"..IPH_PriceTrackingChipFeature.....&4_IPH_PriceTrackingEmailConsentFeature.$IPH_PriceTrackingEmailConsentFeature.....-4_IPH_PriceTrackingPageActionIconLabelFeature1.+IPH_PriceTrackingPageActionIconLabelFe

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\shared_proto_db\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\shared_proto_db\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	299
Entropy (8bit):	5.245918465830355
Encrypted:	false
SSDEEP:	6:PcX3nD1N723oH+Tcwt0rl2KLllcXM3+q2PN723oH+Tcwt0rK+IFUv:PmzaYebeLnmMOvVaYeb13FUv
MD5:	0FAC3EC56AFEE6BC16CE911E8F293930
SHA1:	E95FD03DB07082851486B80E792BB6C61C9A2C53
SHA-256:	2C7C7BAECD85EF4C47B42D5F6A6D0870B0B78FC3E5369FDF1588F78DA5C6DA52
SHA-512:	45620343ACADEAFDAFA70360C4D752257A3BDE3AD53A27FE1192EA1F80102F9447A6FB207466E7A4ED035EC5C76853837A23E5D72E77437012A9B423B093758B
Malicious:	false
Preview:	2024/09/03-15:44:59.219 1cb8 Creating DB C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\shared_proto_db since it was missing..2024/09/03-15:44:59.230 1cb8 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\shared_proto_db/MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\shared_proto_db\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\shared_proto_db\metadata\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\shared_proto_db\metadata\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	729
Entropy (8bit):	3.958141412815535
Encrypted:	false
SSDEEP:	12:G0nYUtTNop//z3p/Wui+it/4JbZfPStub/RG0lbANqa:G0nYUtypD3RXi6FZfc25m
MD5:	FBC524D02048C176A0A5D1B8B752932A
SHA1:	294C48557549A4C978326D9B7969E293A024F157
SHA-256:	F3FC95AE128DB918FC126F15CD9D96618482BA6ACCC622AAA19B10CE80B15EA0
SHA-512:	9B6434442E11610B8B5DDA43AA56656599925C9C8F0A364DDB69D15B37A912D223EE600012468E0DB723CAF3546FFBDF56F085A0159EA7968BBACE894AAFF856
Malicious:	false
Preview:	.h.6.................__global... .t...................__global... .9..b.................33_..........................33_........v.................21_.....vuNX.................21_.....<...................20_.....,.1..................19_.....QL.s.................18_.....!....................3_.....n.b..................4_.........................37_.......`.................38_.....].$&.................39_.....4.9..................20_......R...................20_.......1..................19_......(...................18_.....:.=..................3_......W2..................4_.....)..>.................37_..........................38_.....h.#..................39_.....P"...................9_.........................9_.....

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\shared_proto_db\metadata\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\shared_proto_db\metadata\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	317
Entropy (8bit):	5.211531798606688
Encrypted:	false
SSDEEP:	6:PH/1N723oH+Tcwt0rzs52KLllcXEF3+q2PN723oH+Tcwt0rzAdIFUv:PHfaYeb99LnmyOvVaYebyFUv
MD5:	38672FAD4B4DB66F7736BB27E423B750
SHA1:	4E4248E594E9BB9BB0046B62A898E50FFD104DD2
SHA-256:	37414382FD88B56C8B057196D00D6A316B0D6B3CF632FE8E629422989613CCCE
SHA-512:	C6DCC9DE14F1EBD4D3D8D64E49A82CC91FCA9C5C9D8230DD0443DA56A468757F8D3EC563870152533ED94BEDB6AA9B4BE1B577C5B167CF76841867C569D6EB37
Malicious:	false
Preview:	2024/09/03-15:44:58.992 1cb8 Creating DB C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\shared_proto_db\metadata since it was missing..2024/09/03-15:44:59.210 1cb8 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\shared_proto_db\metadata/MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\shared_proto_db\metadata\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\GrShaderCache\data_0

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 512, next free block index 3284796609, field type 0
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.01057775872642915
Encrypted:	false
SSDEEP:	3:MsFl:/F
MD5:	CF89D16BB9107C631DAABF0C0EE58EFB
SHA1:	3AE5D3A7CF1F94A56E42F9A58D90A0B9616AE74B
SHA-256:	D6A5FE39CD672781B256E0E3102F7022635F1D4BB7CFCC90A80FFFE4D0F3877E
SHA-512:	8CB5B059C8105EB91E74A7D5952437AAA1ADA89763C5843E7B0F1B93D9EBE15ED40F287C652229291FAC02D712CF7FF5ECECEF276BA0D7DDC35558A3EC3F77B0
Malicious:	false
Preview:	............$...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\GrShaderCache\data_1

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	270336
Entropy (8bit):	8.280239615765425E-4
Encrypted:	false
SSDEEP:	3:MsEllllkEthXllkl2:/M/xT02
MD5:	D0D388F3865D0523E451D6BA0BE34CC4
SHA1:	8571C6A52AACC2747C048E3419E5657B74612995
SHA-256:	902F30C1FB0597D0734BC34B979EC5D131F8F39A4B71B338083821216EC8D61B
SHA-512:	376011D00DE659EB6082A74E862CFAC97A9BB508E0B740761505142E2D24EC1C30AA61EFBC1C0DD08FF0F34734444DE7F77DD90A6CA42B48A4C7FAD5F0BDDD17
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\GrShaderCache\data_2

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.011852361981932763
Encrypted:	false
SSDEEP:	3:MsHlDll:/H
MD5:	0962291D6D367570BEE5454721C17E11
SHA1:	59D10A893EF321A706A9255176761366115BEDCB
SHA-256:	EC1702806F4CC7C42A82FC2B38E89835FDE7C64BB32060E0823C9077CA92EFB7
SHA-512:	F555E961B69E09628EAF9C61F465871E6984CD4D31014F954BB747351DAD9CEA6D17C1DB4BCA2C1EB7F187CB5F3C0518748C339C8B43BBD1DBD94AEAA16F58ED
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\GrShaderCache\data_3

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.012340643231932763
Encrypted:	false
SSDEEP:	3:MsGl3ll:/y
MD5:	41876349CB12D6DB992F1309F22DF3F0
SHA1:	5CF26B3420FC0302CD0A71E8D029739B8765BE27
SHA-256:	E09F42C398D688DCE168570291F1F92D079987DEDA3099A34ADB9E8C0522B30C
SHA-512:	E9A4FC1F7CB6AE2901F8E02354A92C4AAA7A53C640DCF692DB42A27A5ACC2A3BFB25A0DE0EB08AB53983132016E7D43132EA4292E439BB636AAFD53FB6EF907E
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\GrShaderCache\index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 768, next free block index 3284796353, field type 0
Category:	dropped
Size (bytes):	262512
Entropy (8bit):	9.47693366977411E-4
Encrypted:	false
SSDEEP:	3:LsNlOa2x:Ls3O
MD5:	D1B8D813220E536E0E14F597EDE119D9
SHA1:	BDB4B94575215B8AA7D54B5572BC74B838DBB41A
SHA-256:	00FFBC58E8E3429F02757D95FAD1C2FFE38424452C41474AF1C8418290614E74
SHA-512:	BAC4540E2DF503C0942EF15566E98E2B2EB2302E8B28F4B003A52CE095527360C45B32EDE003706B661ED3AA41761739D9EBDEFB9E68123CA992E9DD256CEEFB
Malicious:	false
Preview:	........................................v...../.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\GraphiteDawnCache\data_0

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 512, next free block index 3284796609, field type 0
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.01057775872642915
Encrypted:	false
SSDEEP:	3:MsFl:/F
MD5:	CF89D16BB9107C631DAABF0C0EE58EFB
SHA1:	3AE5D3A7CF1F94A56E42F9A58D90A0B9616AE74B
SHA-256:	D6A5FE39CD672781B256E0E3102F7022635F1D4BB7CFCC90A80FFFE4D0F3877E
SHA-512:	8CB5B059C8105EB91E74A7D5952437AAA1ADA89763C5843E7B0F1B93D9EBE15ED40F287C652229291FAC02D712CF7FF5ECECEF276BA0D7DDC35558A3EC3F77B0
Malicious:	false
Preview:	............$...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\GraphiteDawnCache\data_1

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	270336
Entropy (8bit):	8.280239615765425E-4
Encrypted:	false
SSDEEP:	3:MsEllllkEthXllkl2:/M/xT02
MD5:	D0D388F3865D0523E451D6BA0BE34CC4
SHA1:	8571C6A52AACC2747C048E3419E5657B74612995
SHA-256:	902F30C1FB0597D0734BC34B979EC5D131F8F39A4B71B338083821216EC8D61B
SHA-512:	376011D00DE659EB6082A74E862CFAC97A9BB508E0B740761505142E2D24EC1C30AA61EFBC1C0DD08FF0F34734444DE7F77DD90A6CA42B48A4C7FAD5F0BDDD17
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\GraphiteDawnCache\data_2

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.011852361981932763
Encrypted:	false
SSDEEP:	3:MsHlDll:/H
MD5:	0962291D6D367570BEE5454721C17E11
SHA1:	59D10A893EF321A706A9255176761366115BEDCB
SHA-256:	EC1702806F4CC7C42A82FC2B38E89835FDE7C64BB32060E0823C9077CA92EFB7
SHA-512:	F555E961B69E09628EAF9C61F465871E6984CD4D31014F954BB747351DAD9CEA6D17C1DB4BCA2C1EB7F187CB5F3C0518748C339C8B43BBD1DBD94AEAA16F58ED
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\GraphiteDawnCache\data_3

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.012340643231932763
Encrypted:	false
SSDEEP:	3:MsGl3ll:/y
MD5:	41876349CB12D6DB992F1309F22DF3F0
SHA1:	5CF26B3420FC0302CD0A71E8D029739B8765BE27
SHA-256:	E09F42C398D688DCE168570291F1F92D079987DEDA3099A34ADB9E8C0522B30C
SHA-512:	E9A4FC1F7CB6AE2901F8E02354A92C4AAA7A53C640DCF692DB42A27A5ACC2A3BFB25A0DE0EB08AB53983132016E7D43132EA4292E439BB636AAFD53FB6EF907E
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\GraphiteDawnCache\index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 768, next free block index 3284796353, field type 0
Category:	dropped
Size (bytes):	262512
Entropy (8bit):	9.553120663130604E-4
Encrypted:	false
SSDEEP:	3:LsNlG2q+l:Ls3G2q+
MD5:	9FCB6280E51DD8599589EBE6B43D1CCD
SHA1:	053B67A91476E590AF3FEB8F6848DD5C8B4CF6DC
SHA-256:	9C1B83337FE09FF2882FCCE963EB54BCF368E9FA0F102163714DC2015840C1EF
SHA-512:	B197D3E567765F26A438204BAE6F60A44B03DB981401A75AF563F6CB0C55CBAA46BA906FDCFD89544919DCD6C6A51A606ADF1E68ACE04D2A9B974458994E84CB
Malicious:	false
Preview:	........................................0=..../.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Last Browser

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	120
Entropy (8bit):	3.32524464792714
Encrypted:	false
SSDEEP:	3:tbloIlrJFlXnpQoWcNylRjlgbYnPdJiG6R7lZAUAl:tbdlrYoWcV0n1IGi7kBl
MD5:	A397E5983D4A1619E36143B4D804B870
SHA1:	AA135A8CC2469CFD1EF2D7955F027D95BE5DFBD4
SHA-256:	9C70F766D3B84FC2BB298EFA37CC9191F28BEC336329CC11468CFADBC3B137F4
SHA-512:	4159EA654152D2810C95648694DD71957C84EA825FCCA87B36F7E3282A72B30EF741805C610C5FA847CA186E34BDE9C289AAA7B6931C5B257F1D11255CD2A816
Malicious:	false
Preview:	C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.M.i.c.r.o.s.o.f.t.\.E.d.g.e.\.A.p.p.l.i.c.a.t.i.o.n.\.m.s.e.d.g.e...e.x.e.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Last Version

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	13
Entropy (8bit):	2.6612262562697895
Encrypted:	false
SSDEEP:	3:NYLFRQZ:ap2Z
MD5:	B64BD80D877645C2DD14265B1A856F8A
SHA1:	F7379E1A6F8CE062E891C56736C789C7EA77CD6A
SHA-256:	83476CEEEB7682F41030664B4E17305986878D14E82D0C277FB99EC546B44569
SHA-512:	734A7316A269C76DD052D980CC0D5209C0BFEDFFC55B11C58FA25C433CE8A42536827298C3E58CACD68CC01593C23D39350E956E8DE2268D8D29918E1F0667F2
Malicious:	false
Preview:	117.0.2045.55

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Local State (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1371
Entropy (8bit):	5.4973501584113516
Encrypted:	false
SSDEEP:	24:YpQBqDPak7u5rrt4w7T4EkoXWIWapHM6yikpJdXBuBuwBTauYNhpPXIQoTEtCY/g:YuBqDPaf9/4SA4PIgBzBTLqpPdRE5
MD5:	B5E908E123993B04E4ADA6D999A317C4
SHA1:	D48CFF1C101D717C69B81A9709655F852F7BBDF9
SHA-256:	CF33409E37F3E088F42E96EE8B17A100F365495EAF253452FF67158D0BC88CC1
SHA-512:	A8B638A37A11ECC472FEE9F46D1F4B059112EC7B20A07375CF10084CFEBC31AE87B34DEFE92C6EA766EC006F2CDB3D8B4A2804B2BAC6F1752C3A755001A2622E
Malicious:	false
Preview:	{"edge":{"perf_center":{"efficiency_mode_v2_is_active":false,"perf_game_mode":true,"performance_mode":3,"performance_mode_is_on":false}},"legacy":{"profile":{"name":{"migrated":true}}},"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAAA3mo1C2vxPS5cYZvb18j1UEAAAAB4AAABNAGkAYwByAG8AcwBvAGYAdAAgAEUAZABnAGUAAAAQZgAAAAEAACAAAADxaKctnu6p51QbXzcec0yJJHRCERFOewneC7s2Q8cx4wAAAAAOgAAAAAIAACAAAADDQBNAyQ2e/fxXiNJwYS72m7RtJj6wBI1XfE15Cot+7DAAAAD8uFIVc3Ze0Ct/1F6l1WEnAdCApjj70vDAX/o95QolLMbu9d2jUaun9EdAdjkDztxAAAAAntEefTqjnDveTyCvBwLaSV25PAM0umDaPgRkrlkXEs0DDX9ldkwYyhGd+xYytZ+boi+rs7RJ7Ul3DoTV77Vgcw=="},"profile":{"info_cache":{},"profile_counts_reported":"13369866297317036","profiles_order":[]},"smartscreen":{"enabled":true,"pua_protection_enabled":true},"telemetry_client":{"install_source_name":"windows","os_integration_level":5,"updater_version":"1.3.177.11","windows_update_applied":false},"uninstall_metrics":{"installation_date2":"1725392697"},"user_experienc

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Local State~RF3372e.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1371
Entropy (8bit):	5.4973501584113516
Encrypted:	false
SSDEEP:	24:YpQBqDPak7u5rrt4w7T4EkoXWIWapHM6yikpJdXBuBuwBTauYNhpPXIQoTEtCY/g:YuBqDPaf9/4SA4PIgBzBTLqpPdRE5
MD5:	B5E908E123993B04E4ADA6D999A317C4
SHA1:	D48CFF1C101D717C69B81A9709655F852F7BBDF9
SHA-256:	CF33409E37F3E088F42E96EE8B17A100F365495EAF253452FF67158D0BC88CC1
SHA-512:	A8B638A37A11ECC472FEE9F46D1F4B059112EC7B20A07375CF10084CFEBC31AE87B34DEFE92C6EA766EC006F2CDB3D8B4A2804B2BAC6F1752C3A755001A2622E
Malicious:	false
Preview:	{"edge":{"perf_center":{"efficiency_mode_v2_is_active":false,"perf_game_mode":true,"performance_mode":3,"performance_mode_is_on":false}},"legacy":{"profile":{"name":{"migrated":true}}},"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAAA3mo1C2vxPS5cYZvb18j1UEAAAAB4AAABNAGkAYwByAG8AcwBvAGYAdAAgAEUAZABnAGUAAAAQZgAAAAEAACAAAADxaKctnu6p51QbXzcec0yJJHRCERFOewneC7s2Q8cx4wAAAAAOgAAAAAIAACAAAADDQBNAyQ2e/fxXiNJwYS72m7RtJj6wBI1XfE15Cot+7DAAAAD8uFIVc3Ze0Ct/1F6l1WEnAdCApjj70vDAX/o95QolLMbu9d2jUaun9EdAdjkDztxAAAAAntEefTqjnDveTyCvBwLaSV25PAM0umDaPgRkrlkXEs0DDX9ldkwYyhGd+xYytZ+boi+rs7RJ7Ul3DoTV77Vgcw=="},"profile":{"info_cache":{},"profile_counts_reported":"13369866297317036","profiles_order":[]},"smartscreen":{"enabled":true,"pua_protection_enabled":true},"telemetry_client":{"install_source_name":"windows","os_integration_level":5,"updater_version":"1.3.177.11","windows_update_applied":false},"uninstall_metrics":{"installation_date2":"1725392697"},"user_experienc

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Local State~RF338d4.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1371
Entropy (8bit):	5.4973501584113516
Encrypted:	false
SSDEEP:	24:YpQBqDPak7u5rrt4w7T4EkoXWIWapHM6yikpJdXBuBuwBTauYNhpPXIQoTEtCY/g:YuBqDPaf9/4SA4PIgBzBTLqpPdRE5
MD5:	B5E908E123993B04E4ADA6D999A317C4
SHA1:	D48CFF1C101D717C69B81A9709655F852F7BBDF9
SHA-256:	CF33409E37F3E088F42E96EE8B17A100F365495EAF253452FF67158D0BC88CC1
SHA-512:	A8B638A37A11ECC472FEE9F46D1F4B059112EC7B20A07375CF10084CFEBC31AE87B34DEFE92C6EA766EC006F2CDB3D8B4A2804B2BAC6F1752C3A755001A2622E
Malicious:	false
Preview:	{"edge":{"perf_center":{"efficiency_mode_v2_is_active":false,"perf_game_mode":true,"performance_mode":3,"performance_mode_is_on":false}},"legacy":{"profile":{"name":{"migrated":true}}},"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAAA3mo1C2vxPS5cYZvb18j1UEAAAAB4AAABNAGkAYwByAG8AcwBvAGYAdAAgAEUAZABnAGUAAAAQZgAAAAEAACAAAADxaKctnu6p51QbXzcec0yJJHRCERFOewneC7s2Q8cx4wAAAAAOgAAAAAIAACAAAADDQBNAyQ2e/fxXiNJwYS72m7RtJj6wBI1XfE15Cot+7DAAAAD8uFIVc3Ze0Ct/1F6l1WEnAdCApjj70vDAX/o95QolLMbu9d2jUaun9EdAdjkDztxAAAAAntEefTqjnDveTyCvBwLaSV25PAM0umDaPgRkrlkXEs0DDX9ldkwYyhGd+xYytZ+boi+rs7RJ7Ul3DoTV77Vgcw=="},"profile":{"info_cache":{},"profile_counts_reported":"13369866297317036","profiles_order":[]},"smartscreen":{"enabled":true,"pua_protection_enabled":true},"telemetry_client":{"install_source_name":"windows","os_integration_level":5,"updater_version":"1.3.177.11","windows_update_applied":false},"uninstall_metrics":{"installation_date2":"1725392697"},"user_experienc

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Local State~RF338f3.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1371
Entropy (8bit):	5.4973501584113516
Encrypted:	false
SSDEEP:	24:YpQBqDPak7u5rrt4w7T4EkoXWIWapHM6yikpJdXBuBuwBTauYNhpPXIQoTEtCY/g:YuBqDPaf9/4SA4PIgBzBTLqpPdRE5
MD5:	B5E908E123993B04E4ADA6D999A317C4
SHA1:	D48CFF1C101D717C69B81A9709655F852F7BBDF9
SHA-256:	CF33409E37F3E088F42E96EE8B17A100F365495EAF253452FF67158D0BC88CC1
SHA-512:	A8B638A37A11ECC472FEE9F46D1F4B059112EC7B20A07375CF10084CFEBC31AE87B34DEFE92C6EA766EC006F2CDB3D8B4A2804B2BAC6F1752C3A755001A2622E
Malicious:	false
Preview:	{"edge":{"perf_center":{"efficiency_mode_v2_is_active":false,"perf_game_mode":true,"performance_mode":3,"performance_mode_is_on":false}},"legacy":{"profile":{"name":{"migrated":true}}},"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAAA3mo1C2vxPS5cYZvb18j1UEAAAAB4AAABNAGkAYwByAG8AcwBvAGYAdAAgAEUAZABnAGUAAAAQZgAAAAEAACAAAADxaKctnu6p51QbXzcec0yJJHRCERFOewneC7s2Q8cx4wAAAAAOgAAAAAIAACAAAADDQBNAyQ2e/fxXiNJwYS72m7RtJj6wBI1XfE15Cot+7DAAAAD8uFIVc3Ze0Ct/1F6l1WEnAdCApjj70vDAX/o95QolLMbu9d2jUaun9EdAdjkDztxAAAAAntEefTqjnDveTyCvBwLaSV25PAM0umDaPgRkrlkXEs0DDX9ldkwYyhGd+xYytZ+boi+rs7RJ7Ul3DoTV77Vgcw=="},"profile":{"info_cache":{},"profile_counts_reported":"13369866297317036","profiles_order":[]},"smartscreen":{"enabled":true,"pua_protection_enabled":true},"telemetry_client":{"install_source_name":"windows","os_integration_level":5,"updater_version":"1.3.177.11","windows_update_applied":false},"uninstall_metrics":{"installation_date2":"1725392697"},"user_experienc

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Local State~RF36013.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1371
Entropy (8bit):	5.4973501584113516
Encrypted:	false
SSDEEP:	24:YpQBqDPak7u5rrt4w7T4EkoXWIWapHM6yikpJdXBuBuwBTauYNhpPXIQoTEtCY/g:YuBqDPaf9/4SA4PIgBzBTLqpPdRE5
MD5:	B5E908E123993B04E4ADA6D999A317C4
SHA1:	D48CFF1C101D717C69B81A9709655F852F7BBDF9
SHA-256:	CF33409E37F3E088F42E96EE8B17A100F365495EAF253452FF67158D0BC88CC1
SHA-512:	A8B638A37A11ECC472FEE9F46D1F4B059112EC7B20A07375CF10084CFEBC31AE87B34DEFE92C6EA766EC006F2CDB3D8B4A2804B2BAC6F1752C3A755001A2622E
Malicious:	false
Preview:	{"edge":{"perf_center":{"efficiency_mode_v2_is_active":false,"perf_game_mode":true,"performance_mode":3,"performance_mode_is_on":false}},"legacy":{"profile":{"name":{"migrated":true}}},"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAAA3mo1C2vxPS5cYZvb18j1UEAAAAB4AAABNAGkAYwByAG8AcwBvAGYAdAAgAEUAZABnAGUAAAAQZgAAAAEAACAAAADxaKctnu6p51QbXzcec0yJJHRCERFOewneC7s2Q8cx4wAAAAAOgAAAAAIAACAAAADDQBNAyQ2e/fxXiNJwYS72m7RtJj6wBI1XfE15Cot+7DAAAAD8uFIVc3Ze0Ct/1F6l1WEnAdCApjj70vDAX/o95QolLMbu9d2jUaun9EdAdjkDztxAAAAAntEefTqjnDveTyCvBwLaSV25PAM0umDaPgRkrlkXEs0DDX9ldkwYyhGd+xYytZ+boi+rs7RJ7Ul3DoTV77Vgcw=="},"profile":{"info_cache":{},"profile_counts_reported":"13369866297317036","profiles_order":[]},"smartscreen":{"enabled":true,"pua_protection_enabled":true},"telemetry_client":{"install_source_name":"windows","os_integration_level":5,"updater_version":"1.3.177.11","windows_update_applied":false},"uninstall_metrics":{"installation_date2":"1725392697"},"user_experienc

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Local State~RF39af9.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1371
Entropy (8bit):	5.4973501584113516
Encrypted:	false
SSDEEP:	24:YpQBqDPak7u5rrt4w7T4EkoXWIWapHM6yikpJdXBuBuwBTauYNhpPXIQoTEtCY/g:YuBqDPaf9/4SA4PIgBzBTLqpPdRE5
MD5:	B5E908E123993B04E4ADA6D999A317C4
SHA1:	D48CFF1C101D717C69B81A9709655F852F7BBDF9
SHA-256:	CF33409E37F3E088F42E96EE8B17A100F365495EAF253452FF67158D0BC88CC1
SHA-512:	A8B638A37A11ECC472FEE9F46D1F4B059112EC7B20A07375CF10084CFEBC31AE87B34DEFE92C6EA766EC006F2CDB3D8B4A2804B2BAC6F1752C3A755001A2622E
Malicious:	false
Preview:	{"edge":{"perf_center":{"efficiency_mode_v2_is_active":false,"perf_game_mode":true,"performance_mode":3,"performance_mode_is_on":false}},"legacy":{"profile":{"name":{"migrated":true}}},"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAAA3mo1C2vxPS5cYZvb18j1UEAAAAB4AAABNAGkAYwByAG8AcwBvAGYAdAAgAEUAZABnAGUAAAAQZgAAAAEAACAAAADxaKctnu6p51QbXzcec0yJJHRCERFOewneC7s2Q8cx4wAAAAAOgAAAAAIAACAAAADDQBNAyQ2e/fxXiNJwYS72m7RtJj6wBI1XfE15Cot+7DAAAAD8uFIVc3Ze0Ct/1F6l1WEnAdCApjj70vDAX/o95QolLMbu9d2jUaun9EdAdjkDztxAAAAAntEefTqjnDveTyCvBwLaSV25PAM0umDaPgRkrlkXEs0DDX9ldkwYyhGd+xYytZ+boi+rs7RJ7Ul3DoTV77Vgcw=="},"profile":{"info_cache":{},"profile_counts_reported":"13369866297317036","profiles_order":[]},"smartscreen":{"enabled":true,"pua_protection_enabled":true},"telemetry_client":{"install_source_name":"windows","os_integration_level":5,"updater_version":"1.3.177.11","windows_update_applied":false},"uninstall_metrics":{"installation_date2":"1725392697"},"user_experienc

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Local State~RF422d6.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1371
Entropy (8bit):	5.4973501584113516
Encrypted:	false
SSDEEP:	24:YpQBqDPak7u5rrt4w7T4EkoXWIWapHM6yikpJdXBuBuwBTauYNhpPXIQoTEtCY/g:YuBqDPaf9/4SA4PIgBzBTLqpPdRE5
MD5:	B5E908E123993B04E4ADA6D999A317C4
SHA1:	D48CFF1C101D717C69B81A9709655F852F7BBDF9
SHA-256:	CF33409E37F3E088F42E96EE8B17A100F365495EAF253452FF67158D0BC88CC1
SHA-512:	A8B638A37A11ECC472FEE9F46D1F4B059112EC7B20A07375CF10084CFEBC31AE87B34DEFE92C6EA766EC006F2CDB3D8B4A2804B2BAC6F1752C3A755001A2622E
Malicious:	false
Preview:	{"edge":{"perf_center":{"efficiency_mode_v2_is_active":false,"perf_game_mode":true,"performance_mode":3,"performance_mode_is_on":false}},"legacy":{"profile":{"name":{"migrated":true}}},"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAAA3mo1C2vxPS5cYZvb18j1UEAAAAB4AAABNAGkAYwByAG8AcwBvAGYAdAAgAEUAZABnAGUAAAAQZgAAAAEAACAAAADxaKctnu6p51QbXzcec0yJJHRCERFOewneC7s2Q8cx4wAAAAAOgAAAAAIAACAAAADDQBNAyQ2e/fxXiNJwYS72m7RtJj6wBI1XfE15Cot+7DAAAAD8uFIVc3Ze0Ct/1F6l1WEnAdCApjj70vDAX/o95QolLMbu9d2jUaun9EdAdjkDztxAAAAAntEefTqjnDveTyCvBwLaSV25PAM0umDaPgRkrlkXEs0DDX9ldkwYyhGd+xYytZ+boi+rs7RJ7Ul3DoTV77Vgcw=="},"profile":{"info_cache":{},"profile_counts_reported":"13369866297317036","profiles_order":[]},"smartscreen":{"enabled":true,"pua_protection_enabled":true},"telemetry_client":{"install_source_name":"windows","os_integration_level":5,"updater_version":"1.3.177.11","windows_update_applied":false},"uninstall_metrics":{"installation_date2":"1725392697"},"user_experienc

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Local State~RF449f6.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1371
Entropy (8bit):	5.4973501584113516
Encrypted:	false
SSDEEP:	24:YpQBqDPak7u5rrt4w7T4EkoXWIWapHM6yikpJdXBuBuwBTauYNhpPXIQoTEtCY/g:YuBqDPaf9/4SA4PIgBzBTLqpPdRE5
MD5:	B5E908E123993B04E4ADA6D999A317C4
SHA1:	D48CFF1C101D717C69B81A9709655F852F7BBDF9
SHA-256:	CF33409E37F3E088F42E96EE8B17A100F365495EAF253452FF67158D0BC88CC1
SHA-512:	A8B638A37A11ECC472FEE9F46D1F4B059112EC7B20A07375CF10084CFEBC31AE87B34DEFE92C6EA766EC006F2CDB3D8B4A2804B2BAC6F1752C3A755001A2622E
Malicious:	false
Preview:	{"edge":{"perf_center":{"efficiency_mode_v2_is_active":false,"perf_game_mode":true,"performance_mode":3,"performance_mode_is_on":false}},"legacy":{"profile":{"name":{"migrated":true}}},"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAAA3mo1C2vxPS5cYZvb18j1UEAAAAB4AAABNAGkAYwByAG8AcwBvAGYAdAAgAEUAZABnAGUAAAAQZgAAAAEAACAAAADxaKctnu6p51QbXzcec0yJJHRCERFOewneC7s2Q8cx4wAAAAAOgAAAAAIAACAAAADDQBNAyQ2e/fxXiNJwYS72m7RtJj6wBI1XfE15Cot+7DAAAAD8uFIVc3Ze0Ct/1F6l1WEnAdCApjj70vDAX/o95QolLMbu9d2jUaun9EdAdjkDztxAAAAAntEefTqjnDveTyCvBwLaSV25PAM0umDaPgRkrlkXEs0DDX9ldkwYyhGd+xYytZ+boi+rs7RJ7Ul3DoTV77Vgcw=="},"profile":{"info_cache":{},"profile_counts_reported":"13369866297317036","profiles_order":[]},"smartscreen":{"enabled":true,"pua_protection_enabled":true},"telemetry_client":{"install_source_name":"windows","os_integration_level":5,"updater_version":"1.3.177.11","windows_update_applied":false},"uninstall_metrics":{"installation_date2":"1725392697"},"user_experienc

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Local State~RF4a823.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1371
Entropy (8bit):	5.4973501584113516
Encrypted:	false
SSDEEP:	24:YpQBqDPak7u5rrt4w7T4EkoXWIWapHM6yikpJdXBuBuwBTauYNhpPXIQoTEtCY/g:YuBqDPaf9/4SA4PIgBzBTLqpPdRE5
MD5:	B5E908E123993B04E4ADA6D999A317C4
SHA1:	D48CFF1C101D717C69B81A9709655F852F7BBDF9
SHA-256:	CF33409E37F3E088F42E96EE8B17A100F365495EAF253452FF67158D0BC88CC1
SHA-512:	A8B638A37A11ECC472FEE9F46D1F4B059112EC7B20A07375CF10084CFEBC31AE87B34DEFE92C6EA766EC006F2CDB3D8B4A2804B2BAC6F1752C3A755001A2622E
Malicious:	false
Preview:	{"edge":{"perf_center":{"efficiency_mode_v2_is_active":false,"perf_game_mode":true,"performance_mode":3,"performance_mode_is_on":false}},"legacy":{"profile":{"name":{"migrated":true}}},"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAAA3mo1C2vxPS5cYZvb18j1UEAAAAB4AAABNAGkAYwByAG8AcwBvAGYAdAAgAEUAZABnAGUAAAAQZgAAAAEAACAAAADxaKctnu6p51QbXzcec0yJJHRCERFOewneC7s2Q8cx4wAAAAAOgAAAAAIAACAAAADDQBNAyQ2e/fxXiNJwYS72m7RtJj6wBI1XfE15Cot+7DAAAAD8uFIVc3Ze0Ct/1F6l1WEnAdCApjj70vDAX/o95QolLMbu9d2jUaun9EdAdjkDztxAAAAAntEefTqjnDveTyCvBwLaSV25PAM0umDaPgRkrlkXEs0DDX9ldkwYyhGd+xYytZ+boi+rs7RJ7Ul3DoTV77Vgcw=="},"profile":{"info_cache":{},"profile_counts_reported":"13369866297317036","profiles_order":[]},"smartscreen":{"enabled":true,"pua_protection_enabled":true},"telemetry_client":{"install_source_name":"windows","os_integration_level":5,"updater_version":"1.3.177.11","windows_update_applied":false},"uninstall_metrics":{"installation_date2":"1725392697"},"user_experienc

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Nurturing\campaign_history

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 2, database pages 5, cookie 0x2, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.46731661083066856
Encrypted:	false
SSDEEP:	12:TL1QAFUxOUDaabZXiDiIF8izX4fhhdWeci2oesJaYi3is25q0S9K0xHZ75fOV:TLiOUOq0afDdWec9sJf5Q7J5fc
MD5:	E93ACF0820CA08E5A5D2D159729F70E3
SHA1:	2C1A4D4924B9AEC1A796F108607404B000877C5D
SHA-256:	F2267FDA7F45499F7A01186B75CEFB799F8D2BC97E2E9B5068952D477294302C
SHA-512:	3BF36C20E04DCF1C16DC794E272F82F68B0DE43F16B4A9746B63B6D6BBC953B00BD7111CDA7AFE85CEBB2C447145483A382B15E2B0A5B36026C3441635D4E50C
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\ShaderCache\data_0

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 512, next free block index 3284796609, field type 0
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.01057775872642915
Encrypted:	false
SSDEEP:	3:MsFl:/F
MD5:	CF89D16BB9107C631DAABF0C0EE58EFB
SHA1:	3AE5D3A7CF1F94A56E42F9A58D90A0B9616AE74B
SHA-256:	D6A5FE39CD672781B256E0E3102F7022635F1D4BB7CFCC90A80FFFE4D0F3877E
SHA-512:	8CB5B059C8105EB91E74A7D5952437AAA1ADA89763C5843E7B0F1B93D9EBE15ED40F287C652229291FAC02D712CF7FF5ECECEF276BA0D7DDC35558A3EC3F77B0
Malicious:	false
Preview:	............$...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\ShaderCache\data_1

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	270336
Entropy (8bit):	8.280239615765425E-4
Encrypted:	false
SSDEEP:	3:MsEllllkEthXllkl2:/M/xT02
MD5:	D0D388F3865D0523E451D6BA0BE34CC4
SHA1:	8571C6A52AACC2747C048E3419E5657B74612995
SHA-256:	902F30C1FB0597D0734BC34B979EC5D131F8F39A4B71B338083821216EC8D61B
SHA-512:	376011D00DE659EB6082A74E862CFAC97A9BB508E0B740761505142E2D24EC1C30AA61EFBC1C0DD08FF0F34734444DE7F77DD90A6CA42B48A4C7FAD5F0BDDD17
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\ShaderCache\data_2

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.011852361981932763
Encrypted:	false
SSDEEP:	3:MsHlDll:/H
MD5:	0962291D6D367570BEE5454721C17E11
SHA1:	59D10A893EF321A706A9255176761366115BEDCB
SHA-256:	EC1702806F4CC7C42A82FC2B38E89835FDE7C64BB32060E0823C9077CA92EFB7
SHA-512:	F555E961B69E09628EAF9C61F465871E6984CD4D31014F954BB747351DAD9CEA6D17C1DB4BCA2C1EB7F187CB5F3C0518748C339C8B43BBD1DBD94AEAA16F58ED
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\ShaderCache\data_3

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.012340643231932763
Encrypted:	false
SSDEEP:	3:MsGl3ll:/y
MD5:	41876349CB12D6DB992F1309F22DF3F0
SHA1:	5CF26B3420FC0302CD0A71E8D029739B8765BE27
SHA-256:	E09F42C398D688DCE168570291F1F92D079987DEDA3099A34ADB9E8C0522B30C
SHA-512:	E9A4FC1F7CB6AE2901F8E02354A92C4AAA7A53C640DCF692DB42A27A5ACC2A3BFB25A0DE0EB08AB53983132016E7D43132EA4292E439BB636AAFD53FB6EF907E
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\ShaderCache\index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 768, next free block index 3284796353, field type 0
Category:	dropped
Size (bytes):	262512
Entropy (8bit):	9.553120663130604E-4
Encrypted:	false
SSDEEP:	3:LsNl0:Ls30
MD5:	4B9030C659872438F19A455939FC55A9
SHA1:	16E2C7FD61D82692A2FC1F5BE73D57B4B543F298
SHA-256:	CFD2C187BC522C34B34E004A8631F2DC70557DD6CEABBBADC097CF37BCA9D881
SHA-512:	1B3D1E2F786F9DC1334F80016DA11EF5654C50EF5365B2EDFD1D4B2FDA2C29E6C37A296DD68303FF22791F3E5B72DD029490C222684762D42932987EE2F01566
Malicious:	false
Preview:	........................................._Y.../.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\SmartScreen\RemoteData\customSettings

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	47
Entropy (8bit):	4.3818353308528755
Encrypted:	false
SSDEEP:	3:2jRo6jhM6ceYcUtS2djIn:5I2uxUt5Mn
MD5:	48324111147DECC23AC222A361873FC5
SHA1:	0DF8B2267ABBDBD11C422D23338262E3131A4223
SHA-256:	D8D672F953E823063955BD9981532FC3453800C2E74C0CC3653D091088ABD3B3
SHA-512:	E3B5DB7BA5E4E3DE3741F53D91B6B61D6EB9ECC8F4C07B6AE1C2293517F331B716114BAB41D7935888A266F7EBDA6FABA90023EFFEC850A929986053853F1E02
Malicious:	false
Preview:	customSettings_F95BA787499AB4FA9EFFF472CE383A14

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\SmartScreen\RemoteData\customSettings_F95BA787499AB4FA9EFFF472CE383A14

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	35
Entropy (8bit):	4.014438730983427
Encrypted:	false
SSDEEP:	3:YDMGA2ADH/AYKEqsYq:YQXT/bKE1F
MD5:	BB57A76019EADEDC27F04EB2FB1F1841
SHA1:	8B41A1B995D45B7A74A365B6B1F1F21F72F86760
SHA-256:	2BAE8302F9BD2D87AE26ACF692663DF1639B8E2068157451DA4773BD8BD30A2B
SHA-512:	A455D7F8E0BE9A27CFB7BE8FE0B0E722B35B4C8F206CAD99064473F15700023D5995CC2C4FAFDB8FBB50F0BAB3EC8B241E9A512C0766AAAE1A86C3472C589FFD
Malicious:	false
Preview:	{"forceServiceDetermination":false}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\SmartScreen\RemoteData\customSynchronousLookupUris

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	29
Entropy (8bit):	3.922828737239167
Encrypted:	false
SSDEEP:	3:2NGw+K+:fwZ+
MD5:	7BAAFE811F480ACFCCCEE0D744355C79
SHA1:	24B89AE82313084BB8BBEB9AD98A550F41DF7B27
SHA-256:	D5743766AF0312C7B7728219FC24A03A4FB1C2A54A506F337953FBC2C1B847C7
SHA-512:	70FE1C197AF507CC0D65E99807D245C896A40A4271BA1121F9B621980877B43019E584C48780951FC1AD2A5D7D146FC6EA4678139A5B38F9B6F7A5F1E2E86BA3
Malicious:	false
Preview:	customSynchronousLookupUris_0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\SmartScreen\RemoteData\customSynchronousLookupUris_0

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	35302
Entropy (8bit):	7.99333285466604
Encrypted:	true
SSDEEP:	768:rRhaFePY38QBsj61g3g01LXoDGPpgb8KbMcnjrQCckBuJyqk3x8cBBT:rLP+TBK6ZQLXSsaMcnHQQcox80
MD5:	0E06E28C3536360DE3486B1A9E5195E8
SHA1:	EB768267F34EC16A6CCD1966DCA4C3C2870268AB
SHA-256:	F2658B1C913A96E75B45E6ADB464C8D796B34AC43BAF1635AA32E16D1752971C
SHA-512:	45F1E909599E2F63372867BC359CF72FD846619DFEB5359E52D5700E0B1BCFFE5FF07606511A3BFFDDD933A0507195439457E4E29A49EB6451F26186B7240041
Malicious:	false
Preview:	.......murmur3.....IN...9.......0..X..#l....C....]......pv..E..........,..?.N?....V..B-..F.1....g\|..._.>'.-(V... .=.7P.m....#}.r.....>.LE...G.A.h5........J..=..L^-.Zl++,..h..o.y..~j.]u...W...&s.........M..........h3b..[.5.]..V^w.........a....6g3..%.gy../{\|Z.B..X.}5.]..t.1.H&B.[.).$Y......2....L.t...{...[WE.yy.]..e.v0..\.J3..T.`1Lnh.../..-=w...W.&N7.nz.P...z......'i..R6....../....t.[..&-.....T&l..e....$.8.."....Iq....J.v..\|.6.M...zE...a9uw..'.$6.L..m$......NB).JL.G.7}8(`....J.)b.E.m...c.0I.V...\|$....;.k.......8v..l.:..@.F.........K..2...%(...kA......LJd~._A.N.....$3...5....Z"...X=.....%.........6.k.....F..1..l,ia..i.i....y.M..Cl........}.I..r..-+=b.6....%...#...W..K.....=.F....~.....[.......-...../;....~.09..d.....GR..H.lR...m.Huh9.:..A H./)..D.F..Y.n7.....7D.O.a;>Z.K....w...sq..qo3N...8@.zpD.Ku......+.Z=.zNFgP._@.z.ic.......3.....+..j...an%...X..7.q..A.l.7.S2..+....1.s.b..z...@v..!.y...N.C.XQ.p.\..x8(.<.....cq.(

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\SmartScreen\RemoteData\edgeSettings

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	18
Entropy (8bit):	3.5724312513221195
Encrypted:	false
SSDEEP:	3:kDnaV6bVon:kDYa2
MD5:	5692162977B015E31D5F35F50EFAB9CF
SHA1:	705DC80E8B32AC8B68F7E13CF8A75DCCB251ED7D
SHA-256:	42CCB5159B168DBE5D5DDF026E5F7ED3DBF50873CFE47C7C3EF0677BB07B90D4
SHA-512:	32905A4CC5BCE0FE8502DDD32096F40106625218BEDC4E218A344225D6DF2595A7B70EEB3695DCEFDD894ECB2B66BED479654E8E07F02526648E07ACFE47838C
Malicious:	false
Preview:	edgeSettings_2.0-0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\SmartScreen\RemoteData\edgeSettings_2.0-0

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3581
Entropy (8bit):	4.459693941095613
Encrypted:	false
SSDEEP:	96:JTMhnytNaSA4BOsNQNhnUZTFGKDIWHCgL5tfHaaJzRHF+P1sYmnfHUdT+GWBH7Y/:KyMot7vjFU
MD5:	BDE38FAE28EC415384B8CFE052306D6C
SHA1:	3019740AF622B58D573C00BF5C98DD77F3FBB5CD
SHA-256:	1F4542614473AE103A5EE3DEEEC61D033A40271CFF891AAA6797534E4DBB4D20
SHA-512:	9C369D69298EBF087412EDA782EE72AFE5448FD0D69EA5141C2744EA5F6C36CDF70A51845CDC174838BAC0ADABDFA70DF6AEDBF6E7867578AE7C4B7805A8B55E
Malicious:	false
Preview:	{"models":[],"geoidMaps":{"gw_my":"https://malaysia.smartscreen.microsoft.com/","gw_tw":"https://taiwan.smartscreen.microsoft.com/","gw_at":"https://austria.smartscreen.microsoft.com/","gw_es":"https://spain.smartscreen.microsoft.com/","gw_pl":"https://poland.smartscreen.microsoft.com/","gw_se":"https://sweden.smartscreen.microsoft.com/","gw_kr":"https://southkorea.smartscreen.microsoft.com/","gw_br":"https://brazil.smartscreen.microsoft.com/","au":"https://australia.smartscreen.microsoft.com/","dk":"https://denmark.smartscreen.microsoft.com/","gw_sg":"https://singapore.smartscreen.microsoft.com/","gw_fr":"https://france.smartscreen.microsoft.com/","gw_ca":"https://canada.smartscreen.microsoft.com/","test":"https://eu-9.smartscreen.microsoft.com/","gw_il":"https://israel.smartscreen.microsoft.com/","gw_au":"https://australia.smartscreen.microsoft.com/","gw_ffl4mod":"https://unitedstates4.ss.wd.microsoft.us/","gw_ffl4":"https://unitedstates1.ss.wd.microsoft.us/","gw_eu":"https://europe.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\SmartScreen\RemoteData\synchronousLookupUris

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	47
Entropy (8bit):	4.493433469104717
Encrypted:	false
SSDEEP:	3:kfKbQSQSuLA5:kyUc5
MD5:	3F90757B200B52DCF5FDAC696EFD3D60
SHA1:	569A2E1BED9ECCDF7CD03E270AEF2BD7FF9B0E77
SHA-256:	1EE63F0A3502CFB7DF195FABBA41A7805008AB2CCCDAEB9AF990409D163D60C8
SHA-512:	39252BBAA33130DF50F36178A8EAB1D09165666D8A229FBB3495DD01CBE964F87CD2E6FCD479DFCA36BE06309EF18FEDA7F14722C57545203BBA24972D4835C8
Malicious:	false
Preview:	synchronousLookupUris_636976985063396749.rel.v2

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\SmartScreen\RemoteData\synchronousLookupUris_636976985063396749.rel.v2

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	35302
Entropy (8bit):	7.99333285466604
Encrypted:	true
SSDEEP:	768:rRhaFePY38QBsj61g3g01LXoDGPpgb8KbMcnjrQCckBuJyqk3x8cBBT:rLP+TBK6ZQLXSsaMcnHQQcox80
MD5:	0E06E28C3536360DE3486B1A9E5195E8
SHA1:	EB768267F34EC16A6CCD1966DCA4C3C2870268AB
SHA-256:	F2658B1C913A96E75B45E6ADB464C8D796B34AC43BAF1635AA32E16D1752971C
SHA-512:	45F1E909599E2F63372867BC359CF72FD846619DFEB5359E52D5700E0B1BCFFE5FF07606511A3BFFDDD933A0507195439457E4E29A49EB6451F26186B7240041
Malicious:	false
Preview:	.......murmur3.....IN...9.......0..X..#l....C....]......pv..E..........,..?.N?....V..B-..F.1....g\|..._.>'.-(V... .=.7P.m....#}.r.....>.LE...G.A.h5........J..=..L^-.Zl++,..h..o.y..~j.]u...W...&s.........M..........h3b..[.5.]..V^w.........a....6g3..%.gy../{\|Z.B..X.}5.]..t.1.H&B.[.).$Y......2....L.t...{...[WE.yy.]..e.v0..\.J3..T.`1Lnh.../..-=w...W.&N7.nz.P...z......'i..R6....../....t.[..&-.....T&l..e....$.8.."....Iq....J.v..\|.6.M...zE...a9uw..'.$6.L..m$......NB).JL.G.7}8(`....J.)b.E.m...c.0I.V...\|$....;.k.......8v..l.:..@.F.........K..2...%(...kA......LJd~._A.N.....$3...5....Z"...X=.....%.........6.k.....F..1..l,ia..i.i....y.M..Cl........}.I..r..-+=b.6....%...#...W..K.....=.F....~.....[.......-...../;....~.09..d.....GR..H.lR...m.Huh9.:..A H./)..D.F..Y.n7.....7D.O.a;>Z.K....w...sq..qo3N...8@.zpD.Ku......+.Z=.zNFgP._@.z.ic.......3.....+..j...an%...X..7.q..A.l.7.S2..+....1.s.b..z...@v..!.y...N.C.XQ.p.\..x8(.<.....cq.(

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\SmartScreen\RemoteData\topTraffic

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	50
Entropy (8bit):	3.9904355005135823
Encrypted:	false
SSDEEP:	3:0xXF/XctY5GUf+:0RFeUf+
MD5:	E144AFBFB9EE10479AE2A9437D3FC9CA
SHA1:	5AAAC173107C688C06944D746394C21535B0514B
SHA-256:	EB28E8ED7C014F211BD81308853F407DF86AEBB5F80F8E4640C608CD772544C2
SHA-512:	837D15B3477C95D2D71391D677463A497D8D9FFBD7EB42E412DA262C9B5C82F22CE4338A0BEAA22C81A06ECA2DF7A9A98B7D61ECACE5F087912FD9BA7914AF3F
Malicious:	false
Preview:	topTraffic_170540185939602997400506234197983529371

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\SmartScreen\RemoteData\topTraffic_170540185939602997400506234197983529371

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	575056
Entropy (8bit):	7.999649474060713
Encrypted:	true
SSDEEP:	12288:fXdhUG0PlM/EXEBQlbk19RrH76Im4u8C1jJodha:Ji80e9Rb7Tm4u8CnR
MD5:	BE5D1A12C1644421F877787F8E76642D
SHA1:	06C46A95B4BD5E145E015FA7E358A2D1AC52C809
SHA-256:	C1CE928FBEF4EF5A4207ABAFD9AB6382CC29D11DDECC215314B0522749EF6A5A
SHA-512:	FD5B100E2F192164B77F4140ADF6DE0322F34D7B6F0CF14AED91BACAB18BB8F195F161F7CF8FB10651122A598CE474AC4DC39EDF47B6A85C90C854C2A3170960
Malicious:	false
Preview:	...._+jE.`..}....S..1....G}s..E....y".Wh.^.W.H...-...#.A...KR...9b........>k......bU.IVo...D......Y..[l.yx.......'c=..I0.....E.d...-...1 ....m../C...OQ.........qW..<:N.....38.u..X-..s....<..U.,Mi..._.......`.Y/.........^..,.E..........j@..G8..N.... ..Ea...4.+.79k.!T.-5W..!..@+..!.P..LDG.....V."....L.... .(#..$..&......C.....%A.T}....K_.S..'Q.".d....s....(j.D!......Ov..)d0)."(..%..-..G..L.}....i.....m9;.....t.w..0....f?..-..M.c.3.....N7K.T..D>.3.x...z..u$5!..4..T.....U.O^L{.5..=E..'..;.}(\|.6.:..f!.>...?M.8......P.D.J.I4.<....y.E....>....i%.6..Y.@..n.....M..r..C.f.;..<..0.H...F....h.......HB1]1....u..:...H..k....B.Q..J...@}j~.#...'Y.J~....I...ub.&..L[z..1.W/.Ck....M.......[.......N.F..z.{nZ~d.V.4.u.K.V.......X.<p..cz..>....X...W..da3(..g..Z$.L4.j=~.p.l.\.[e.&&.Y ...U)..._.^r0.,.{_......`S..[....(.\..p.bt.g..%.$+....f.....d....Im..f...W ......G..i_8a..ae..7....pS.....z-H..A.s.4.3..O.r.....u.S......a.}..v.-/..... ...a.x#./:...sS&U.().xL...pg

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Variations

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	86
Entropy (8bit):	4.3751917412896075
Encrypted:	false
SSDEEP:	3:YQ3JYq9xSs0dMEJAELJ2rjozQan:YQ3Kq9X0dMgAEwjM
MD5:	961E3604F228B0D10541EBF921500C86
SHA1:	6E00570D9F78D9CFEBE67D4DA5EFE546543949A7
SHA-256:	F7B24F2EB3D5EB0550527490395D2F61C3D2FE74BB9CB345197DAD81B58B5FED
SHA-512:	535F930AFD2EF50282715C7E48859CC2D7B354FF4E6C156B94D5A2815F589B33189FFEDFCAF4456525283E993087F9F560D84CFCF497D189AB8101510A09C472
Malicious:	false
Preview:	{"user_experience_metrics.stability.exited_cleanly":false,"variations_crash_streak":0}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\c7a132c7-39e0-4123-9413-66062ac7c61c.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	20959
Entropy (8bit):	6.064886398173115
Encrypted:	false
SSDEEP:	384:i6tMGQ7LBjuYXGIgtDAW5u0TDJ2q03X8NBSMIb8GoIEN555LI0K:ZMGQ7FCYXGIgtDAWtJ4nrb8GoIUI
MD5:	182C0A5249E5AE057CC9B0049162DD84
SHA1:	A33CE49584E1D18B999C90294E9F24D53791DA5B
SHA-256:	5B0A0802BBABDE787DA7D5A419C7CF970D4B96FEA4A8B342E97D470BA60CFC81
SHA-512:	6DD6B7A4695FAEF34E47C2A5D7FB781FCC579BE7FA6FDFE1C5D1652A04053CE2CE43C846E42D15BEA78B916BE3C59D2DD1ECCC75B4E52266822122A13CB9C308
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"5E25271B8190D943537AD3FDB50874FC133E8B4A00380E2A6A888D63386F728B\"","apps_count_check_time":"13369866299641235","domain_actions_config":"H4sIAAAAAAAAAL1dWZPktpH+KxP9ZDtU6GMujfykHY9txVpHyHIoYh2ODhBEkWiCAAdHVbEc/u+bCVb1dE8RqEqOdh806mbzw8VEXshM/PuKb27vha2luF9LHqKT96KVoru3G+mcquXVN/++4sOgleBBWeOvvvnn4YGs7wcLz8erb65+HMKPMVx9dVXbnisDT4wMa612TNj+6j9fUSA+xFpZPyH/9dVVQig59Wx4L5+Cwzjg799ubt/jJP48zeE9TuHwDjYBc/Ew+Ktvbv/z1ZWoe+rsjB4/7Abr5U+ajz9LXo9Px+21Mk1hoo/oX6HHjTLyKTjYyMJmCbLnO/hZMpjFAjSvxOIhbxgi5FK85m+ZCkuQu7UyKoxLO97yIFoYvbAluiw2oRoYgIQ2nG2AqJY2U+koRXQbbMm3fMsEX9JMK3GLbeAvNjhrlo5GOJiTA/oXLTdG6qXtmMBDiyS59PvY7eCklyb4QcfFi7tpdwu3VBt1XNorvM4+RiU6+CjD0kb+pHz7rRm3rXSyzABnWdKBG+Ijlx7hEE4QTzo+AB6fnDLLJBpo7PKv8Ob367/KjUg8mcY6CmCjTJCmtsWFOcUf5vj04cw0e1yZe2WAl8svFn5IC43jfc+dLnGrEyDwAicHCxNdhlrVa5LEtTgt5u2lAK02pd198r5dr5VYgHj55jUJZGTtlg0NlA7S5AnvB8l7z3olnPV2vfCLsugvBUH7vTVIe9Y151SnmS2Auyvcr5UGYXBvzT2s0L3fKpCZl+2D91MLf04NPNNUni9BZmDP4Sfjk2Ig7ktgg8r8InfhHz//zSP7e8bquWlsDJ411j

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\cb989319-1e6e-4577-b7e9-5c311101f7cf.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24282
Entropy (8bit):	6.055706931755872
Encrypted:	false
SSDEEP:	384:i6tMGQ7LBjuYXGIgtDAW5u0TDJ2q03X8NlMIDeqdpVE/8aaEN555LI0K:ZMGQ7FCYXGIgtDAWtJ4nYDM/8aaUI
MD5:	866840C32DDBAB9D5BE6A4D0744DC242
SHA1:	F066C68AF7A1A5391CAED5A917072409D8C1AD8B
SHA-256:	82E77ADB8BF00597D235E3D2D2D6BCF960636B6051CC2F3ECADBAA033F601188
SHA-512:	CEEE1E83521AA08A3B40AF4BF00E8F2E7D97FB5B6FD9F803799D99C29AE47238DDD81193FFAAEDEA3F2CC5C148114AC4C96FAACF817E155B07E28C21E4672A3E
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"5E25271B8190D943537AD3FDB50874FC133E8B4A00380E2A6A888D63386F728B\"","apps_count_check_time":"13369866299641235","domain_actions_config":"H4sIAAAAAAAAAL1dWZPktpH+KxP9ZDtU6GMujfykHY9txVpHyHIoYh2ODhBEkWiCAAdHVbEc/u+bCVb1dE8RqEqOdh806mbzw8VEXshM/PuKb27vha2luF9LHqKT96KVoru3G+mcquXVN/++4sOgleBBWeOvvvnn4YGs7wcLz8erb65+HMKPMVx9dVXbnisDT4wMa612TNj+6j9fUSA+xFpZPyH/9dVVQig59Wx4L5+Cwzjg799ubt/jJP48zeE9TuHwDjYBc/Ew+Ktvbv/z1ZWoe+rsjB4/7Abr5U+ajz9LXo9Px+21Mk1hoo/oX6HHjTLyKTjYyMJmCbLnO/hZMpjFAjSvxOIhbxgi5FK85m+ZCkuQu7UyKoxLO97yIFoYvbAluiw2oRoYgIQ2nG2AqJY2U+koRXQbbMm3fMsEX9JMK3GLbeAvNjhrlo5GOJiTA/oXLTdG6qXtmMBDiyS59PvY7eCklyb4QcfFi7tpdwu3VBt1XNorvM4+RiU6+CjD0kb+pHz7rRm3rXSyzABnWdKBG+Ijlx7hEE4QTzo+AB6fnDLLJBpo7PKv8Ob367/KjUg8mcY6CmCjTJCmtsWFOcUf5vj04cw0e1yZe2WAl8svFn5IC43jfc+dLnGrEyDwAicHCxNdhlrVa5LEtTgt5u2lAK02pd198r5dr5VYgHj55jUJZGTtlg0NlA7S5AnvB8l7z3olnPV2vfCLsugvBUH7vTVIe9Y151SnmS2Auyvcr5UGYXBvzT2s0L3fKpCZl+2D91MLf04NPNNUni9BZmDP4Sfjk2Ig7ktgg8r8InfhHz//zSP7e8bquWlsDJ411j

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\dc65e0cc-178a-4221-97f0-47fec8dab573.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4235
Entropy (8bit):	5.488901003015015
Encrypted:	false
SSDEEP:	96:0q8NkGS1f9PA4r58rh/cI9URoDotoYmBIZvROCZJkGocmSDS4S4SDSne4a:/8NBSfPMeoDUiLCfkGol
MD5:	69017B15D763796278B56B8B510D8A15
SHA1:	F37308714751711FD915263B90B74FC1D9ABD08B
SHA-256:	8C93987BA29CEB493C4E7CBDA96D03F83383B6C0E6527B86BA2410039E2DC15E
SHA-512:	ED15E2F74D377B1C5E38E2E2DC1283736FE7F9CE831813D8C17FD8E278DFEB9A5834F09DAF30231EC3CB88CF00DB9C446CBCC0E91E8F951EA26D4D51BBCA9418
Malicious:	false
Preview:	{"dual_user":{"ie_to_edge":{"redirection_mode":0}},"edge":{"perf_center":{"efficiency_mode_v2_is_active":false,"perf_game_mode":true,"performance_mode":3,"performance_mode_is_on":false},"tab_stabs":{"closed_without_unfreeze_never_unfrozen":0,"closed_without_unfreeze_previously_unfrozen":0,"discard_without_unfreeze_never_unfrozen":0,"discard_without_unfreeze_previously_unfrozen":0},"tab_stats":{"frozen_daily":0,"unfrozen_daily":0}},"fre":{"oem_bookmarks_set":true},"hardware_acceleration_mode_previous":true,"legacy":{"profile":{"name":{"migrated":true}}},"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAAA3mo1C2vxPS5cYZvb18j1UEAAAAB4AAABNAGkAYwByAG8AcwBvAGYAdAAgAEUAZABnAGUAAAAQZgAAAAEAACAAAADxaKctnu6p51QbXzcec0yJJHRCERFOewneC7s2Q8cx4wAAAAAOgAAAAAIAACAAAADDQBNAyQ2e/fxXiNJwYS72m7RtJj6wBI1XfE15Cot+7DAAAAD8uFIVc3Ze0Ct/1F6l1WEnAdCApjj70vDAX/o95QolLMbu9d2jUaun9EdAdjkDztxAAAAAntEefTqjnDveTyCvBwLaSV25PAM0umDaPgRkrlkXEs0DDX9ldkwYyhGd+xYytZ+boi+rs7RJ7Ul3DoTV7

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\e6f76734-7da4-4ebb-a5fd-3190d131bf83.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	70464
Entropy (8bit):	6.0714438103024495
Encrypted:	false
SSDEEP:	1536:ZMGQ5XMBGAvQUtqtVpxMG26XTa8qvk/o+5EIx/8a1:ZMrJM8AQ6GPXTa8y45x00
MD5:	24572373BCA53C0BAA2AAD204530CA0D
SHA1:	7DF7D880388531B209F327B47CD0E25121ACDF8E
SHA-256:	F3E7B2A235F6DE7B2AE86446C6080F582F80659346842DD69277AAE28B374ABC
SHA-512:	2DD74750A7AF7C252239D807EEFAB90A77077E150E87A10861C8F1568626607B083166D3803E1A526D2D9DA850E9DA9BDE1CF8FD8C7342654C8287B701D0A605
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"5E25271B8190D943537AD3FDB50874FC133E8B4A00380E2A6A888D63386F728B\"","apps_count_check_time":"13369866299641235","domain_actions_config":"H4sIAAAAAAAAAL1dWZPktpH+KxP9ZDtU6GMujfykHY9txVpHyHIoYh2ODhBEkWiCAAdHVbEc/u+bCVb1dE8RqEqOdh806mbzw8VEXshM/PuKb27vha2luF9LHqKT96KVoru3G+mcquXVN/++4sOgleBBWeOvvvnn4YGs7wcLz8erb65+HMKPMVx9dVXbnisDT4wMa612TNj+6j9fUSA+xFpZPyH/9dVVQig59Wx4L5+Cwzjg799ubt/jJP48zeE9TuHwDjYBc/Ew+Ktvbv/z1ZWoe+rsjB4/7Abr5U+ajz9LXo9Px+21Mk1hoo/oX6HHjTLyKTjYyMJmCbLnO/hZMpjFAjSvxOIhbxgi5FK85m+ZCkuQu7UyKoxLO97yIFoYvbAluiw2oRoYgIQ2nG2AqJY2U+koRXQbbMm3fMsEX9JMK3GLbeAvNjhrlo5GOJiTA/oXLTdG6qXtmMBDiyS59PvY7eCklyb4QcfFi7tpdwu3VBt1XNorvM4+RiU6+CjD0kb+pHz7rRm3rXSyzABnWdKBG+Ijlx7hEE4QTzo+AB6fnDLLJBpo7PKv8Ob367/KjUg8mcY6CmCjTJCmtsWFOcUf5vj04cw0e1yZe2WAl8svFn5IC43jfc+dLnGrEyDwAicHCxNdhlrVa5LEtTgt5u2lAK02pd198r5dr5VYgHj55jUJZGTtlg0NlA7S5AnvB8l7z3olnPV2vfCLsugvBUH7vTVIe9Y151SnmS2Auyvcr5UGYXBvzT2s0L3fKpCZl+2D91MLf04NPNNUni9BZmDP4Sfjk2Ig7ktgg8r8InfhHz//zSP7e8bquWlsDJ411j

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\eb9a9a39-a803-4f11-92e3-30a8e21f97ac.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1371
Entropy (8bit):	5.4973501584113516
Encrypted:	false
SSDEEP:	24:YpQBqDPak7u5rrt4w7T4EkoXWIWapHM6yikpJdXBuBuwBTauYNhpPXIQoTEtCY/g:YuBqDPaf9/4SA4PIgBzBTLqpPdRE5
MD5:	B5E908E123993B04E4ADA6D999A317C4
SHA1:	D48CFF1C101D717C69B81A9709655F852F7BBDF9
SHA-256:	CF33409E37F3E088F42E96EE8B17A100F365495EAF253452FF67158D0BC88CC1
SHA-512:	A8B638A37A11ECC472FEE9F46D1F4B059112EC7B20A07375CF10084CFEBC31AE87B34DEFE92C6EA766EC006F2CDB3D8B4A2804B2BAC6F1752C3A755001A2622E
Malicious:	false
Preview:	{"edge":{"perf_center":{"efficiency_mode_v2_is_active":false,"perf_game_mode":true,"performance_mode":3,"performance_mode_is_on":false}},"legacy":{"profile":{"name":{"migrated":true}}},"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAAA3mo1C2vxPS5cYZvb18j1UEAAAAB4AAABNAGkAYwByAG8AcwBvAGYAdAAgAEUAZABnAGUAAAAQZgAAAAEAACAAAADxaKctnu6p51QbXzcec0yJJHRCERFOewneC7s2Q8cx4wAAAAAOgAAAAAIAACAAAADDQBNAyQ2e/fxXiNJwYS72m7RtJj6wBI1XfE15Cot+7DAAAAD8uFIVc3Ze0Ct/1F6l1WEnAdCApjj70vDAX/o95QolLMbu9d2jUaun9EdAdjkDztxAAAAAntEefTqjnDveTyCvBwLaSV25PAM0umDaPgRkrlkXEs0DDX9ldkwYyhGd+xYytZ+boi+rs7RJ7Ul3DoTV77Vgcw=="},"profile":{"info_cache":{},"profile_counts_reported":"13369866297317036","profiles_order":[]},"smartscreen":{"enabled":true,"pua_protection_enabled":true},"telemetry_client":{"install_source_name":"windows","os_integration_level":5,"updater_version":"1.3.177.11","windows_update_applied":false},"uninstall_metrics":{"installation_date2":"1725392697"},"user_experienc

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\212b58a7-3be0-4b5f-964b-af53f6bf0638.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44455
Entropy (8bit):	6.089773930632628
Encrypted:	false
SSDEEP:	768:+DXzgWPsj/qlGJqIY8GB4kWsdi1zNtPMGkzZ7okEt9r1JDSgzMMd6qD47u3+CioC:+/Ps+wsI7yn81kzItSmd6qE7lFoC
MD5:	18A02250EED9B5D15A00702E74953A49
SHA1:	145C161E41086F69647A395E636E53F4C1C58E1B
SHA-256:	8710EC4B023AA4D2A309ACDEF95922901E1DE241A1F5C48084B54B7E0A12CA50
SHA-512:	AC5AE9DAF27B0ADF3B1EB31D6A1508F41083AEF99E09CBE092243088B881BB32306869C0038999836F6BCEF83523B878FE0A9C1F24E9E476EE616747171E56A8
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","apps_count_check_time":"13340961226065099","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJO

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\4d404ffd-ef64-4ec1-9c38-ec598a6159dc.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44975
Entropy (8bit):	6.095054949626027
Encrypted:	false
SSDEEP:	768:TDXzgWPsj/qlGJqIY8GB4xWPyi1zNt/602oNHGoVA/qKJDSgzMMd6qD47u3+CioC:T/Ps+wsI7yOV02oAEKtSmd6qE7lFoC
MD5:	C1AB3E935B0CF18F3BD570A599E05EA8
SHA1:	B89F2DB80CD842989FFF371A3DDCA12104CA7490
SHA-256:	AD62FEA624C1790BEF0E15EE94E097428BFAA60A57751A0728D28AC25BE898D7
SHA-512:	55D5CD79C1804D938834A9C67A6D016757B506A4D5E1CF3021D80E676C9210F1A37F2F89CCF6D7C1188357C877548B1EA0EE9BA11D7FBB32EE018A6A03448AF0
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","apps_count_check_time":"13369866313586021","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJO

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\5bf131f0-e9e5-4b5c-8545-d1e030bf6db2.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44975
Entropy (8bit):	6.094835020143854
Encrypted:	false
SSDEEP:	768:TDXzgWPsj/qlGJqIY8GB4xWPyi1zNt/602o9PGoKPFGCKJDSgzMMd6qD47u3+CiB:T/Ps+wsI7yOV02oILKtSmd6qE7lFoC
MD5:	7233939E29C0F73CAE2B64E02498F5EE
SHA1:	648E538D5ADCA70AB5281D918F24394467113B7B
SHA-256:	A9852F988AF1BE5ACA9FC30024A82E61AA48ED152ACD8F7C93146FFDE9E7B7E0
SHA-512:	30F23B2F433AFBF52228CC9781669010450C1580232B7A8EF87D144277021996FFB3C0023EE4E78645BC605316404C14C408968EC0D0ECF6464807597A028289
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","apps_count_check_time":"13369866313586021","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJO

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\9341aa30-1856-498b-b365-949d820ff99b.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44975
Entropy (8bit):	6.094855636100407
Encrypted:	false
SSDEEP:	768:TDXzgWPsj/qlGJqIY8GB4xWPyi1zNt/602o95GoKPFGCKJDSgzMMd6qD47u3+CiB:T/Ps+wsI7yOV02o6LKtSmd6qE7lFoC
MD5:	B66883B8D13DED902D8B830EF6EB05CE
SHA1:	699DC059609BFFA989807484432D737370240A45
SHA-256:	5D1883307EB8B3B969C02FC6239A9AFE58A97E4F0D59CF8961977B7CB7B1DF10
SHA-512:	2049656549BE8A145A6CE7863191F47F9E985D099DDE596CDF40E6A5D2DE80B3800E6689AC0AF8F05E7626666C3F7ACB9C01BB6FC217E8F4CFD6E8D340BAF267
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","apps_count_check_time":"13369866313586021","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJO

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\BrowserMetrics\BrowserMetrics-66D76751-1DE4.pma

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	DIY-Thermocam raw data (Lepton 3.x), scale 0-0, spot sensor temperature 0.000000, unit celsius, color scheme 0, calibration: offset 134217728.000000, slope 75015551881388056232440365056.000000
Category:	dropped
Size (bytes):	4194304
Entropy (8bit):	0.12328795957948559
Encrypted:	false
SSDEEP:	768:iagjtTEZH8BU0Es44vADq9h7hsHrTRGO6b/g2BtTbRGO:iagZTEl8lF4Tyh7hsLTRGvztTbRG
MD5:	5349B314BBB3C6115D3302C0ABDC8F7E
SHA1:	69EE9C715A0FD1789882017108CE04D87ED12640
SHA-256:	3A9BBC8ABB7942BEEBC9D6E99F2C80C186031E87465211A5FB80190DEB7FC03D
SHA-512:	9C4B7B75A715CC22981BAEED37B2695FEF3486032525BAA99BABF94D4744D7552E56E95643CEBC0B73B0CAA4D3DE71774E0376CF82AC2C9954238E4839277A54
Malicious:	false
Preview:	...@..@...@.....C.].....@...................................`... ...i.y.........BrowserMetrics......i.y..Yd. .......A...................v.0.....UV&K.k<................UV&K.k<................UMA.PersistentHistograms.InitResult.....8...i.y.[".................................................i.y.Pq.30...............117.0.2045.55-64..".en-GB...Windows NT..10.0.190452l..x86_64..?........".sjqdfg20,1(.0..8..B.......2.:.M..BU..Be...?j...GenuineIntel... .. ..........x86_64...J....k..^o..J..l.zL.^o..J....\.^o..J.....f.^o..J....?.^o..P.Z...b.INBXj....... .8.@....................................w..U].0r........>.........."....."...24.."."+jDg7C0j+BlQ1Nj+QPG7Safjq+2ZvoQsMhxZL1Gpc+U=".:............B)..1.3.177.11.. .*.RegKeyNotFound2.windowsR...Z...Nb.X9.I@..$...SF@.......Y@.......4@.......Y@........?........?.........................Y@.......Y@.......Y@.......Y@.......Y@.......Y@.......Y@.......4@.......Y@................Y@.......Y@.......Y@........?........?2........V...... .2.......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	280
Entropy (8bit):	4.0984945491284295
Encrypted:	false
SSDEEP:	3:FiWWltlcUpPmPIijS3XbnbO6YBVP/Sh/JzvbYuDRBOc7cEJHCll:o1cUh4Y3LbO/BVsJDbYuDRBOycd
MD5:	AFAC5E4CC1213807ACB7D1A0F61BCF99
SHA1:	FEDCA0A829A0DBCCD1E9D7048398372FF9604783
SHA-256:	FF48F538CBF3D665C9B115D6F3F6459E0CD7D9DF368E921E5A4BF2CA88E3C55F
SHA-512:	44F1A7E8C8DD1D5CE625AE26ED4074900A979ACD34BAFB3D3B354145690D37D34E07F2D0D9DEE81BE80EAFA9E3973AB11AD6E85EB23A804958584D8DB4902D66
Malicious:	false
Preview:	sdPC.....................cT..\.E.....P."+jDg7C0j+BlQ1Nj+QPG7Safjq+2ZvoQsMhxZL1Gpc+U="..................................................................................47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=....................7aa5fc64-f4df-45d8-92ed-89470ca1c2d2............

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\0add6b7e-2054-4028-8a63-e60c606f6adc.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:L:L
MD5:	5058F1AF8388633F609CADB75A75DC9D
SHA1:	3A52CE780950D4D969792A2559CD519D7EE8C727
SHA-256:	CDB4EE2AEA69CC6A83331BBE96DC2CAA9A299D21329EFB0336FC02A82E1839A8
SHA-512:	0B61241D7C17BCBB1BAEE7094D14B7C451EFECC7FFCBD92598A0F13D313CC9EBC2A07E61F007BAF58FBF94FF9A8695BDD5CAE7CE03BBF1E94E93613A00F25F21
Malicious:	false
Preview:	.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\2a55a5ce-6929-4bfe-95b1-f85bcd4e318a.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:L:L
MD5:	5058F1AF8388633F609CADB75A75DC9D
SHA1:	3A52CE780950D4D969792A2559CD519D7EE8C727
SHA-256:	CDB4EE2AEA69CC6A83331BBE96DC2CAA9A299D21329EFB0336FC02A82E1839A8
SHA-512:	0B61241D7C17BCBB1BAEE7094D14B7C451EFECC7FFCBD92598A0F13D313CC9EBC2A07E61F007BAF58FBF94FF9A8695BDD5CAE7CE03BBF1E94E93613A00F25F21
Malicious:	false
Preview:	.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\91a50dbb-f3f7-4e6c-bece-34a254890b09.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7818
Entropy (8bit):	5.085952856555038
Encrypted:	false
SSDEEP:	96:stFqKks1jbDkNewfiwXnMwjTrEm8zrsY5eh6Cb7/x+6MhmuecmAeZnDU1CML/EJ:stFkss6wFvrEmkrsY8bV+FiAiU1bLMJ
MD5:	4CEB75F00F62D93CACE464CE51DC6FE8
SHA1:	91941FEEFA111A8B785230C05202B2E575635235
SHA-256:	92B67A819C8FABC8EBA516736B3A8021E887B384909F8E2210C567D8CCA8A93A
SHA-512:	E6BD4F564E4296C47890ADDD7AB57C3C77C22EB7B57BF8F1E0743EC208DC9D9F389E58514535420023AC7B98D97BD33BC153D986581DD3989700681C61F9639E
Malicious:	false
Preview:	{"aadc_info":{"age_group":0},"account_tracker_service_last_update":"13369866313498591","alternate_error_pages":{"backup":true},"apps":{"shortcuts_arch":"","shortcuts_version":0},"arbitration_experiences":{},"arbitration_local_nsat_reset_time":"13340961151815957","arbitration_using_experiment_config":false,"browser":{"available_dark_theme_options":"All","has_seen_welcome_page":false},"continuous_migration":{"ci_correction_for_holdout_treatment_state":1},"countryid_at_install":17224,"custom_links":{"list":[]},"default_apps_install_state":3,"domain_diversity":{"last_reporting_timestamp":"13369866313494289"},"dual_user":{"consumer_mode":{"ie_user":false},"consumer_site_list_with_ie_entries":false,"consumer_sitelist_location":"","consumer_sitelist_version":"","external_consumer_shared_cookie_data":{},"shared_cookie_data":{},"sitelist_data_2":{},"sitelist_has_consumer_data":false,"sitelist_has_enterprise_data":false,"sitelist_location":"","sitelist_source":0,"sitelist_version":""},"edge":{

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\9b7e8dbd-dc03-4405-9619-8d293085a819.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:L:L
MD5:	5058F1AF8388633F609CADB75A75DC9D
SHA1:	3A52CE780950D4D969792A2559CD519D7EE8C727
SHA-256:	CDB4EE2AEA69CC6A83331BBE96DC2CAA9A299D21329EFB0336FC02A82E1839A8
SHA-512:	0B61241D7C17BCBB1BAEE7094D14B7C451EFECC7FFCBD92598A0F13D313CC9EBC2A07E61F007BAF58FBF94FF9A8695BDD5CAE7CE03BBF1E94E93613A00F25F21
Malicious:	false
Preview:	.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeCoupons\coupons_data.db\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	349
Entropy (8bit):	5.215356028929554
Encrypted:	false
SSDEEP:	6:PP2cMq2PN723oH+TcwtnG2tMsIFUt82P2wGZmw+2P2w6kwON723oH+TcwtnG2tM2:PPAvVaYebn9GFUt82PxG/+2Px65OaYeV
MD5:	F133D24D075F811105165D5FE234F6B7
SHA1:	06365D499DC6392754060008CFF5D9AF34070512
SHA-256:	06EEDD8BBF1D32DFAA5D7B5BFAF2C780D7201B92E3008062232FAE7DD8D66559
SHA-512:	B746486F474BB842F975632E486C0E3E473BE2CC94DA1EF33D0FB57D10E64AD89270FC17F1239E45EEB901B0DB25767A359AB9C39460665124D0CED51937B383
Malicious:	false
Preview:	2024/09/03-15:45:21.842 3b4 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeCoupons/coupons_data.db/MANIFEST-000001.2024/09/03-15:45:21.843 3b4 Recovering log #3.2024/09/03-15:45:21.843 3b4 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeCoupons/coupons_data.db/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeCoupons\coupons_data.db\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	349
Entropy (8bit):	5.215356028929554
Encrypted:	false
SSDEEP:	6:PP2cMq2PN723oH+TcwtnG2tMsIFUt82P2wGZmw+2P2w6kwON723oH+TcwtnG2tM2:PPAvVaYebn9GFUt82PxG/+2Px65OaYeV
MD5:	F133D24D075F811105165D5FE234F6B7
SHA1:	06365D499DC6392754060008CFF5D9AF34070512
SHA-256:	06EEDD8BBF1D32DFAA5D7B5BFAF2C780D7201B92E3008062232FAE7DD8D66559
SHA-512:	B746486F474BB842F975632E486C0E3E473BE2CC94DA1EF33D0FB57D10E64AD89270FC17F1239E45EEB901B0DB25767A359AB9C39460665124D0CED51937B383
Malicious:	false
Preview:	2024/09/03-15:45:21.842 3b4 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeCoupons/coupons_data.db/MANIFEST-000001.2024/09/03-15:45:21.843 3b4 Recovering log #3.2024/09/03-15:45:21.843 3b4 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeCoupons/coupons_data.db/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeCoupons\coupons_data.db\LOG.old~RF3955b.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	349
Entropy (8bit):	5.215356028929554
Encrypted:	false
SSDEEP:	6:PP2cMq2PN723oH+TcwtnG2tMsIFUt82P2wGZmw+2P2w6kwON723oH+TcwtnG2tM2:PPAvVaYebn9GFUt82PxG/+2Px65OaYeV
MD5:	F133D24D075F811105165D5FE234F6B7
SHA1:	06365D499DC6392754060008CFF5D9AF34070512
SHA-256:	06EEDD8BBF1D32DFAA5D7B5BFAF2C780D7201B92E3008062232FAE7DD8D66559
SHA-512:	B746486F474BB842F975632E486C0E3E473BE2CC94DA1EF33D0FB57D10E64AD89270FC17F1239E45EEB901B0DB25767A359AB9C39460665124D0CED51937B383
Malicious:	false
Preview:	2024/09/03-15:45:21.842 3b4 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeCoupons/coupons_data.db/MANIFEST-000001.2024/09/03-15:45:21.843 3b4 Recovering log #3.2024/09/03-15:45:21.843 3b4 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeCoupons/coupons_data.db/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Rules\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	380
Entropy (8bit):	1.8784775129881184
Encrypted:	false
SSDEEP:	6:qTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCT:qWWWWWWWWWWWWWWWWWWW
MD5:	9FE07A071FDA31327FA322B32FCA0B7E
SHA1:	A3E0BAE8853A163C9BB55F68616C795AAAF462E8
SHA-256:	E02333C0359406998E3FED40B69B61C9D28B2117CF9E6C0239E2E13EC13BA7C8
SHA-512:	9CCE621CD5B7CFBD899ABCBDD71235776FF9FF7DEA19C67F86E7F0603F7B09CA294CC16B672B742FA9B51387B2F0A501C3446872980BCA69ADE13F2B5677601D
Malicious:	false
Preview:	.f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5...............

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Rules\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	328
Entropy (8bit):	5.187770573737897
Encrypted:	false
SSDEEP:	6:PPHiaGK39+q2PN723oH+Tcwt8aPrqIFUt82PHikNJZmw+2PHikN9VkwON723oH+o:PPHinK34vVaYebL3FUt82PHikNJ/+2PI
MD5:	77EC504737E06E1D2B4BD98E90FBA712
SHA1:	8232FC300BC1774EBB5AAC33C4C09291224AB99B
SHA-256:	912D73D44184287401FF0B9249EEB320B590B6D7439B33AB528979B0D73CFA7A
SHA-512:	798E204101258A967BF45CC69C3713747F6AD0164DA32FF4434F583FD5332317CF8B4F14AF2B3A4597C5BC9E817FF8B8CA4A4493FFFF3B4B96596A3796441A62
Malicious:	false
Preview:	2024/09/03-15:45:13.389 2378 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Rules/MANIFEST-000001.2024/09/03-15:45:13.390 2378 Recovering log #3.2024/09/03-15:45:13.390 2378 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Rules/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Rules\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	328
Entropy (8bit):	5.187770573737897
Encrypted:	false
SSDEEP:	6:PPHiaGK39+q2PN723oH+Tcwt8aPrqIFUt82PHikNJZmw+2PHikN9VkwON723oH+o:PPHinK34vVaYebL3FUt82PHikNJ/+2PI
MD5:	77EC504737E06E1D2B4BD98E90FBA712
SHA1:	8232FC300BC1774EBB5AAC33C4C09291224AB99B
SHA-256:	912D73D44184287401FF0B9249EEB320B590B6D7439B33AB528979B0D73CFA7A
SHA-512:	798E204101258A967BF45CC69C3713747F6AD0164DA32FF4434F583FD5332317CF8B4F14AF2B3A4597C5BC9E817FF8B8CA4A4493FFFF3B4B96596A3796441A62
Malicious:	false
Preview:	2024/09/03-15:45:13.389 2378 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Rules/MANIFEST-000001.2024/09/03-15:45:13.390 2378 Recovering log #3.2024/09/03-15:45:13.390 2378 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Rules/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Scripts\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	380
Entropy (8bit):	1.8784775129881184
Encrypted:	false
SSDEEP:	6:qTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCT:qWWWWWWWWWWWWWWWWWWW
MD5:	9FE07A071FDA31327FA322B32FCA0B7E
SHA1:	A3E0BAE8853A163C9BB55F68616C795AAAF462E8
SHA-256:	E02333C0359406998E3FED40B69B61C9D28B2117CF9E6C0239E2E13EC13BA7C8
SHA-512:	9CCE621CD5B7CFBD899ABCBDD71235776FF9FF7DEA19C67F86E7F0603F7B09CA294CC16B672B742FA9B51387B2F0A501C3446872980BCA69ADE13F2B5677601D
Malicious:	false
Preview:	.f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5...............

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Scripts\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	332
Entropy (8bit):	5.198673859979465
Encrypted:	false
SSDEEP:	6:PPHiE99+q2PN723oH+Tcwt865IFUt82PHiE9JZmw+2PHiE99VkwON723oH+TcwtD:PPHiE94vVaYeb/WFUt82PHiE9J/+2PHR
MD5:	4AB0C588791562E01D57DB3978352F5C
SHA1:	146200DFDFF08A176C2F3282AF667439E1E44D67
SHA-256:	B7EB61A7983BF728E3F4393FE4C902AB37273798B96BFB7F435D4C334D29F5FB
SHA-512:	3CDD3A1C9E8CCDB8EB4B3CB9932A6F90E7E827901836A4D7906BAE47AD9DA94EC817663CD0A4AB5810CD5A7E3ABDA9AE4E0073E50E03BECE1CD8DAFB228200BC
Malicious:	false
Preview:	2024/09/03-15:45:13.392 2378 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Scripts/MANIFEST-000001.2024/09/03-15:45:13.392 2378 Recovering log #3.2024/09/03-15:45:13.392 2378 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Scripts/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Scripts\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	332
Entropy (8bit):	5.198673859979465
Encrypted:	false
SSDEEP:	6:PPHiE99+q2PN723oH+Tcwt865IFUt82PHiE9JZmw+2PHiE99VkwON723oH+TcwtD:PPHiE94vVaYeb/WFUt82PHiE9J/+2PHR
MD5:	4AB0C588791562E01D57DB3978352F5C
SHA1:	146200DFDFF08A176C2F3282AF667439E1E44D67
SHA-256:	B7EB61A7983BF728E3F4393FE4C902AB37273798B96BFB7F435D4C334D29F5FB
SHA-512:	3CDD3A1C9E8CCDB8EB4B3CB9932A6F90E7E827901836A4D7906BAE47AD9DA94EC817663CD0A4AB5810CD5A7E3ABDA9AE4E0073E50E03BECE1CD8DAFB228200BC
Malicious:	false
Preview:	2024/09/03-15:45:13.392 2378 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Scripts/MANIFEST-000001.2024/09/03-15:45:13.392 2378 Recovering log #3.2024/09/03-15:45:13.392 2378 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Scripts/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	1140
Entropy (8bit):	1.8784775129881184
Encrypted:	false
SSDEEP:	12:qWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWW:
MD5:	914FD8DC5F9A741C6947E1AB12A9D113
SHA1:	6529EFE14E7B0BEA47D78B147243096408CDAAE4
SHA-256:	8BE3C96EE64B5D2768057EA1C4D1A70F40A0041585F3173806E2278E9300960B
SHA-512:	2862BF83C061414EFA2AC035FFC25BA9C4ED523B430FDEEED4974F55D4450A62766C2E799D0ACDB8269210078547048ACAABFD78EDE6AB91133E30F6B5EBFFBD
Malicious:	false
Preview:	.f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5........

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	328
Entropy (8bit):	5.155510713373795
Encrypted:	false
SSDEEP:	6:PPyVq2PN723oH+Tcwt8NIFUt82Ps1SgZmw+2Ps1SIkwON723oH+Tcwt8+eLJ:PPuvVaYebpFUt82PsB/+2Psb5OaYebqJ
MD5:	4DBFF9A614FD52B3ADD5B5F790DB7A96
SHA1:	D906E31A4EE65C6E2A932EFCDB5F4C654449E1EA
SHA-256:	E03D0F5036379642F9365BE5D5A7A5AA09564CFC186D11FD03E89AFD3A335A0C
SHA-512:	7046E4F15868959925E308D9889943DEB8BC0C84D75F524AFB9090D0D4B1594633316C754D4DDA2BA24C2F778F6661FCDEDF21023CCC275E2260A3AC979972D5
Malicious:	false
Preview:	2024/09/03-15:45:21.740 2280 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension State/MANIFEST-000001.2024/09/03-15:45:21.741 2280 Recovering log #3.2024/09/03-15:45:21.741 2280 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension State/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	328
Entropy (8bit):	5.155510713373795
Encrypted:	false
SSDEEP:	6:PPyVq2PN723oH+Tcwt8NIFUt82Ps1SgZmw+2Ps1SIkwON723oH+Tcwt8+eLJ:PPuvVaYebpFUt82PsB/+2Psb5OaYebqJ
MD5:	4DBFF9A614FD52B3ADD5B5F790DB7A96
SHA1:	D906E31A4EE65C6E2A932EFCDB5F4C654449E1EA
SHA-256:	E03D0F5036379642F9365BE5D5A7A5AA09564CFC186D11FD03E89AFD3A335A0C
SHA-512:	7046E4F15868959925E308D9889943DEB8BC0C84D75F524AFB9090D0D4B1594633316C754D4DDA2BA24C2F778F6661FCDEDF21023CCC275E2260A3AC979972D5
Malicious:	false
Preview:	2024/09/03-15:45:21.740 2280 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension State/MANIFEST-000001.2024/09/03-15:45:21.741 2280 Recovering log #3.2024/09/03-15:45:21.741 2280 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension State/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\LOG.old~RF3957b.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	328
Entropy (8bit):	5.155510713373795
Encrypted:	false
SSDEEP:	6:PPyVq2PN723oH+Tcwt8NIFUt82Ps1SgZmw+2Ps1SIkwON723oH+Tcwt8+eLJ:PPuvVaYebpFUt82PsB/+2Psb5OaYebqJ
MD5:	4DBFF9A614FD52B3ADD5B5F790DB7A96
SHA1:	D906E31A4EE65C6E2A932EFCDB5F4C654449E1EA
SHA-256:	E03D0F5036379642F9365BE5D5A7A5AA09564CFC186D11FD03E89AFD3A335A0C
SHA-512:	7046E4F15868959925E308D9889943DEB8BC0C84D75F524AFB9090D0D4B1594633316C754D4DDA2BA24C2F778F6661FCDEDF21023CCC275E2260A3AC979972D5
Malicious:	false
Preview:	2024/09/03-15:45:21.740 2280 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension State/MANIFEST-000001.2024/09/03-15:45:21.741 2280 Recovering log #3.2024/09/03-15:45:21.741 2280 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension State/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\830ef6ac-8b40-4491-b5d7-42195919bab6.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	61
Entropy (8bit):	3.926136109079379
Encrypted:	false
SSDEEP:	3:YLb9N+eAXRfHDH2LSL:YHpoeSL
MD5:	4DF4574BFBB7E0B0BC56C2C9B12B6C47
SHA1:	81EFCBD3E3DA8221444A21F45305AF6FA4B71907
SHA-256:	E1B77550222C2451772C958E44026ABE518A2C8766862F331765788DDD196377
SHA-512:	78B14F60F2D80400FE50360CF303A961685396B7697775D078825A29B717081442D357C2039AD0984D4B622976B0314EDE8F478CDE320DAEC118DA546CB0682A
Malicious:	false
Preview:	{"net":{"http_server_properties":{"servers":[],"version":5}}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\f02a0fc0-faee-4161-a8d6-64aca9dec021.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	61
Entropy (8bit):	3.926136109079379
Encrypted:	false
SSDEEP:	3:YLb9N+eAXRfHDH2LSL:YHpoeSL
MD5:	4DF4574BFBB7E0B0BC56C2C9B12B6C47
SHA1:	81EFCBD3E3DA8221444A21F45305AF6FA4B71907
SHA-256:	E1B77550222C2451772C958E44026ABE518A2C8766862F331765788DDD196377
SHA-512:	78B14F60F2D80400FE50360CF303A961685396B7697775D078825A29B717081442D357C2039AD0984D4B622976B0314EDE8F478CDE320DAEC118DA546CB0682A
Malicious:	false
Preview:	{"net":{"http_server_properties":{"servers":[],"version":5}}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Preferences (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7818
Entropy (8bit):	5.085952856555038
Encrypted:	false
SSDEEP:	96:stFqKks1jbDkNewfiwXnMwjTrEm8zrsY5eh6Cb7/x+6MhmuecmAeZnDU1CML/EJ:stFkss6wFvrEmkrsY8bV+FiAiU1bLMJ
MD5:	4CEB75F00F62D93CACE464CE51DC6FE8
SHA1:	91941FEEFA111A8B785230C05202B2E575635235
SHA-256:	92B67A819C8FABC8EBA516736B3A8021E887B384909F8E2210C567D8CCA8A93A
SHA-512:	E6BD4F564E4296C47890ADDD7AB57C3C77C22EB7B57BF8F1E0743EC208DC9D9F389E58514535420023AC7B98D97BD33BC153D986581DD3989700681C61F9639E
Malicious:	false
Preview:	{"aadc_info":{"age_group":0},"account_tracker_service_last_update":"13369866313498591","alternate_error_pages":{"backup":true},"apps":{"shortcuts_arch":"","shortcuts_version":0},"arbitration_experiences":{},"arbitration_local_nsat_reset_time":"13340961151815957","arbitration_using_experiment_config":false,"browser":{"available_dark_theme_options":"All","has_seen_welcome_page":false},"continuous_migration":{"ci_correction_for_holdout_treatment_state":1},"countryid_at_install":17224,"custom_links":{"list":[]},"default_apps_install_state":3,"domain_diversity":{"last_reporting_timestamp":"13369866313494289"},"dual_user":{"consumer_mode":{"ie_user":false},"consumer_site_list_with_ie_entries":false,"consumer_sitelist_location":"","consumer_sitelist_version":"","external_consumer_shared_cookie_data":{},"shared_cookie_data":{},"sitelist_data_2":{},"sitelist_has_consumer_data":false,"sitelist_has_enterprise_data":false,"sitelist_location":"","sitelist_source":0,"sitelist_version":""},"edge":{

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Preferences~RF395f8.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7818
Entropy (8bit):	5.085952856555038
Encrypted:	false
SSDEEP:	96:stFqKks1jbDkNewfiwXnMwjTrEm8zrsY5eh6Cb7/x+6MhmuecmAeZnDU1CML/EJ:stFkss6wFvrEmkrsY8bV+FiAiU1bLMJ
MD5:	4CEB75F00F62D93CACE464CE51DC6FE8
SHA1:	91941FEEFA111A8B785230C05202B2E575635235
SHA-256:	92B67A819C8FABC8EBA516736B3A8021E887B384909F8E2210C567D8CCA8A93A
SHA-512:	E6BD4F564E4296C47890ADDD7AB57C3C77C22EB7B57BF8F1E0743EC208DC9D9F389E58514535420023AC7B98D97BD33BC153D986581DD3989700681C61F9639E
Malicious:	false
Preview:	{"aadc_info":{"age_group":0},"account_tracker_service_last_update":"13369866313498591","alternate_error_pages":{"backup":true},"apps":{"shortcuts_arch":"","shortcuts_version":0},"arbitration_experiences":{},"arbitration_local_nsat_reset_time":"13340961151815957","arbitration_using_experiment_config":false,"browser":{"available_dark_theme_options":"All","has_seen_welcome_page":false},"continuous_migration":{"ci_correction_for_holdout_treatment_state":1},"countryid_at_install":17224,"custom_links":{"list":[]},"default_apps_install_state":3,"domain_diversity":{"last_reporting_timestamp":"13369866313494289"},"dual_user":{"consumer_mode":{"ie_user":false},"consumer_site_list_with_ie_entries":false,"consumer_sitelist_location":"","consumer_sitelist_version":"","external_consumer_shared_cookie_data":{},"shared_cookie_data":{},"sitelist_data_2":{},"sitelist_has_consumer_data":false,"sitelist_has_enterprise_data":false,"sitelist_location":"","sitelist_source":0,"sitelist_version":""},"edge":{

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24691
Entropy (8bit):	5.568465921936851
Encrypted:	false
SSDEEP:	768:Pjb/cjWJwW5w4rf4cj8F1+UoAYDCx9Tuqh0VfUC9xbog/OVPmOI6nXfrwX70pDtL:PnUjywWa4rfFju1ja/OXsMtL
MD5:	13E841CD615D28A0D4EE332CF662AAD9
SHA1:	01A20EF0F0D28445BA43E1570056C941C2DF3E87
SHA-256:	809CD4AFA8A0A4973600B9E4833EB91856C80A378E0F3CB8ADB3E726B48630E7
SHA-512:	D6F73EB1C3091CD8F770BDAF5D76D0AE0C97E9EC0D3A3ACD14FB286CA1CF4EE778ED791486FAB9953831DC6FC97B4C146300E5A52261D910E7CAFD69B62F3693
Malicious:	false
Preview:	{"edge_fundamentals_appdefaults":{"ess_lightweight_version":101},"ess_kv_states":{"restore_on_startup":{"closed_notification":false,"decrypt_success":true,"key":"restore_on_startup","notification_popup_count":0},"startup_urls":{"closed_notification":false,"decrypt_success":true,"key":"startup_urls","notification_popup_count":0},"template_url_data":{"closed_notification":false,"decrypt_success":true,"key":"template_url_data","notification_popup_count":0}},"extensions":{"settings":{"ahfgeienlihckogmohjhadlkjgocpleb":{"active_permissions":{"api":["management","system.display","system.storage","webstorePrivate","system.cpu","system.memory","system.network"],"explicit_host":[],"manifest_permissions":[],"scriptable_host":[]},"app_launcher_ordinal":"t","commands":{},"content_settings":[],"creation_flags":1,"events":[],"first_install_time":"13369866313287378","from_webstore":false,"incognito_content_settings":[],"incognito_preferences":{},"last_update_time":"13369866313287378","location":5,"ma

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	356
Entropy (8bit):	5.152137907516895
Encrypted:	false
SSDEEP:	6:PPHYXWP1L+q2PN723oH+Tcwt7Uh2ghZIFUt82PHdj1Zmw+2PHd1LVkwON723oH+Q:PPHvL+vVaYebIhHh2FUt82PHn/+2PHTE
MD5:	6EA28D4D89E0C70645E5262D4E61DE44
SHA1:	7C4643201676EAC591E3DDEE9FCFE622CF378806
SHA-256:	0AC5B84C4F3A5E44BDD3C4654DAFEC14063F23D72BB934D149CBD63E848D260E
SHA-512:	1CA7D9154BFA7BA656E703EDC7D430BD2E6855CA54CCC0CBC202546441F8FA0501D1C17E52C5ACC51B0BBC18ECFB9F8E9CE7C731196AC9BE1181C42F263B1224
Malicious:	false
Preview:	2024/09/03-15:45:13.470 237c Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database/MANIFEST-000001.2024/09/03-15:45:13.610 237c Recovering log #3.2024/09/03-15:45:13.610 237c Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	356
Entropy (8bit):	5.152137907516895
Encrypted:	false
SSDEEP:	6:PPHYXWP1L+q2PN723oH+Tcwt7Uh2ghZIFUt82PHdj1Zmw+2PHd1LVkwON723oH+Q:PPHvL+vVaYebIhHh2FUt82PHn/+2PHTE
MD5:	6EA28D4D89E0C70645E5262D4E61DE44
SHA1:	7C4643201676EAC591E3DDEE9FCFE622CF378806
SHA-256:	0AC5B84C4F3A5E44BDD3C4654DAFEC14063F23D72BB934D149CBD63E848D260E
SHA-512:	1CA7D9154BFA7BA656E703EDC7D430BD2E6855CA54CCC0CBC202546441F8FA0501D1C17E52C5ACC51B0BBC18ECFB9F8E9CE7C731196AC9BE1181C42F263B1224
Malicious:	false
Preview:	2024/09/03-15:45:13.470 237c Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database/MANIFEST-000001.2024/09/03-15:45:13.610 237c Recovering log #3.2024/09/03-15:45:13.610 237c Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG.old~RF3955b.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	356
Entropy (8bit):	5.152137907516895
Encrypted:	false
SSDEEP:	6:PPHYXWP1L+q2PN723oH+Tcwt7Uh2ghZIFUt82PHdj1Zmw+2PHd1LVkwON723oH+Q:PPHvL+vVaYebIhHh2FUt82PHn/+2PHTE
MD5:	6EA28D4D89E0C70645E5262D4E61DE44
SHA1:	7C4643201676EAC591E3DDEE9FCFE622CF378806
SHA-256:	0AC5B84C4F3A5E44BDD3C4654DAFEC14063F23D72BB934D149CBD63E848D260E
SHA-512:	1CA7D9154BFA7BA656E703EDC7D430BD2E6855CA54CCC0CBC202546441F8FA0501D1C17E52C5ACC51B0BBC18ECFB9F8E9CE7C731196AC9BE1181C42F263B1224
Malicious:	false
Preview:	2024/09/03-15:45:13.470 237c Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database/MANIFEST-000001.2024/09/03-15:45:13.610 237c Recovering log #3.2024/09/03-15:45:13.610 237c Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	332
Entropy (8bit):	5.203910604595705
Encrypted:	false
SSDEEP:	6:PP4gq2PN723oH+TcwtpIFUt82P4NZZmw+2P4NzkwON723oH+Tcwta/WLJ:PP4gvVaYebmFUt82P4NZ/+2P4Nz5OaYM
MD5:	B224F5F1DD5C5B6C1095835946959035
SHA1:	0F47C2036F2AAE9B3BFF2D50E54C6A74A8F25A6E
SHA-256:	8DA630F1CFF49F6F815DBDDFBCF517EB6CE3D5F45D45CF0D7A437D8E5B0BB85D
SHA-512:	6411F20504003C8637F84D2DD49F763911B372BF7F63FAEDF7D5AAAE4F3F6D1002A91B2F79722AC4C386384DFE4ECFFBE5CB65FFBB2BD88316267A00F4AABDFF
Malicious:	false
Preview:	2024/09/03-15:45:21.627 21d0 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB/MANIFEST-000001.2024/09/03-15:45:21.629 21d0 Recovering log #3.2024/09/03-15:45:21.629 21d0 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	332
Entropy (8bit):	5.203910604595705
Encrypted:	false
SSDEEP:	6:PP4gq2PN723oH+TcwtpIFUt82P4NZZmw+2P4NzkwON723oH+Tcwta/WLJ:PP4gvVaYebmFUt82P4NZ/+2P4Nz5OaYM
MD5:	B224F5F1DD5C5B6C1095835946959035
SHA1:	0F47C2036F2AAE9B3BFF2D50E54C6A74A8F25A6E
SHA-256:	8DA630F1CFF49F6F815DBDDFBCF517EB6CE3D5F45D45CF0D7A437D8E5B0BB85D
SHA-512:	6411F20504003C8637F84D2DD49F763911B372BF7F63FAEDF7D5AAAE4F3F6D1002A91B2F79722AC4C386384DFE4ECFFBE5CB65FFBB2BD88316267A00F4AABDFF
Malicious:	false
Preview:	2024/09/03-15:45:21.627 21d0 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB/MANIFEST-000001.2024/09/03-15:45:21.629 21d0 Recovering log #3.2024/09/03-15:45:21.629 21d0 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG.old~RF394fe.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	332
Entropy (8bit):	5.203910604595705
Encrypted:	false
SSDEEP:	6:PP4gq2PN723oH+TcwtpIFUt82P4NZZmw+2P4NzkwON723oH+Tcwta/WLJ:PP4gvVaYebmFUt82P4NZ/+2P4Nz5OaYM
MD5:	B224F5F1DD5C5B6C1095835946959035
SHA1:	0F47C2036F2AAE9B3BFF2D50E54C6A74A8F25A6E
SHA-256:	8DA630F1CFF49F6F815DBDDFBCF517EB6CE3D5F45D45CF0D7A437D8E5B0BB85D
SHA-512:	6411F20504003C8637F84D2DD49F763911B372BF7F63FAEDF7D5AAAE4F3F6D1002A91B2F79722AC4C386384DFE4ECFFBE5CB65FFBB2BD88316267A00F4AABDFF
Malicious:	false
Preview:	2024/09/03-15:45:21.627 21d0 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB/MANIFEST-000001.2024/09/03-15:45:21.629 21d0 Recovering log #3.2024/09/03-15:45:21.629 21d0 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Web Data

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 10, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 10
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.1248842763741618
Encrypted:	false
SSDEEP:	384:A2qOB1nxCk1SA1LyKOMq+8iP5GDHP/0j:dq+n0K91LyKOMq+8iP5GLP/0
MD5:	148980E16E26CCF06DFB0B0F3314EAD2
SHA1:	AF7F267D0273C6BC9B808A4317AA59FD7403E791
SHA-256:	3DC2DC0EA589FBBCDC441CDD06B80FDA50B8720C232A97097AA39E09EE052B15
SHA-512:	F5163E023FD136D484B87E1D5A7191403D2EB3B9602AC20FA5EE42F40277E021EAEA85382453F20B66E9BF99185B7A505835CAAB7E1498FDAB964D560EA6795C
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........7......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\b33563b6-6993-45eb-8e2f-12f4a989e879.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7999
Entropy (8bit):	5.08609447473036
Encrypted:	false
SSDEEP:	96:stFqKks1jbDkNewfiwXnMwjTrEm8zrsY5eh6Cb7/x+6MhmuecmAeZnDUmbCML/EJ:stFkss6wFvrEmkrsY8bV+FiAiUWbLMJ
MD5:	3E5D3F02C77FCDC0020F75832C13A390
SHA1:	651242EB78E033D6AAB6A5CE0270EBF05A5960B4
SHA-256:	56C5BDFFA362165418704BA1FF46C18C4EC7ECCCE2EF44A166F194789A0C5899
SHA-512:	FBDFF59E8D8FA8D8A72E59FF304906C436FF727B603212BC447679CE11386063B399EDB2254689C35FE7F8BE59608ABCFF3E06D0218DEAFFD1B0A02C5BF11E91
Malicious:	false
Preview:	{"aadc_info":{"age_group":0},"account_tracker_service_last_update":"13369866313498591","alternate_error_pages":{"backup":true},"apps":{"shortcuts_arch":"","shortcuts_version":0},"arbitration_experiences":{},"arbitration_local_nsat_reset_time":"13340961151815957","arbitration_using_experiment_config":false,"browser":{"available_dark_theme_options":"All","has_seen_welcome_page":false},"continuous_migration":{"ci_correction_for_holdout_treatment_state":1},"countryid_at_install":17224,"custom_links":{"list":[]},"default_apps_install_state":3,"domain_diversity":{"last_reporting_timestamp":"13369866313494289"},"dual_user":{"consumer_mode":{"ie_user":false},"consumer_site_list_with_ie_entries":false,"consumer_sitelist_location":"","consumer_sitelist_version":"","external_consumer_shared_cookie_data":{},"shared_cookie_data":{},"sitelist_data_2":{},"sitelist_has_consumer_data":false,"sitelist_has_enterprise_data":false,"sitelist_location":"","sitelist_source":0,"sitelist_version":""},"edge":{

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\ba1788ab-f82a-4de2-bf08-d9f797e36274.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:L:L
MD5:	5058F1AF8388633F609CADB75A75DC9D
SHA1:	3A52CE780950D4D969792A2559CD519D7EE8C727
SHA-256:	CDB4EE2AEA69CC6A83331BBE96DC2CAA9A299D21329EFB0336FC02A82E1839A8
SHA-512:	0B61241D7C17BCBB1BAEE7094D14B7C451EFECC7FFCBD92598A0F13D313CC9EBC2A07E61F007BAF58FBF94FF9A8695BDD5CAE7CE03BBF1E94E93613A00F25F21
Malicious:	false
Preview:	.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\c35c3206-21c7-4c1c-9e71-53ca59a4e129.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24691
Entropy (8bit):	5.568465921936851
Encrypted:	false
SSDEEP:	768:Pjb/cjWJwW5w4rf4cj8F1+UoAYDCx9Tuqh0VfUC9xbog/OVPmOI6nXfrwX70pDtL:PnUjywWa4rfFju1ja/OXsMtL
MD5:	13E841CD615D28A0D4EE332CF662AAD9
SHA1:	01A20EF0F0D28445BA43E1570056C941C2DF3E87
SHA-256:	809CD4AFA8A0A4973600B9E4833EB91856C80A378E0F3CB8ADB3E726B48630E7
SHA-512:	D6F73EB1C3091CD8F770BDAF5D76D0AE0C97E9EC0D3A3ACD14FB286CA1CF4EE778ED791486FAB9953831DC6FC97B4C146300E5A52261D910E7CAFD69B62F3693
Malicious:	false
Preview:	{"edge_fundamentals_appdefaults":{"ess_lightweight_version":101},"ess_kv_states":{"restore_on_startup":{"closed_notification":false,"decrypt_success":true,"key":"restore_on_startup","notification_popup_count":0},"startup_urls":{"closed_notification":false,"decrypt_success":true,"key":"startup_urls","notification_popup_count":0},"template_url_data":{"closed_notification":false,"decrypt_success":true,"key":"template_url_data","notification_popup_count":0}},"extensions":{"settings":{"ahfgeienlihckogmohjhadlkjgocpleb":{"active_permissions":{"api":["management","system.display","system.storage","webstorePrivate","system.cpu","system.memory","system.network"],"explicit_host":[],"manifest_permissions":[],"scriptable_host":[]},"app_launcher_ordinal":"t","commands":{},"content_settings":[],"creation_flags":1,"events":[],"first_install_time":"13369866313287378","from_webstore":false,"incognito_content_settings":[],"incognito_preferences":{},"last_update_time":"13369866313287378","location":5,"ma

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, writer version 2, read version 2, file counter 8, database pages 11, cookie 0x7, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	45056
Entropy (8bit):	0.4108834313259155
Encrypted:	false
SSDEEP:	24:TSWUYP5/ZrK/AxH1Aj5sAFWZmasamfDsCBjy8e+ZcI5fc:TnUYVAKAFXX+CcEc
MD5:	8593795778EA3EC8221366AA2FBBA867
SHA1:	2F307D4925183EA13E7BE637CB93ECAF2BA9810A
SHA-256:	F3C17873660988454A5A403D047FCE88379D1FE8917A89C98E6EB940F8929C03
SHA-512:	CC86DD61ACEDA6F2927C4C23CBD6D426F2C8CD1DF65E342C76D07153ACBF801F9B297F8EF182097CBABBDE6A49C90AF0E7A38E49AB53DF3FD2EC2D5BC675099A
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..................?.P................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db-shm

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.04980715022639089
Encrypted:	false
SSDEEP:	6:Gd0ddi8gd0ddi8myL9XCChslotGLNl0ml/XoQDeX:zddHgiddH7pEjVl/XoQ
MD5:	0DCF538A04A10139C2BEF0CD1B1FA9FB
SHA1:	C6AED1B5CA0A1ECE6E81CC70CD14AA046162B5D0
SHA-256:	752A0BD20BD96F5916028A5F87541F11C760FDC19DE38C8BCB16B4C14DF60647
SHA-512:	49DBC69DFFD0CCAEE055EB9D417412E90EEA4362B57585064E8F89B0911264BA86A06EC01B31B0450027E87AAB4BB2CB0754666F4C81604C152A06C5BE1FE287
Malicious:	false
Preview:	..-.......................FVN...$J...V..n.c..mv=..-.......................FVN...$J...V..n.c..mv=........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	328
Entropy (8bit):	5.18003862425082
Encrypted:	false
SSDEEP:	6:PPHkV31yq2PN723oH+TcwtfrK+IFUt82PHkiGuj1Zmw+2PHkiGu1RkwON723oH+t:PPH7vVaYeb23FUt82PH3n1/+2PH3n5O+
MD5:	070D77FF87626621E1A0CBC9FEA1A50C
SHA1:	8A1563A8234569FE946FE72C9270E32BF5EBA48C
SHA-256:	DB31F0ADDB58954F2973CDE498FEAF428A1F37FB8FB90F770C34AF6312220560
SHA-512:	4AD06E2EE06765DDFB91265EBB643FBDBD78B38E55F1A6F396DD6F220382D1A72F49AE59468E3270CB1C6F025E46C02A3E51FAB45623F5CDBF1BA073FA88DE85
Malicious:	false
Preview:	2024/09/03-15:45:13.508 23a0 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db/MANIFEST-000001.2024/09/03-15:45:13.509 23a0 Recovering log #3.2024/09/03-15:45:13.509 23a0 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	328
Entropy (8bit):	5.18003862425082
Encrypted:	false
SSDEEP:	6:PPHkV31yq2PN723oH+TcwtfrK+IFUt82PHkiGuj1Zmw+2PHkiGu1RkwON723oH+t:PPH7vVaYeb23FUt82PH3n1/+2PH3n5O+
MD5:	070D77FF87626621E1A0CBC9FEA1A50C
SHA1:	8A1563A8234569FE946FE72C9270E32BF5EBA48C
SHA-256:	DB31F0ADDB58954F2973CDE498FEAF428A1F37FB8FB90F770C34AF6312220560
SHA-512:	4AD06E2EE06765DDFB91265EBB643FBDBD78B38E55F1A6F396DD6F220382D1A72F49AE59468E3270CB1C6F025E46C02A3E51FAB45623F5CDBF1BA073FA88DE85
Malicious:	false
Preview:	2024/09/03-15:45:13.508 23a0 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db/MANIFEST-000001.2024/09/03-15:45:13.509 23a0 Recovering log #3.2024/09/03-15:45:13.509 23a0 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	816
Entropy (8bit):	4.0647916882227655
Encrypted:	false
SSDEEP:	12:G0nYUtTNop//z32m5t/yVf9HqlIZfkBA//DtKhKg+rOyBrgxvB1ySxs:G0nYUtypD32m3yWlIZMBA5NgKIvB8Sxs
MD5:	3BE72D8D40752B3A97028FDB2931FABA
SHA1:	A27EA4726857A948F0A4B074062B674469A9A371
SHA-256:	3C18553C8C3F7E801855F3579AC57F3C156D783BBA27FB35C6D2FB6CB89BD902
SHA-512:	8EBD4D6980BB7796615217E72BC65953C920B68B9259341CD52858C1E889EC90339E2A304FE0C971D6C6EF9AFC4A00CFB3E5CC89C7B2DF8737A0C7EC241BDADC
Malicious:	false
Preview:	.h.6.................__global... .t...................__global... .9..b.................33_..........................33_........v.................21_.....vuNX.................21_.....<...................20_.....X...................20_.....W.J+.................19_......qY.................18_.....'}2..................37_.......c..................38_......i...................39_.....Owa..................20_.....4.9..................20_.....B.I..................19_..........................18_.....2.1..................37_..........................38_......=.%.................39_.....p.j..................9_.....JJ...................9_.....\|.&R.................__global... ./....................__global... ..T...................__global... ...G..................__global... ......................__global... .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	346
Entropy (8bit):	5.147370731168141
Encrypted:	false
SSDEEP:	6:PPHkUGU31yq2PN723oH+TcwtfrzAdIFUt82PHkJj1Zmw+2PHkJ1RkwON723oH+TC:PPHkUIvVaYeb9FUt82PHk1/+2PHm5Oaa
MD5:	E41D088C5FB18E9D736951D213A2E027
SHA1:	40AE76316C049F0A6F37C450643A88E5365B9152
SHA-256:	239B44295DDD430479CFA28F842608DA3482332BFB1EEC193AD37970DA8A6700
SHA-512:	B1DF94F0D1413FE9AE6A961DB0D794275363B7DC05431063E7E9C8CC168E44F7730F924CBA0DC818236510EA2BC557BC121D53086E1CDC2459806F61B24AC0D9
Malicious:	false
Preview:	2024/09/03-15:45:13.503 23a0 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata/MANIFEST-000001.2024/09/03-15:45:13.504 23a0 Recovering log #3.2024/09/03-15:45:13.504 23a0 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	346
Entropy (8bit):	5.147370731168141
Encrypted:	false
SSDEEP:	6:PPHkUGU31yq2PN723oH+TcwtfrzAdIFUt82PHkJj1Zmw+2PHkJ1RkwON723oH+TC:PPHkUIvVaYeb9FUt82PHk1/+2PHm5Oaa
MD5:	E41D088C5FB18E9D736951D213A2E027
SHA1:	40AE76316C049F0A6F37C450643A88E5365B9152
SHA-256:	239B44295DDD430479CFA28F842608DA3482332BFB1EEC193AD37970DA8A6700
SHA-512:	B1DF94F0D1413FE9AE6A961DB0D794275363B7DC05431063E7E9C8CC168E44F7730F924CBA0DC818236510EA2BC557BC121D53086E1CDC2459806F61B24AC0D9
Malicious:	false
Preview:	2024/09/03-15:45:13.503 23a0 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata/MANIFEST-000001.2024/09/03-15:45:13.504 23a0 Recovering log #3.2024/09/03-15:45:13.504 23a0 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Last Version

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	13
Entropy (8bit):	2.6612262562697895
Encrypted:	false
SSDEEP:	3:NYLFRQZ:ap2Z
MD5:	B64BD80D877645C2DD14265B1A856F8A
SHA1:	F7379E1A6F8CE062E891C56736C789C7EA77CD6A
SHA-256:	83476CEEEB7682F41030664B4E17305986878D14E82D0C277FB99EC546B44569
SHA-512:	734A7316A269C76DD052D980CC0D5209C0BFEDFFC55B11C58FA25C433CE8A42536827298C3E58CACD68CC01593C23D39350E956E8DE2268D8D29918E1F0667F2
Malicious:	false
Preview:	117.0.2045.55

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44455
Entropy (8bit):	6.089773930632628
Encrypted:	false
SSDEEP:	768:+DXzgWPsj/qlGJqIY8GB4kWsdi1zNtPMGkzZ7okEt9r1JDSgzMMd6qD47u3+CioC:+/Ps+wsI7yn81kzItSmd6qE7lFoC
MD5:	18A02250EED9B5D15A00702E74953A49
SHA1:	145C161E41086F69647A395E636E53F4C1C58E1B
SHA-256:	8710EC4B023AA4D2A309ACDEF95922901E1DE241A1F5C48084B54B7E0A12CA50
SHA-512:	AC5AE9DAF27B0ADF3B1EB31D6A1508F41083AEF99E09CBE092243088B881BB32306869C0038999836F6BCEF83523B878FE0A9C1F24E9E476EE616747171E56A8
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","apps_count_check_time":"13340961226065099","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJO

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State~RF37512.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44455
Entropy (8bit):	6.089773930632628
Encrypted:	false
SSDEEP:	768:+DXzgWPsj/qlGJqIY8GB4kWsdi1zNtPMGkzZ7okEt9r1JDSgzMMd6qD47u3+CioC:+/Ps+wsI7yn81kzItSmd6qE7lFoC
MD5:	18A02250EED9B5D15A00702E74953A49
SHA1:	145C161E41086F69647A395E636E53F4C1C58E1B
SHA-256:	8710EC4B023AA4D2A309ACDEF95922901E1DE241A1F5C48084B54B7E0A12CA50
SHA-512:	AC5AE9DAF27B0ADF3B1EB31D6A1508F41083AEF99E09CBE092243088B881BB32306869C0038999836F6BCEF83523B878FE0A9C1F24E9E476EE616747171E56A8
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","apps_count_check_time":"13340961226065099","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJO

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State~RF375ec.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44455
Entropy (8bit):	6.089773930632628
Encrypted:	false
SSDEEP:	768:+DXzgWPsj/qlGJqIY8GB4kWsdi1zNtPMGkzZ7okEt9r1JDSgzMMd6qD47u3+CioC:+/Ps+wsI7yn81kzItSmd6qE7lFoC
MD5:	18A02250EED9B5D15A00702E74953A49
SHA1:	145C161E41086F69647A395E636E53F4C1C58E1B
SHA-256:	8710EC4B023AA4D2A309ACDEF95922901E1DE241A1F5C48084B54B7E0A12CA50
SHA-512:	AC5AE9DAF27B0ADF3B1EB31D6A1508F41083AEF99E09CBE092243088B881BB32306869C0038999836F6BCEF83523B878FE0A9C1F24E9E476EE616747171E56A8
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","apps_count_check_time":"13340961226065099","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJO

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State~RF376a8.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44455
Entropy (8bit):	6.089773930632628
Encrypted:	false
SSDEEP:	768:+DXzgWPsj/qlGJqIY8GB4kWsdi1zNtPMGkzZ7okEt9r1JDSgzMMd6qD47u3+CioC:+/Ps+wsI7yn81kzItSmd6qE7lFoC
MD5:	18A02250EED9B5D15A00702E74953A49
SHA1:	145C161E41086F69647A395E636E53F4C1C58E1B
SHA-256:	8710EC4B023AA4D2A309ACDEF95922901E1DE241A1F5C48084B54B7E0A12CA50
SHA-512:	AC5AE9DAF27B0ADF3B1EB31D6A1508F41083AEF99E09CBE092243088B881BB32306869C0038999836F6BCEF83523B878FE0A9C1F24E9E476EE616747171E56A8
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","apps_count_check_time":"13340961226065099","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJO

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State~RF395a9.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44455
Entropy (8bit):	6.089773930632628
Encrypted:	false
SSDEEP:	768:+DXzgWPsj/qlGJqIY8GB4kWsdi1zNtPMGkzZ7okEt9r1JDSgzMMd6qD47u3+CioC:+/Ps+wsI7yn81kzItSmd6qE7lFoC
MD5:	18A02250EED9B5D15A00702E74953A49
SHA1:	145C161E41086F69647A395E636E53F4C1C58E1B
SHA-256:	8710EC4B023AA4D2A309ACDEF95922901E1DE241A1F5C48084B54B7E0A12CA50
SHA-512:	AC5AE9DAF27B0ADF3B1EB31D6A1508F41083AEF99E09CBE092243088B881BB32306869C0038999836F6BCEF83523B878FE0A9C1F24E9E476EE616747171E56A8
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","apps_count_check_time":"13340961226065099","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJO

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State~RF395f8.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44455
Entropy (8bit):	6.089773930632628
Encrypted:	false
SSDEEP:	768:+DXzgWPsj/qlGJqIY8GB4kWsdi1zNtPMGkzZ7okEt9r1JDSgzMMd6qD47u3+CioC:+/Ps+wsI7yn81kzItSmd6qE7lFoC
MD5:	18A02250EED9B5D15A00702E74953A49
SHA1:	145C161E41086F69647A395E636E53F4C1C58E1B
SHA-256:	8710EC4B023AA4D2A309ACDEF95922901E1DE241A1F5C48084B54B7E0A12CA50
SHA-512:	AC5AE9DAF27B0ADF3B1EB31D6A1508F41083AEF99E09CBE092243088B881BB32306869C0038999836F6BCEF83523B878FE0A9C1F24E9E476EE616747171E56A8
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","apps_count_check_time":"13340961226065099","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJO

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\ShaderCache\data_1

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	modified
Size (bytes):	270336
Entropy (8bit):	0.0018238520723782249
Encrypted:	false
SSDEEP:	3:MsEllllkEthXllkl2zEjrrXF:/M/xT02zaXF
MD5:	5193C55BE2D3F5497D7596B39377876D
SHA1:	0A25106CA005623F6E005DEF4567BDC870844F01
SHA-256:	415D4415888438A6C56F72A4C195BE3D1C61695CAC5B9416495A653A21FDC1A4
SHA-512:	3962E77786E0712C5DB741442FB24402479FE4AE5E6F63F1A9B0D9A764394E9570CF3338F95DF680E0ED1D289AAE7D7BD6FB67430E2116070E4211B532037E84
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Variations

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	85
Entropy (8bit):	4.3488360343066725
Encrypted:	false
SSDEEP:	3:YQ3JYq9xSs0dMEJAELJ25AmIpozQp:YQ3Kq9X0dMgAEiLIj
MD5:	8549C255650427D618EF18B14DFD2B56
SHA1:	8272585186777B344DB3960DF62B00F570D247F6
SHA-256:	40395D9CA4B65D48DEAC792844A77D4F8051F1CEF30DF561DACFEEED3C3BAE13
SHA-512:	E5BB8A0AD338372635C3629E306604E3DC5A5C26FB5547A3DD7E404E5261630612C07326E7EBF5B47ABAFADE8E555965A1A59A1EECFC496DCDD5003048898A8C
Malicious:	false
Preview:	{"user_experience_metrics.stability.exited_cleanly":true,"variations_crash_streak":1}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\ac1279a1-90f4-45eb-88a9-d306d1b06b33.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44974
Entropy (8bit):	6.095054930225408
Encrypted:	false
SSDEEP:	768:+DXzgWPsj/qlGJqIY8GB4xWmyi1zNt/602oNoGoVA/qKJDSgzMMd6qD47u3+CioC:+/Ps+wsI7yO802oNEKtSmd6qE7lFoC
MD5:	654CE199213D810740C9F6FC29205E38
SHA1:	58D1AAFAA65E8FE6A391045FC4769A927BB827DE
SHA-256:	DFB2B82D0FC8438C64B36DF5AA73E1CE79E12B84760F5D2DD0812061EF257A06
SHA-512:	FDD2FB1EF4530D0078C713F30698D010898D7DBA4190C5022B274C91935FAA9539B947D36676C64E2914A25526ADF0ECDFE964F40EBA1F912B3C769F3C6F8080
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","apps_count_check_time":"13340961226065099","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJO

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\de8088f0-3d85-4a9c-b7fe-82869d17d001.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44975
Entropy (8bit):	6.094855636100407
Encrypted:	false
SSDEEP:	768:TDXzgWPsj/qlGJqIY8GB4xWPyi1zNt/602o95GoKPFGCKJDSgzMMd6qD47u3+CiB:T/Ps+wsI7yOV02o6LKtSmd6qE7lFoC
MD5:	B66883B8D13DED902D8B830EF6EB05CE
SHA1:	699DC059609BFFA989807484432D737370240A45
SHA-256:	5D1883307EB8B3B969C02FC6239A9AFE58A97E4F0D59CF8961977B7CB7B1DF10
SHA-512:	2049656549BE8A145A6CE7863191F47F9E985D099DDE596CDF40E6A5D2DE80B3800E6689AC0AF8F05E7626666C3F7ACB9C01BB6FC217E8F4CFD6E8D340BAF267
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","apps_count_check_time":"13369866313586021","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJO

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\eead95dd-caa5-4ec0-b511-1bdc6cd4e456.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44975
Entropy (8bit):	6.095054949626027
Encrypted:	false
SSDEEP:	768:TDXzgWPsj/qlGJqIY8GB4xWPyi1zNt/602oNHGoVA/qKJDSgzMMd6qD47u3+CioC:T/Ps+wsI7yOV02oAEKtSmd6qE7lFoC
MD5:	C1AB3E935B0CF18F3BD570A599E05EA8
SHA1:	B89F2DB80CD842989FFF371A3DDCA12104CA7490
SHA-256:	AD62FEA624C1790BEF0E15EE94E097428BFAA60A57751A0728D28AC25BE898D7
SHA-512:	55D5CD79C1804D938834A9C67A6D016757B506A4D5E1CF3021D80E676C9210F1A37F2F89CCF6D7C1188357C877548B1EA0EE9BA11D7FBB32EE018A6A03448AF0
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","apps_count_check_time":"13369866313586021","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJO

C:\Users\user\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	2278
Entropy (8bit):	3.8614549813800907
Encrypted:	false
SSDEEP:	48:uiTrlKxrgxMSxl9Il8up6Sn46SRny4nY0RUmreYid1rc:mwYyS4q4Y0uyb
MD5:	00A3ABA1D7CBD747E1E8BF7EFEE6EBA4
SHA1:	5DEB597F22B523DCD354D86BC5E52D0BFF6B8279
SHA-256:	A56BEB3E367BE8C0F52FFE46A5ECE4C7CF2D3E3953E6B4879F0A6B6AFFE606D1
SHA-512:	D4E6CF1C42CE71AF94DA61346C349891A6FA328BE934BD45E13AAA032894AA224BD0010EC64B3AE20464261E73BD87F02105B32A73075F846E1FFF5E5379E17C
Malicious:	false
Preview:	{.".T.B.D.a.t.a.S.t.o.r.e.O.b.j.e.c.t.".:.{.".H.e.a.d.e.r.".:.{.".O.b.j.e.c.t.T.y.p.e.".:.".T.o.k.e.n.R.e.s.p.o.n.s.e.".,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.a.j.o.r.".:.2.,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.i.n.o.r.".:.1.}.,.".O.b.j.e.c.t.D.a.t.a.".:.{.".S.y.s.t.e.m.D.e.f.i.n.e.d.P.r.o.p.e.r.t.i.e.s.".:.{.".R.e.q.u.e.s.t.I.n.d.e.x.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".W.i.p.w.W.M.+.N.H.l.b.C.D.m.s.Z.p.8.S.O.s.j.h.t.F.B.s.=.".}.,.".E.x.p.i.r.a.t.i.o.n.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".A.K.7.T.J.E.L.+.2.g.E.=.".}.,.".S.t.a.t.u.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".A.A.A.A.A.A.=.=.".}.,.".R.e.s.p.o.n.s.e.B.y.t.e.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.t.r.u.e.,.".V.a.l.u.e.".:.".A.Q.A.A.A.N.C.M.n.d.8.B.F.d.E.R.j.H.o.A.w.E./.C.l.+.s.B.A.A.A.A.N.5.q.N.Q.t.

C:\Users\user\AppData\Local\Microsoft\TokenBroker\Cache\cf7513a936f7effbb38627e56f8d1fce10eb12cc.tbres

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	4622
Entropy (8bit):	4.002027227620322
Encrypted:	false
SSDEEP:	96:hYD50cFqT0OIvcjJ2YG12ka5P3xcQpWHjGW69Iay6O+:hptrQU2YqbahvpW1XayV+
MD5:	14C93EF62EAF205E42614A7CD255B735
SHA1:	A9E3CB1A63816F4C2EAFEC0AEF95DAFFAF31732F
SHA-256:	6F8A89489FE7DC2900639A2B7D1316B92DBDB9825A32241642E54E38A2793D97
SHA-512:	F25BC92EE37B926CF1730DA14DB802EB782F6B9864B0102EB183D380CD6B6979FC7FABE59FD451BB6F4674E7B46D77A7E7B7EAEAAEE07A108C57838A3D8210B0
Malicious:	false
Preview:	{.".T.B.D.a.t.a.S.t.o.r.e.O.b.j.e.c.t.".:.{.".H.e.a.d.e.r.".:.{.".O.b.j.e.c.t.T.y.p.e.".:.".T.o.k.e.n.R.e.s.p.o.n.s.e.".,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.a.j.o.r.".:.2.,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.i.n.o.r.".:.1.}.,.".O.b.j.e.c.t.D.a.t.a.".:.{.".S.y.s.t.e.m.D.e.f.i.n.e.d.P.r.o.p.e.r.t.i.e.s.".:.{.".R.e.q.u.e.s.t.I.n.d.e.x.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".z.3.U.T.q.T.b.3.7./.u.z.h.i.f.l.b.4.0.f.z.h.D.r.E.s.w.=.".}.,.".E.x.p.i.r.a.t.i.o.n.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".f.c.U.s.C.z.r.+.2.g.E.=.".}.,.".S.t.a.t.u.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".A.w.A.A.A.A.=.=.".}.,.".R.e.s.p.o.n.s.e.B.y.t.e.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.t.r.u.e.,.".V.a.l.u.e.".:.".A.Q.A.A.A.N.C.M.n.d.8.B.F.d.E.R.j.H.o.A.w.E./.C.l.+.s.B.A.A.A.A.N.5.q.N.Q.t.

C:\Users\user\AppData\Local\Temp\cv_debug.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1428
Entropy (8bit):	5.3928573914979
Encrypted:	false
SSDEEP:	24:YZGMfJVA/5BGMLfp5BGMz6jT07ncIF5InHI0MY5kUQnA0OpJ5xHRS4L0Mom2J5VR:Y4MfJVe5wMd5wMe07cIF5Io0MY5kU2AS
MD5:	0931DCAEC9A38D62EE90456911368EAE
SHA1:	DBF0648351247C4B1E38BF92FB77A491FC29D082
SHA-256:	8D6B43CEF0E9046996D8C22DC0971254780BADAFEE0AD92FEE37F91CAFB78356
SHA-512:	E91F838D7E7FE233E7E2884EEBFF0F7070DC444209DD6609F9AAB4516E0BCF5C6B1116C4756CF188344E9D9A25ECCB1CE411D7D15866207ABC4F50FACF2C8121
Malicious:	false
Preview:	{"logTime": "1005/061810", "correlationVector":"0kV+/vRB8ay0a3Cue7mk6o","action":"EXTENSION_UPDATER", "result":""}.{"logTime": "1005/061810", "correlationVector":"AFo3IfjRT+3l4ojiXpMdNH","action":"EXTENSION_UPDATER", "result":""}.{"logTime": "1005/061810", "correlationVector":"838E3BF9A44F456CB4AD62AC737EDD15","action":"FETCH_UX_CONFIG", "result":""}.{"logTime": "1005/063233", "correlationVector":"2N8fwTcZh6EtTfQ8o4+6aX","action":"EXTENSION_UPDATER", "result":""}.{"logTime": "1005/063233", "correlationVector":"5ADEBA42608E4CC9A1FACA719F284CF9","action":"FETCH_UX_CONFIG", "result":""}.{"logTime": "1005/063346", "correlationVector":"xp/hBMCdVPtUIxZHIviv/x","action":"EXTENSION_UPDATER", "result":""}.{"logTime": "1005/063347", "correlationVector":"BF0B9E58C0CC45ED9AB5D0371131E69A","action":"FETCH_UX_CONFIG", "result":""}.{"logTime": "1005/064305", "correlationVector":"ONVjsWDap1LyjIRdxsqPGs","action":"EXTENSION_UPDATER", "result":""}.{"logTime": "1005/064305", "correlationVector":"82E52491

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\875a60a09683c344.customDestinations-ms (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	3888
Entropy (8bit):	3.5287806878853005
Encrypted:	false
SSDEEP:	48:/JP8dOXhIHsiVpzBdLXuHokDpRAJ1dOXh+HsiVpzngdLXuHok+21:q3uIkDXgnIuIkz
MD5:	65B3F045D53D86C728B316617F0AFBBB
SHA1:	EF9C07FE97635F281E5844B759AAEA6328E40736
SHA-256:	E46744EDDFCCDAD7C90D812F1C3CAFF2827346FD460712019DDBB1AA5D6B1C94
SHA-512:	F32556291E29856058260F8B4E6D11ADE41A9A6E017F49783A8182EBB2446E491ED3C77E937E7F1BD874F3E973C979954DFB7FA2F3C6C091828ED26A9B4D1F19
Malicious:	false
Preview:	...................................FL..................F.@.. .....\|.K...>.V.9...".......(>@.....................1....P.O. .:i.....+00.../C:\.....................1.....EW.5..PROGRA~2.........O.IEW.5....................V........P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....\.1.....EW.5..MICROS~1..D......(Ux.#Y.............................Z..M.i.c.r.o.s.o.f.t.....N.1.....EW/40.Edge..:.......S8.EW74..............................E.d.g.e.....`.1.....EW$40.APPLIC~1..H.......S8.#Y................................A.p.p.l.i.c.a.t.i.o.n.....`.2.(>@.DW. .msedge.exe..F.......S8.#Y.............................5.m.s.e.d.g.e...e.x.e.......k...............-.......j....................C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe..<.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.M.i.c.r.o.s.o.f.t.\.E.d.g.e.\.A.p.p.l.i.c.a.t.i.o.n.\.m.s.e.d.g.e...e.x.e.........%ProgramFiles(x86)%\Microsoft\Edge\Application\msedge.exe...............................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\FE3VZPM8ZKTVONGCA0KY.temp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	3888
Entropy (8bit):	3.5287806878853005
Encrypted:	false
SSDEEP:	48:/JP8dOXhIHsiVpzBdLXuHokDpRAJ1dOXh+HsiVpzngdLXuHok+21:q3uIkDXgnIuIkz
MD5:	65B3F045D53D86C728B316617F0AFBBB
SHA1:	EF9C07FE97635F281E5844B759AAEA6328E40736
SHA-256:	E46744EDDFCCDAD7C90D812F1C3CAFF2827346FD460712019DDBB1AA5D6B1C94
SHA-512:	F32556291E29856058260F8B4E6D11ADE41A9A6E017F49783A8182EBB2446E491ED3C77E937E7F1BD874F3E973C979954DFB7FA2F3C6C091828ED26A9B4D1F19
Malicious:	false
Preview:	...................................FL..................F.@.. .....\|.K...>.V.9...".......(>@.....................1....P.O. .:i.....+00.../C:\.....................1.....EW.5..PROGRA~2.........O.IEW.5....................V........P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....\.1.....EW.5..MICROS~1..D......(Ux.#Y.............................Z..M.i.c.r.o.s.o.f.t.....N.1.....EW/40.Edge..:.......S8.EW74..............................E.d.g.e.....`.1.....EW$40.APPLIC~1..H.......S8.#Y................................A.p.p.l.i.c.a.t.i.o.n.....`.2.(>@.DW. .msedge.exe..F.......S8.#Y.............................5.m.s.e.d.g.e...e.x.e.......k...............-.......j....................C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe..<.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.M.i.c.r.o.s.o.f.t.\.E.d.g.e.\.A.p.p.l.i.c.a.t.i.o.n.\.m.s.e.d.g.e...e.x.e.........%ProgramFiles(x86)%\Microsoft\Edge\Application\msedge.exe...............................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\O34PMKGWXWU2MPNKTIH4.temp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	3888
Entropy (8bit):	3.529171709853887
Encrypted:	false
SSDEEP:	48:/J1dOXh+HsiVpzBdLXuHokDpRAJ1dOXh+HsiVpzngdLXuHok+21:X3uIkDXgnIuIkz
MD5:	930BE40609FD8AA76BF8133FA6906F85
SHA1:	73F076E6576A271BA1B83F6B337A128EC4A33FD6
SHA-256:	CF099C6330B0962207AA08A64205C868D479D4C5EBF95609B6CCDEA2A1EBBEE5
SHA-512:	62B11DE0F4CB04F963B2A946FB43FD2FE372844A657478A2AEF8D8BA09FC84857DEA247A084DCF6A234E055F287A22A6084ABF5EEDCC7EF02335F22B9395CCEE
Malicious:	false
Preview:	...................................FL..................F.@.. .....\|.K...>.V.9...".......(>@.....................1....P.O. .:i.....+00.../C:\.....................1.....#Y....PROGRA~2.........O.I#Y......................V........P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....\.1.....EW.5..MICROS~1..D......(Ux.#Y.............................Z..M.i.c.r.o.s.o.f.t.....N.1.....EW/40.Edge..:.......S8.#Y................................E.d.g.e.....`.1.....EW$40.APPLIC~1..H.......S8.#Y................................A.p.p.l.i.c.a.t.i.o.n.....`.2.(>@.DW. .msedge.exe..F.......S8.#Y.............................5.m.s.e.d.g.e...e.x.e.......k...............-.......j....................C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe..<.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.M.i.c.r.o.s.o.f.t.\.E.d.g.e.\.A.p.p.l.i.c.a.t.i.o.n.\.m.s.e.d.g.e...e.x.e.........%ProgramFiles(x86)%\Microsoft\Edge\Application\msedge.exe...............................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	3888
Entropy (8bit):	3.529171709853887
Encrypted:	false
SSDEEP:	48:/J1dOXh+HsiVpzBdLXuHokDpRAJ1dOXh+HsiVpzngdLXuHok+21:X3uIkDXgnIuIkz
MD5:	930BE40609FD8AA76BF8133FA6906F85
SHA1:	73F076E6576A271BA1B83F6B337A128EC4A33FD6
SHA-256:	CF099C6330B0962207AA08A64205C868D479D4C5EBF95609B6CCDEA2A1EBBEE5
SHA-512:	62B11DE0F4CB04F963B2A946FB43FD2FE372844A657478A2AEF8D8BA09FC84857DEA247A084DCF6A234E055F287A22A6084ABF5EEDCC7EF02335F22B9395CCEE
Malicious:	false
Preview:	...................................FL..................F.@.. .....\|.K...>.V.9...".......(>@.....................1....P.O. .:i.....+00.../C:\.....................1.....#Y....PROGRA~2.........O.I#Y......................V........P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....\.1.....EW.5..MICROS~1..D......(Ux.#Y.............................Z..M.i.c.r.o.s.o.f.t.....N.1.....EW/40.Edge..:.......S8.#Y................................E.d.g.e.....`.1.....EW$40.APPLIC~1..H.......S8.#Y................................A.p.p.l.i.c.a.t.i.o.n.....`.2.(>@.DW. .msedge.exe..F.......S8.#Y.............................5.m.s.e.d.g.e...e.x.e.......k...............-.......j....................C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe..<.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.M.i.c.r.o.s.o.f.t.\.E.d.g.e.\.A.p.p.l.i.c.a.t.i.o.n.\.m.s.e.d.g.e...e.x.e.........%ProgramFiles(x86)%\Microsoft\Edge\Application\msedge.exe...............................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.579767841541415
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	917'504 bytes
MD5:	722a21a12025094cefd6de00ab539383
SHA1:	00c7867204dcb23a342cdbcb915d042919569a05
SHA256:	88327e1bf9762bc4429d9799ada169121b27b1e59c4f3d7fcfda877065bf1038
SHA512:	58282b83bd6b647508834a7c4f47ebc5aa684833732bd6f3225b5aec362bb687769132cbe3f9be6ab7e176b8d66a20df8f8bfeb4d34f9541fb0281a24fe882ef
SSDEEP:	12288:YqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDgacTu:YqDEvCTbMWu7rQYlBQcBiT6rprG8asu
TLSH:	F4159E0273D1C062FFAB92334B5AF6515BBC69260123E61F13981DB9BE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x66D763A1 [Tue Sep 3 19:29:37 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007F47C4BE7783h
jmp 00007F47C4BE708Fh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F47C4BE726Dh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F47C4BE723Ah
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007F47C4BE9E2Dh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007F47C4BE9E78h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007F47C4BE9E61h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x95c8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xde000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x95c8	0x9600	66143c7a4866db347dc53d6571892c58	False	0.286953125	data	5.165453911695592	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xde000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0x890	data			1.0050182481751824
RT_GROUP_ICON	0xdd048	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xdd0c0	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xdd0d4	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xdd0e8	0x14	data	English	Great Britain	1.25
RT_VERSION	0xdd0fc	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xdd1d8	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 3, 2024 21:44:54.994510889 CEST	49674	443	192.168.2.6	173.222.162.64
Sep 3, 2024 21:44:54.994510889 CEST	49673	443	192.168.2.6	173.222.162.64
Sep 3, 2024 21:44:55.338277102 CEST	49672	443	192.168.2.6	173.222.162.64
Sep 3, 2024 21:45:03.113502979 CEST	49720	443	192.168.2.6	20.197.71.89
Sep 3, 2024 21:45:03.113545895 CEST	443	49720	20.197.71.89	192.168.2.6
Sep 3, 2024 21:45:03.113676071 CEST	49720	443	192.168.2.6	20.197.71.89
Sep 3, 2024 21:45:03.114243984 CEST	49720	443	192.168.2.6	20.197.71.89
Sep 3, 2024 21:45:03.114258051 CEST	443	49720	20.197.71.89	192.168.2.6
Sep 3, 2024 21:45:04.255811930 CEST	49728	443	192.168.2.6	13.107.246.42
Sep 3, 2024 21:45:04.255846977 CEST	443	49728	13.107.246.42	192.168.2.6
Sep 3, 2024 21:45:04.255945921 CEST	49728	443	192.168.2.6	13.107.246.42
Sep 3, 2024 21:45:04.257438898 CEST	49728	443	192.168.2.6	13.107.246.42
Sep 3, 2024 21:45:04.257453918 CEST	443	49728	13.107.246.42	192.168.2.6
Sep 3, 2024 21:45:04.261671066 CEST	49729	443	192.168.2.6	13.107.246.42
Sep 3, 2024 21:45:04.261703014 CEST	443	49729	13.107.246.42	192.168.2.6
Sep 3, 2024 21:45:04.261791945 CEST	49729	443	192.168.2.6	13.107.246.42
Sep 3, 2024 21:45:04.262027979 CEST	49729	443	192.168.2.6	13.107.246.42
Sep 3, 2024 21:45:04.262039900 CEST	443	49729	13.107.246.42	192.168.2.6
Sep 3, 2024 21:45:04.533727884 CEST	443	49720	20.197.71.89	192.168.2.6
Sep 3, 2024 21:45:04.533811092 CEST	49720	443	192.168.2.6	20.197.71.89
Sep 3, 2024 21:45:04.539438009 CEST	49720	443	192.168.2.6	20.197.71.89
Sep 3, 2024 21:45:04.539446115 CEST	443	49720	20.197.71.89	192.168.2.6
Sep 3, 2024 21:45:04.539711952 CEST	443	49720	20.197.71.89	192.168.2.6
Sep 3, 2024 21:45:04.542237043 CEST	49720	443	192.168.2.6	20.197.71.89
Sep 3, 2024 21:45:04.542285919 CEST	49720	443	192.168.2.6	20.197.71.89
Sep 3, 2024 21:45:04.542289972 CEST	443	49720	20.197.71.89	192.168.2.6
Sep 3, 2024 21:45:04.542434931 CEST	49720	443	192.168.2.6	20.197.71.89
Sep 3, 2024 21:45:04.588496923 CEST	443	49720	20.197.71.89	192.168.2.6
Sep 3, 2024 21:45:04.633439064 CEST	49674	443	192.168.2.6	173.222.162.64
Sep 3, 2024 21:45:04.671798944 CEST	49673	443	192.168.2.6	173.222.162.64
Sep 3, 2024 21:45:04.869646072 CEST	443	49720	20.197.71.89	192.168.2.6
Sep 3, 2024 21:45:04.869985104 CEST	443	49720	20.197.71.89	192.168.2.6
Sep 3, 2024 21:45:04.870903969 CEST	49720	443	192.168.2.6	20.197.71.89
Sep 3, 2024 21:45:04.875734091 CEST	49720	443	192.168.2.6	20.197.71.89
Sep 3, 2024 21:45:04.875756025 CEST	443	49720	20.197.71.89	192.168.2.6
Sep 3, 2024 21:45:04.907601118 CEST	443	49728	13.107.246.42	192.168.2.6
Sep 3, 2024 21:45:04.908401966 CEST	49728	443	192.168.2.6	13.107.246.42
Sep 3, 2024 21:45:04.908416986 CEST	443	49728	13.107.246.42	192.168.2.6
Sep 3, 2024 21:45:04.909691095 CEST	443	49728	13.107.246.42	192.168.2.6
Sep 3, 2024 21:45:04.909749031 CEST	49728	443	192.168.2.6	13.107.246.42
Sep 3, 2024 21:45:04.911326885 CEST	443	49729	13.107.246.42	192.168.2.6
Sep 3, 2024 21:45:04.977957964 CEST	49728	443	192.168.2.6	13.107.246.42
Sep 3, 2024 21:45:04.978127003 CEST	443	49728	13.107.246.42	192.168.2.6
Sep 3, 2024 21:45:04.979279041 CEST	49728	443	192.168.2.6	13.107.246.42
Sep 3, 2024 21:45:04.979295969 CEST	443	49728	13.107.246.42	192.168.2.6
Sep 3, 2024 21:45:04.980894089 CEST	49729	443	192.168.2.6	13.107.246.42
Sep 3, 2024 21:45:04.980906963 CEST	443	49729	13.107.246.42	192.168.2.6
Sep 3, 2024 21:45:04.982280970 CEST	443	49729	13.107.246.42	192.168.2.6
Sep 3, 2024 21:45:04.982290030 CEST	443	49729	13.107.246.42	192.168.2.6
Sep 3, 2024 21:45:04.982341051 CEST	49729	443	192.168.2.6	13.107.246.42
Sep 3, 2024 21:45:04.983563900 CEST	49729	443	192.168.2.6	13.107.246.42
Sep 3, 2024 21:45:04.983629942 CEST	443	49729	13.107.246.42	192.168.2.6
Sep 3, 2024 21:45:04.984227896 CEST	49729	443	192.168.2.6	13.107.246.42
Sep 3, 2024 21:45:04.984234095 CEST	443	49729	13.107.246.42	192.168.2.6
Sep 3, 2024 21:45:05.023591042 CEST	49728	443	192.168.2.6	13.107.246.42
Sep 3, 2024 21:45:05.039223909 CEST	49672	443	192.168.2.6	173.222.162.64
Sep 3, 2024 21:45:05.039263964 CEST	49729	443	192.168.2.6	13.107.246.42
Sep 3, 2024 21:45:05.080874920 CEST	443	49728	13.107.246.42	192.168.2.6
Sep 3, 2024 21:45:05.080899000 CEST	443	49728	13.107.246.42	192.168.2.6
Sep 3, 2024 21:45:05.080910921 CEST	443	49728	13.107.246.42	192.168.2.6
Sep 3, 2024 21:45:05.080946922 CEST	443	49728	13.107.246.42	192.168.2.6
Sep 3, 2024 21:45:05.080982924 CEST	49728	443	192.168.2.6	13.107.246.42
Sep 3, 2024 21:45:05.081007004 CEST	443	49728	13.107.246.42	192.168.2.6
Sep 3, 2024 21:45:05.081018925 CEST	49728	443	192.168.2.6	13.107.246.42
Sep 3, 2024 21:45:05.081041098 CEST	49728	443	192.168.2.6	13.107.246.42
Sep 3, 2024 21:45:05.081078053 CEST	443	49728	13.107.246.42	192.168.2.6
Sep 3, 2024 21:45:05.081240892 CEST	49728	443	192.168.2.6	13.107.246.42
Sep 3, 2024 21:45:05.089059114 CEST	443	49729	13.107.246.42	192.168.2.6
Sep 3, 2024 21:45:05.089078903 CEST	443	49729	13.107.246.42	192.168.2.6
Sep 3, 2024 21:45:05.089085102 CEST	443	49729	13.107.246.42	192.168.2.6
Sep 3, 2024 21:45:05.089122057 CEST	443	49729	13.107.246.42	192.168.2.6
Sep 3, 2024 21:45:05.089129925 CEST	49729	443	192.168.2.6	13.107.246.42
Sep 3, 2024 21:45:05.089134932 CEST	443	49729	13.107.246.42	192.168.2.6
Sep 3, 2024 21:45:05.089143991 CEST	443	49729	13.107.246.42	192.168.2.6
Sep 3, 2024 21:45:05.089159012 CEST	443	49729	13.107.246.42	192.168.2.6
Sep 3, 2024 21:45:05.089234114 CEST	49729	443	192.168.2.6	13.107.246.42
Sep 3, 2024 21:45:05.089234114 CEST	49729	443	192.168.2.6	13.107.246.42
Sep 3, 2024 21:45:05.089234114 CEST	49729	443	192.168.2.6	13.107.246.42
Sep 3, 2024 21:45:05.150132895 CEST	49728	443	192.168.2.6	13.107.246.42
Sep 3, 2024 21:45:05.150161028 CEST	443	49728	13.107.246.42	192.168.2.6
Sep 3, 2024 21:45:05.176301956 CEST	443	49729	13.107.246.42	192.168.2.6
Sep 3, 2024 21:45:05.176311016 CEST	443	49729	13.107.246.42	192.168.2.6
Sep 3, 2024 21:45:05.176342964 CEST	443	49729	13.107.246.42	192.168.2.6
Sep 3, 2024 21:45:05.176386118 CEST	49729	443	192.168.2.6	13.107.246.42
Sep 3, 2024 21:45:05.176397085 CEST	443	49729	13.107.246.42	192.168.2.6
Sep 3, 2024 21:45:05.176441908 CEST	49729	443	192.168.2.6	13.107.246.42
Sep 3, 2024 21:45:05.176441908 CEST	49729	443	192.168.2.6	13.107.246.42
Sep 3, 2024 21:45:05.177952051 CEST	443	49729	13.107.246.42	192.168.2.6
Sep 3, 2024 21:45:05.177968025 CEST	443	49729	13.107.246.42	192.168.2.6
Sep 3, 2024 21:45:05.178026915 CEST	49729	443	192.168.2.6	13.107.246.42
Sep 3, 2024 21:45:05.178026915 CEST	49729	443	192.168.2.6	13.107.246.42
Sep 3, 2024 21:45:05.178033113 CEST	443	49729	13.107.246.42	192.168.2.6
Sep 3, 2024 21:45:05.178109884 CEST	49729	443	192.168.2.6	13.107.246.42
Sep 3, 2024 21:45:05.264457941 CEST	443	49729	13.107.246.42	192.168.2.6
Sep 3, 2024 21:45:05.264508963 CEST	443	49729	13.107.246.42	192.168.2.6
Sep 3, 2024 21:45:05.264558077 CEST	49729	443	192.168.2.6	13.107.246.42
Sep 3, 2024 21:45:05.264570951 CEST	443	49729	13.107.246.42	192.168.2.6
Sep 3, 2024 21:45:05.264585972 CEST	443	49729	13.107.246.42	192.168.2.6
Sep 3, 2024 21:45:05.264631033 CEST	49729	443	192.168.2.6	13.107.246.42
Sep 3, 2024 21:45:05.264631033 CEST	49729	443	192.168.2.6	13.107.246.42
Sep 3, 2024 21:45:05.264637947 CEST	443	49729	13.107.246.42	192.168.2.6
Sep 3, 2024 21:45:05.264659882 CEST	49729	443	192.168.2.6	13.107.246.42
Sep 3, 2024 21:45:05.264695883 CEST	443	49729	13.107.246.42	192.168.2.6
Sep 3, 2024 21:45:05.264767885 CEST	49729	443	192.168.2.6	13.107.246.42
Sep 3, 2024 21:45:05.271361113 CEST	49729	443	192.168.2.6	13.107.246.42
Sep 3, 2024 21:45:05.271373034 CEST	443	49729	13.107.246.42	192.168.2.6
Sep 3, 2024 21:45:05.611694098 CEST	49736	443	192.168.2.6	162.159.61.3
Sep 3, 2024 21:45:05.611737013 CEST	443	49736	162.159.61.3	192.168.2.6
Sep 3, 2024 21:45:05.611851931 CEST	49736	443	192.168.2.6	162.159.61.3
Sep 3, 2024 21:45:05.612171888 CEST	49736	443	192.168.2.6	162.159.61.3
Sep 3, 2024 21:45:05.612189054 CEST	443	49736	162.159.61.3	192.168.2.6
Sep 3, 2024 21:45:05.612449884 CEST	49737	443	192.168.2.6	172.64.41.3
Sep 3, 2024 21:45:05.612457991 CEST	443	49737	172.64.41.3	192.168.2.6
Sep 3, 2024 21:45:05.612577915 CEST	49737	443	192.168.2.6	172.64.41.3
Sep 3, 2024 21:45:05.612844944 CEST	49738	443	192.168.2.6	162.159.61.3
Sep 3, 2024 21:45:05.612889051 CEST	49737	443	192.168.2.6	172.64.41.3
Sep 3, 2024 21:45:05.612891912 CEST	443	49738	162.159.61.3	192.168.2.6
Sep 3, 2024 21:45:05.612901926 CEST	443	49737	172.64.41.3	192.168.2.6
Sep 3, 2024 21:45:05.612994909 CEST	49738	443	192.168.2.6	162.159.61.3
Sep 3, 2024 21:45:05.613219976 CEST	49738	443	192.168.2.6	162.159.61.3
Sep 3, 2024 21:45:05.613239050 CEST	443	49738	162.159.61.3	192.168.2.6
Sep 3, 2024 21:45:05.613548040 CEST	49739	443	192.168.2.6	162.159.61.3
Sep 3, 2024 21:45:05.613554955 CEST	443	49739	162.159.61.3	192.168.2.6
Sep 3, 2024 21:45:05.613616943 CEST	49739	443	192.168.2.6	162.159.61.3
Sep 3, 2024 21:45:05.613786936 CEST	49739	443	192.168.2.6	162.159.61.3
Sep 3, 2024 21:45:05.613799095 CEST	443	49739	162.159.61.3	192.168.2.6
Sep 3, 2024 21:45:05.669281960 CEST	49740	443	192.168.2.6	172.64.41.3
Sep 3, 2024 21:45:05.669313908 CEST	443	49740	172.64.41.3	192.168.2.6
Sep 3, 2024 21:45:05.669547081 CEST	49740	443	192.168.2.6	172.64.41.3
Sep 3, 2024 21:45:05.670197010 CEST	49740	443	192.168.2.6	172.64.41.3
Sep 3, 2024 21:45:05.670211077 CEST	443	49740	172.64.41.3	192.168.2.6
Sep 3, 2024 21:45:06.026669979 CEST	49741	443	192.168.2.6	184.28.90.27
Sep 3, 2024 21:45:06.026696920 CEST	443	49741	184.28.90.27	192.168.2.6
Sep 3, 2024 21:45:06.026887894 CEST	49741	443	192.168.2.6	184.28.90.27
Sep 3, 2024 21:45:06.028732061 CEST	49741	443	192.168.2.6	184.28.90.27
Sep 3, 2024 21:45:06.028742075 CEST	443	49741	184.28.90.27	192.168.2.6
Sep 3, 2024 21:45:06.080620050 CEST	443	49739	162.159.61.3	192.168.2.6
Sep 3, 2024 21:45:06.080895901 CEST	49739	443	192.168.2.6	162.159.61.3
Sep 3, 2024 21:45:06.080913067 CEST	443	49739	162.159.61.3	192.168.2.6
Sep 3, 2024 21:45:06.081160069 CEST	443	49737	172.64.41.3	192.168.2.6
Sep 3, 2024 21:45:06.081370115 CEST	49737	443	192.168.2.6	172.64.41.3
Sep 3, 2024 21:45:06.081377983 CEST	443	49737	172.64.41.3	192.168.2.6
Sep 3, 2024 21:45:06.081963062 CEST	443	49739	162.159.61.3	192.168.2.6
Sep 3, 2024 21:45:06.082027912 CEST	49739	443	192.168.2.6	162.159.61.3
Sep 3, 2024 21:45:06.082484007 CEST	443	49737	172.64.41.3	192.168.2.6
Sep 3, 2024 21:45:06.082551003 CEST	49737	443	192.168.2.6	172.64.41.3
Sep 3, 2024 21:45:06.083462954 CEST	49739	443	192.168.2.6	162.159.61.3
Sep 3, 2024 21:45:06.083540916 CEST	443	49739	162.159.61.3	192.168.2.6
Sep 3, 2024 21:45:06.083611012 CEST	49737	443	192.168.2.6	172.64.41.3
Sep 3, 2024 21:45:06.083718061 CEST	49739	443	192.168.2.6	162.159.61.3
Sep 3, 2024 21:45:06.083724976 CEST	443	49739	162.159.61.3	192.168.2.6
Sep 3, 2024 21:45:06.083760023 CEST	443	49737	172.64.41.3	192.168.2.6
Sep 3, 2024 21:45:06.083825111 CEST	49737	443	192.168.2.6	172.64.41.3
Sep 3, 2024 21:45:06.085455894 CEST	443	49736	162.159.61.3	192.168.2.6
Sep 3, 2024 21:45:06.085481882 CEST	443	49738	162.159.61.3	192.168.2.6
Sep 3, 2024 21:45:06.085643053 CEST	49736	443	192.168.2.6	162.159.61.3
Sep 3, 2024 21:45:06.085650921 CEST	443	49736	162.159.61.3	192.168.2.6
Sep 3, 2024 21:45:06.085743904 CEST	49738	443	192.168.2.6	162.159.61.3
Sep 3, 2024 21:45:06.085762024 CEST	443	49738	162.159.61.3	192.168.2.6
Sep 3, 2024 21:45:06.086704969 CEST	443	49736	162.159.61.3	192.168.2.6
Sep 3, 2024 21:45:06.086777925 CEST	443	49738	162.159.61.3	192.168.2.6
Sep 3, 2024 21:45:06.086791992 CEST	49736	443	192.168.2.6	162.159.61.3
Sep 3, 2024 21:45:06.086833954 CEST	49738	443	192.168.2.6	162.159.61.3
Sep 3, 2024 21:45:06.088331938 CEST	49738	443	192.168.2.6	162.159.61.3
Sep 3, 2024 21:45:06.088443041 CEST	443	49738	162.159.61.3	192.168.2.6
Sep 3, 2024 21:45:06.088501930 CEST	49736	443	192.168.2.6	162.159.61.3
Sep 3, 2024 21:45:06.088538885 CEST	49738	443	192.168.2.6	162.159.61.3
Sep 3, 2024 21:45:06.088548899 CEST	443	49738	162.159.61.3	192.168.2.6
Sep 3, 2024 21:45:06.088579893 CEST	443	49736	162.159.61.3	192.168.2.6
Sep 3, 2024 21:45:06.088649988 CEST	49736	443	192.168.2.6	162.159.61.3
Sep 3, 2024 21:45:06.088656902 CEST	443	49736	162.159.61.3	192.168.2.6
Sep 3, 2024 21:45:06.128498077 CEST	443	49737	172.64.41.3	192.168.2.6
Sep 3, 2024 21:45:06.129264116 CEST	443	49740	172.64.41.3	192.168.2.6
Sep 3, 2024 21:45:06.129812002 CEST	49740	443	192.168.2.6	172.64.41.3
Sep 3, 2024 21:45:06.129826069 CEST	443	49740	172.64.41.3	192.168.2.6
Sep 3, 2024 21:45:06.130819082 CEST	443	49740	172.64.41.3	192.168.2.6
Sep 3, 2024 21:45:06.130894899 CEST	49740	443	192.168.2.6	172.64.41.3
Sep 3, 2024 21:45:06.132002115 CEST	49740	443	192.168.2.6	172.64.41.3
Sep 3, 2024 21:45:06.132074118 CEST	443	49740	172.64.41.3	192.168.2.6
Sep 3, 2024 21:45:06.132155895 CEST	49740	443	192.168.2.6	172.64.41.3
Sep 3, 2024 21:45:06.133672953 CEST	49739	443	192.168.2.6	162.159.61.3
Sep 3, 2024 21:45:06.133672953 CEST	49737	443	192.168.2.6	172.64.41.3
Sep 3, 2024 21:45:06.133683920 CEST	443	49737	172.64.41.3	192.168.2.6
Sep 3, 2024 21:45:06.133723021 CEST	49738	443	192.168.2.6	162.159.61.3
Sep 3, 2024 21:45:06.133749962 CEST	49736	443	192.168.2.6	162.159.61.3
Sep 3, 2024 21:45:06.173238039 CEST	49740	443	192.168.2.6	172.64.41.3
Sep 3, 2024 21:45:06.173250914 CEST	443	49740	172.64.41.3	192.168.2.6
Sep 3, 2024 21:45:06.183551073 CEST	49737	443	192.168.2.6	172.64.41.3
Sep 3, 2024 21:45:06.206610918 CEST	443	49739	162.159.61.3	192.168.2.6
Sep 3, 2024 21:45:06.206691980 CEST	443	49739	162.159.61.3	192.168.2.6
Sep 3, 2024 21:45:06.206820965 CEST	49739	443	192.168.2.6	162.159.61.3
Sep 3, 2024 21:45:06.206979990 CEST	49739	443	192.168.2.6	162.159.61.3
Sep 3, 2024 21:45:06.206995964 CEST	443	49739	162.159.61.3	192.168.2.6
Sep 3, 2024 21:45:06.207093954 CEST	443	49737	172.64.41.3	192.168.2.6
Sep 3, 2024 21:45:06.207175970 CEST	443	49737	172.64.41.3	192.168.2.6
Sep 3, 2024 21:45:06.207245111 CEST	49737	443	192.168.2.6	172.64.41.3
Sep 3, 2024 21:45:06.207380056 CEST	49737	443	192.168.2.6	172.64.41.3
Sep 3, 2024 21:45:06.207385063 CEST	443	49737	172.64.41.3	192.168.2.6
Sep 3, 2024 21:45:06.208089113 CEST	443	49738	162.159.61.3	192.168.2.6
Sep 3, 2024 21:45:06.208147049 CEST	443	49738	162.159.61.3	192.168.2.6
Sep 3, 2024 21:45:06.208204031 CEST	49738	443	192.168.2.6	162.159.61.3
Sep 3, 2024 21:45:06.208323002 CEST	49738	443	192.168.2.6	162.159.61.3
Sep 3, 2024 21:45:06.208338022 CEST	443	49738	162.159.61.3	192.168.2.6
Sep 3, 2024 21:45:06.209068060 CEST	443	49736	162.159.61.3	192.168.2.6
Sep 3, 2024 21:45:06.209131002 CEST	443	49736	162.159.61.3	192.168.2.6
Sep 3, 2024 21:45:06.209194899 CEST	49736	443	192.168.2.6	162.159.61.3
Sep 3, 2024 21:45:06.209279060 CEST	49736	443	192.168.2.6	162.159.61.3
Sep 3, 2024 21:45:06.209284067 CEST	443	49736	162.159.61.3	192.168.2.6
Sep 3, 2024 21:45:06.212826967 CEST	49740	443	192.168.2.6	172.64.41.3
Sep 3, 2024 21:45:06.251759052 CEST	443	49740	172.64.41.3	192.168.2.6
Sep 3, 2024 21:45:06.251816034 CEST	443	49740	172.64.41.3	192.168.2.6
Sep 3, 2024 21:45:06.251889944 CEST	49740	443	192.168.2.6	172.64.41.3
Sep 3, 2024 21:45:06.252010107 CEST	49740	443	192.168.2.6	172.64.41.3
Sep 3, 2024 21:45:06.252031088 CEST	443	49740	172.64.41.3	192.168.2.6
Sep 3, 2024 21:45:06.613699913 CEST	443	49705	173.222.162.64	192.168.2.6
Sep 3, 2024 21:45:06.613800049 CEST	49705	443	192.168.2.6	173.222.162.64
Sep 3, 2024 21:45:06.676659107 CEST	443	49741	184.28.90.27	192.168.2.6
Sep 3, 2024 21:45:06.676740885 CEST	49741	443	192.168.2.6	184.28.90.27
Sep 3, 2024 21:45:06.679416895 CEST	49741	443	192.168.2.6	184.28.90.27
Sep 3, 2024 21:45:06.679423094 CEST	443	49741	184.28.90.27	192.168.2.6
Sep 3, 2024 21:45:06.679934025 CEST	443	49741	184.28.90.27	192.168.2.6
Sep 3, 2024 21:45:06.727833986 CEST	49741	443	192.168.2.6	184.28.90.27
Sep 3, 2024 21:45:06.768510103 CEST	443	49741	184.28.90.27	192.168.2.6
Sep 3, 2024 21:45:06.949151039 CEST	443	49741	184.28.90.27	192.168.2.6
Sep 3, 2024 21:45:06.949223042 CEST	443	49741	184.28.90.27	192.168.2.6
Sep 3, 2024 21:45:06.949359894 CEST	49741	443	192.168.2.6	184.28.90.27
Sep 3, 2024 21:45:06.949532986 CEST	49741	443	192.168.2.6	184.28.90.27
Sep 3, 2024 21:45:06.949546099 CEST	443	49741	184.28.90.27	192.168.2.6
Sep 3, 2024 21:45:07.022517920 CEST	49742	443	192.168.2.6	184.28.90.27
Sep 3, 2024 21:45:07.022543907 CEST	443	49742	184.28.90.27	192.168.2.6
Sep 3, 2024 21:45:07.022610903 CEST	49742	443	192.168.2.6	184.28.90.27
Sep 3, 2024 21:45:07.025357008 CEST	49742	443	192.168.2.6	184.28.90.27
Sep 3, 2024 21:45:07.025369883 CEST	443	49742	184.28.90.27	192.168.2.6
Sep 3, 2024 21:45:07.103219032 CEST	49743	443	192.168.2.6	172.64.41.3
Sep 3, 2024 21:45:07.103260040 CEST	443	49743	172.64.41.3	192.168.2.6
Sep 3, 2024 21:45:07.103328943 CEST	49743	443	192.168.2.6	172.64.41.3
Sep 3, 2024 21:45:07.103799105 CEST	49744	443	192.168.2.6	172.64.41.3
Sep 3, 2024 21:45:07.103838921 CEST	443	49744	172.64.41.3	192.168.2.6
Sep 3, 2024 21:45:07.103898048 CEST	49744	443	192.168.2.6	172.64.41.3
Sep 3, 2024 21:45:07.104232073 CEST	49743	443	192.168.2.6	172.64.41.3
Sep 3, 2024 21:45:07.104254961 CEST	443	49743	172.64.41.3	192.168.2.6
Sep 3, 2024 21:45:07.104422092 CEST	49744	443	192.168.2.6	172.64.41.3
Sep 3, 2024 21:45:07.104437113 CEST	443	49744	172.64.41.3	192.168.2.6
Sep 3, 2024 21:45:07.571615934 CEST	443	49744	172.64.41.3	192.168.2.6
Sep 3, 2024 21:45:07.582154036 CEST	443	49743	172.64.41.3	192.168.2.6
Sep 3, 2024 21:45:07.597645044 CEST	49743	443	192.168.2.6	172.64.41.3
Sep 3, 2024 21:45:07.597673893 CEST	443	49743	172.64.41.3	192.168.2.6
Sep 3, 2024 21:45:07.598038912 CEST	49744	443	192.168.2.6	172.64.41.3
Sep 3, 2024 21:45:07.598058939 CEST	443	49744	172.64.41.3	192.168.2.6
Sep 3, 2024 21:45:07.598063946 CEST	443	49743	172.64.41.3	192.168.2.6
Sep 3, 2024 21:45:07.598546028 CEST	443	49744	172.64.41.3	192.168.2.6
Sep 3, 2024 21:45:07.652244091 CEST	49744	443	192.168.2.6	172.64.41.3
Sep 3, 2024 21:45:07.652271986 CEST	49743	443	192.168.2.6	172.64.41.3
Sep 3, 2024 21:45:07.661067963 CEST	443	49742	184.28.90.27	192.168.2.6
Sep 3, 2024 21:45:07.661155939 CEST	49742	443	192.168.2.6	184.28.90.27
Sep 3, 2024 21:45:07.679984093 CEST	49743	443	192.168.2.6	172.64.41.3
Sep 3, 2024 21:45:07.680145979 CEST	443	49743	172.64.41.3	192.168.2.6
Sep 3, 2024 21:45:07.680718899 CEST	49744	443	192.168.2.6	172.64.41.3
Sep 3, 2024 21:45:07.680911064 CEST	443	49744	172.64.41.3	192.168.2.6
Sep 3, 2024 21:45:07.729098082 CEST	49743	443	192.168.2.6	172.64.41.3
Sep 3, 2024 21:45:07.729235888 CEST	49744	443	192.168.2.6	172.64.41.3
Sep 3, 2024 21:45:07.848304987 CEST	49742	443	192.168.2.6	184.28.90.27
Sep 3, 2024 21:45:07.848329067 CEST	443	49742	184.28.90.27	192.168.2.6
Sep 3, 2024 21:45:07.848680973 CEST	443	49742	184.28.90.27	192.168.2.6
Sep 3, 2024 21:45:07.865930080 CEST	49742	443	192.168.2.6	184.28.90.27
Sep 3, 2024 21:45:07.908502102 CEST	443	49742	184.28.90.27	192.168.2.6
Sep 3, 2024 21:45:07.910702944 CEST	49745	443	192.168.2.6	142.250.65.174
Sep 3, 2024 21:45:07.910737038 CEST	443	49745	142.250.65.174	192.168.2.6
Sep 3, 2024 21:45:07.910820007 CEST	49746	443	192.168.2.6	142.250.65.174
Sep 3, 2024 21:45:07.910826921 CEST	443	49746	142.250.65.174	192.168.2.6
Sep 3, 2024 21:45:07.910857916 CEST	49745	443	192.168.2.6	142.250.65.174
Sep 3, 2024 21:45:07.910887003 CEST	49746	443	192.168.2.6	142.250.65.174
Sep 3, 2024 21:45:07.912683010 CEST	49745	443	192.168.2.6	142.250.65.174
Sep 3, 2024 21:45:07.912695885 CEST	443	49745	142.250.65.174	192.168.2.6
Sep 3, 2024 21:45:07.912909985 CEST	49746	443	192.168.2.6	142.250.65.174
Sep 3, 2024 21:45:07.912920952 CEST	443	49746	142.250.65.174	192.168.2.6
Sep 3, 2024 21:45:08.051747084 CEST	443	49742	184.28.90.27	192.168.2.6
Sep 3, 2024 21:45:08.051826000 CEST	443	49742	184.28.90.27	192.168.2.6
Sep 3, 2024 21:45:08.051887035 CEST	49742	443	192.168.2.6	184.28.90.27
Sep 3, 2024 21:45:08.054987907 CEST	49742	443	192.168.2.6	184.28.90.27
Sep 3, 2024 21:45:08.055003881 CEST	443	49742	184.28.90.27	192.168.2.6
Sep 3, 2024 21:45:08.127100945 CEST	49747	443	192.168.2.6	142.250.65.164
Sep 3, 2024 21:45:08.127136946 CEST	443	49747	142.250.65.164	192.168.2.6
Sep 3, 2024 21:45:08.127391100 CEST	49747	443	192.168.2.6	142.250.65.164
Sep 3, 2024 21:45:08.127598047 CEST	49747	443	192.168.2.6	142.250.65.164
Sep 3, 2024 21:45:08.127610922 CEST	443	49747	142.250.65.164	192.168.2.6
Sep 3, 2024 21:45:08.388114929 CEST	443	49745	142.250.65.174	192.168.2.6
Sep 3, 2024 21:45:08.388391018 CEST	49745	443	192.168.2.6	142.250.65.174
Sep 3, 2024 21:45:08.388411999 CEST	443	49745	142.250.65.174	192.168.2.6
Sep 3, 2024 21:45:08.388807058 CEST	443	49745	142.250.65.174	192.168.2.6
Sep 3, 2024 21:45:08.388868093 CEST	49745	443	192.168.2.6	142.250.65.174
Sep 3, 2024 21:45:08.389550924 CEST	443	49745	142.250.65.174	192.168.2.6
Sep 3, 2024 21:45:08.389609098 CEST	49745	443	192.168.2.6	142.250.65.174
Sep 3, 2024 21:45:08.390577078 CEST	49745	443	192.168.2.6	142.250.65.174
Sep 3, 2024 21:45:08.390636921 CEST	443	49745	142.250.65.174	192.168.2.6
Sep 3, 2024 21:45:08.390794039 CEST	49745	443	192.168.2.6	142.250.65.174
Sep 3, 2024 21:45:08.390801907 CEST	443	49745	142.250.65.174	192.168.2.6
Sep 3, 2024 21:45:08.410145998 CEST	443	49746	142.250.65.174	192.168.2.6
Sep 3, 2024 21:45:08.410350084 CEST	49746	443	192.168.2.6	142.250.65.174
Sep 3, 2024 21:45:08.410361052 CEST	443	49746	142.250.65.174	192.168.2.6
Sep 3, 2024 21:45:08.410763979 CEST	443	49746	142.250.65.174	192.168.2.6
Sep 3, 2024 21:45:08.410825968 CEST	49746	443	192.168.2.6	142.250.65.174
Sep 3, 2024 21:45:08.411492109 CEST	443	49746	142.250.65.174	192.168.2.6
Sep 3, 2024 21:45:08.411550999 CEST	49746	443	192.168.2.6	142.250.65.174
Sep 3, 2024 21:45:08.411720037 CEST	49746	443	192.168.2.6	142.250.65.174
Sep 3, 2024 21:45:08.411781073 CEST	443	49746	142.250.65.174	192.168.2.6
Sep 3, 2024 21:45:08.411895037 CEST	49746	443	192.168.2.6	142.250.65.174
Sep 3, 2024 21:45:08.411900997 CEST	443	49746	142.250.65.174	192.168.2.6
Sep 3, 2024 21:45:08.431857109 CEST	49745	443	192.168.2.6	142.250.65.174
Sep 3, 2024 21:45:08.462413073 CEST	49746	443	192.168.2.6	142.250.65.174
Sep 3, 2024 21:45:08.566107035 CEST	443	49745	142.250.65.174	192.168.2.6
Sep 3, 2024 21:45:08.567167044 CEST	49745	443	192.168.2.6	142.250.65.174
Sep 3, 2024 21:45:08.567238092 CEST	443	49745	142.250.65.174	192.168.2.6
Sep 3, 2024 21:45:08.567400932 CEST	443	49745	142.250.65.174	192.168.2.6
Sep 3, 2024 21:45:08.567465067 CEST	49745	443	192.168.2.6	142.250.65.174
Sep 3, 2024 21:45:08.567495108 CEST	49745	443	192.168.2.6	142.250.65.174
Sep 3, 2024 21:45:08.591936111 CEST	443	49747	142.250.65.164	192.168.2.6
Sep 3, 2024 21:45:08.592874050 CEST	443	49746	142.250.65.174	192.168.2.6
Sep 3, 2024 21:45:08.595127106 CEST	443	49746	142.250.65.174	192.168.2.6
Sep 3, 2024 21:45:08.595216036 CEST	49746	443	192.168.2.6	142.250.65.174
Sep 3, 2024 21:45:08.619872093 CEST	49746	443	192.168.2.6	142.250.65.174
Sep 3, 2024 21:45:08.619899988 CEST	443	49746	142.250.65.174	192.168.2.6
Sep 3, 2024 21:45:08.620965958 CEST	49747	443	192.168.2.6	142.250.65.164
Sep 3, 2024 21:45:08.620980978 CEST	443	49747	142.250.65.164	192.168.2.6
Sep 3, 2024 21:45:08.622092962 CEST	443	49747	142.250.65.164	192.168.2.6
Sep 3, 2024 21:45:08.622188091 CEST	49747	443	192.168.2.6	142.250.65.164
Sep 3, 2024 21:45:08.623368025 CEST	49747	443	192.168.2.6	142.250.65.164
Sep 3, 2024 21:45:08.623430014 CEST	443	49747	142.250.65.164	192.168.2.6
Sep 3, 2024 21:45:08.623836040 CEST	49747	443	192.168.2.6	142.250.65.164
Sep 3, 2024 21:45:08.623845100 CEST	443	49747	142.250.65.164	192.168.2.6
Sep 3, 2024 21:45:08.665412903 CEST	49747	443	192.168.2.6	142.250.65.164
Sep 3, 2024 21:45:08.721138000 CEST	443	49747	142.250.65.164	192.168.2.6
Sep 3, 2024 21:45:08.721189976 CEST	443	49747	142.250.65.164	192.168.2.6
Sep 3, 2024 21:45:08.721223116 CEST	443	49747	142.250.65.164	192.168.2.6
Sep 3, 2024 21:45:08.721252918 CEST	443	49747	142.250.65.164	192.168.2.6
Sep 3, 2024 21:45:08.721257925 CEST	49747	443	192.168.2.6	142.250.65.164
Sep 3, 2024 21:45:08.721266985 CEST	443	49747	142.250.65.164	192.168.2.6
Sep 3, 2024 21:45:08.721307993 CEST	49747	443	192.168.2.6	142.250.65.164
Sep 3, 2024 21:45:08.721394062 CEST	443	49747	142.250.65.164	192.168.2.6
Sep 3, 2024 21:45:08.721455097 CEST	49747	443	192.168.2.6	142.250.65.164
Sep 3, 2024 21:45:08.723347902 CEST	49747	443	192.168.2.6	142.250.65.164
Sep 3, 2024 21:45:08.723365068 CEST	443	49747	142.250.65.164	192.168.2.6
Sep 3, 2024 21:45:08.870839119 CEST	49748	443	192.168.2.6	142.250.65.174
Sep 3, 2024 21:45:08.870872021 CEST	443	49748	142.250.65.174	192.168.2.6
Sep 3, 2024 21:45:08.870975018 CEST	49748	443	192.168.2.6	142.250.65.174
Sep 3, 2024 21:45:08.871217012 CEST	49748	443	192.168.2.6	142.250.65.174
Sep 3, 2024 21:45:08.871231079 CEST	443	49748	142.250.65.174	192.168.2.6
Sep 3, 2024 21:45:08.938682079 CEST	49749	443	192.168.2.6	142.250.65.174
Sep 3, 2024 21:45:08.938714981 CEST	443	49749	142.250.65.174	192.168.2.6
Sep 3, 2024 21:45:08.938905954 CEST	49749	443	192.168.2.6	142.250.65.174
Sep 3, 2024 21:45:08.939263105 CEST	49749	443	192.168.2.6	142.250.65.174
Sep 3, 2024 21:45:08.939276934 CEST	443	49749	142.250.65.174	192.168.2.6
Sep 3, 2024 21:45:09.339102983 CEST	443	49748	142.250.65.174	192.168.2.6
Sep 3, 2024 21:45:09.339621067 CEST	49748	443	192.168.2.6	142.250.65.174
Sep 3, 2024 21:45:09.339648008 CEST	443	49748	142.250.65.174	192.168.2.6
Sep 3, 2024 21:45:09.340003014 CEST	443	49748	142.250.65.174	192.168.2.6
Sep 3, 2024 21:45:09.340066910 CEST	49748	443	192.168.2.6	142.250.65.174
Sep 3, 2024 21:45:09.340727091 CEST	443	49748	142.250.65.174	192.168.2.6
Sep 3, 2024 21:45:09.340784073 CEST	49748	443	192.168.2.6	142.250.65.174
Sep 3, 2024 21:45:09.341120005 CEST	49748	443	192.168.2.6	142.250.65.174
Sep 3, 2024 21:45:09.341182947 CEST	443	49748	142.250.65.174	192.168.2.6
Sep 3, 2024 21:45:09.383668900 CEST	49748	443	192.168.2.6	142.250.65.174
Sep 3, 2024 21:45:09.383678913 CEST	443	49748	142.250.65.174	192.168.2.6
Sep 3, 2024 21:45:09.402792931 CEST	443	49749	142.250.65.174	192.168.2.6
Sep 3, 2024 21:45:09.403078079 CEST	49749	443	192.168.2.6	142.250.65.174
Sep 3, 2024 21:45:09.403095961 CEST	443	49749	142.250.65.174	192.168.2.6
Sep 3, 2024 21:45:09.403464079 CEST	443	49749	142.250.65.174	192.168.2.6
Sep 3, 2024 21:45:09.403527975 CEST	49749	443	192.168.2.6	142.250.65.174
Sep 3, 2024 21:45:09.404201031 CEST	443	49749	142.250.65.174	192.168.2.6
Sep 3, 2024 21:45:09.404253006 CEST	49749	443	192.168.2.6	142.250.65.174
Sep 3, 2024 21:45:09.404447079 CEST	49749	443	192.168.2.6	142.250.65.174
Sep 3, 2024 21:45:09.404514074 CEST	443	49749	142.250.65.174	192.168.2.6
Sep 3, 2024 21:45:09.430543900 CEST	49748	443	192.168.2.6	142.250.65.174
Sep 3, 2024 21:45:09.446176052 CEST	49749	443	192.168.2.6	142.250.65.174
Sep 3, 2024 21:45:09.446190119 CEST	443	49749	142.250.65.174	192.168.2.6
Sep 3, 2024 21:45:09.493036032 CEST	49749	443	192.168.2.6	142.250.65.174
Sep 3, 2024 21:45:13.063549042 CEST	49750	443	192.168.2.6	20.197.71.89
Sep 3, 2024 21:45:13.063596964 CEST	443	49750	20.197.71.89	192.168.2.6
Sep 3, 2024 21:45:13.063678980 CEST	49750	443	192.168.2.6	20.197.71.89
Sep 3, 2024 21:45:13.064229965 CEST	49750	443	192.168.2.6	20.197.71.89
Sep 3, 2024 21:45:13.064239025 CEST	443	49750	20.197.71.89	192.168.2.6
Sep 3, 2024 21:45:14.303919077 CEST	443	49750	20.197.71.89	192.168.2.6
Sep 3, 2024 21:45:14.304023027 CEST	49750	443	192.168.2.6	20.197.71.89
Sep 3, 2024 21:45:14.305989027 CEST	49750	443	192.168.2.6	20.197.71.89
Sep 3, 2024 21:45:14.306001902 CEST	443	49750	20.197.71.89	192.168.2.6
Sep 3, 2024 21:45:14.306247950 CEST	443	49750	20.197.71.89	192.168.2.6
Sep 3, 2024 21:45:14.352564096 CEST	49750	443	192.168.2.6	20.197.71.89
Sep 3, 2024 21:45:14.381987095 CEST	49750	443	192.168.2.6	20.197.71.89
Sep 3, 2024 21:45:14.382042885 CEST	49750	443	192.168.2.6	20.197.71.89
Sep 3, 2024 21:45:14.382051945 CEST	443	49750	20.197.71.89	192.168.2.6
Sep 3, 2024 21:45:14.382380962 CEST	49750	443	192.168.2.6	20.197.71.89
Sep 3, 2024 21:45:14.428503990 CEST	443	49750	20.197.71.89	192.168.2.6
Sep 3, 2024 21:45:14.704859972 CEST	443	49750	20.197.71.89	192.168.2.6
Sep 3, 2024 21:45:14.704981089 CEST	443	49750	20.197.71.89	192.168.2.6
Sep 3, 2024 21:45:14.705040932 CEST	49750	443	192.168.2.6	20.197.71.89
Sep 3, 2024 21:45:14.705111027 CEST	49750	443	192.168.2.6	20.197.71.89
Sep 3, 2024 21:45:14.705127954 CEST	443	49750	20.197.71.89	192.168.2.6
Sep 3, 2024 21:45:15.372266054 CEST	49751	443	192.168.2.6	40.127.169.103
Sep 3, 2024 21:45:15.372294903 CEST	443	49751	40.127.169.103	192.168.2.6
Sep 3, 2024 21:45:15.372441053 CEST	49751	443	192.168.2.6	40.127.169.103
Sep 3, 2024 21:45:15.373343945 CEST	49751	443	192.168.2.6	40.127.169.103
Sep 3, 2024 21:45:15.373356104 CEST	443	49751	40.127.169.103	192.168.2.6
Sep 3, 2024 21:45:16.159715891 CEST	443	49751	40.127.169.103	192.168.2.6
Sep 3, 2024 21:45:16.159801960 CEST	49751	443	192.168.2.6	40.127.169.103
Sep 3, 2024 21:45:16.161377907 CEST	49751	443	192.168.2.6	40.127.169.103
Sep 3, 2024 21:45:16.161384106 CEST	443	49751	40.127.169.103	192.168.2.6
Sep 3, 2024 21:45:16.161626101 CEST	443	49751	40.127.169.103	192.168.2.6
Sep 3, 2024 21:45:16.211774111 CEST	49751	443	192.168.2.6	40.127.169.103
Sep 3, 2024 21:45:16.267404079 CEST	49751	443	192.168.2.6	40.127.169.103
Sep 3, 2024 21:45:16.308504105 CEST	443	49751	40.127.169.103	192.168.2.6
Sep 3, 2024 21:45:16.527493954 CEST	443	49751	40.127.169.103	192.168.2.6
Sep 3, 2024 21:45:16.527518034 CEST	443	49751	40.127.169.103	192.168.2.6
Sep 3, 2024 21:45:16.527525902 CEST	443	49751	40.127.169.103	192.168.2.6
Sep 3, 2024 21:45:16.527544022 CEST	443	49751	40.127.169.103	192.168.2.6
Sep 3, 2024 21:45:16.527578115 CEST	443	49751	40.127.169.103	192.168.2.6
Sep 3, 2024 21:45:16.527605057 CEST	49751	443	192.168.2.6	40.127.169.103
Sep 3, 2024 21:45:16.527622938 CEST	443	49751	40.127.169.103	192.168.2.6
Sep 3, 2024 21:45:16.527659893 CEST	49751	443	192.168.2.6	40.127.169.103
Sep 3, 2024 21:45:16.527687073 CEST	49751	443	192.168.2.6	40.127.169.103
Sep 3, 2024 21:45:16.529026985 CEST	443	49751	40.127.169.103	192.168.2.6
Sep 3, 2024 21:45:16.529112101 CEST	49751	443	192.168.2.6	40.127.169.103
Sep 3, 2024 21:45:16.529119015 CEST	443	49751	40.127.169.103	192.168.2.6
Sep 3, 2024 21:45:16.529131889 CEST	443	49751	40.127.169.103	192.168.2.6
Sep 3, 2024 21:45:16.529172897 CEST	49751	443	192.168.2.6	40.127.169.103
Sep 3, 2024 21:45:16.549516916 CEST	49751	443	192.168.2.6	40.127.169.103
Sep 3, 2024 21:45:16.549540997 CEST	443	49751	40.127.169.103	192.168.2.6
Sep 3, 2024 21:45:16.549551964 CEST	49751	443	192.168.2.6	40.127.169.103
Sep 3, 2024 21:45:16.549559116 CEST	443	49751	40.127.169.103	192.168.2.6
Sep 3, 2024 21:45:22.479612112 CEST	443	49744	172.64.41.3	192.168.2.6
Sep 3, 2024 21:45:22.479688883 CEST	443	49744	172.64.41.3	192.168.2.6
Sep 3, 2024 21:45:22.479779959 CEST	49744	443	192.168.2.6	172.64.41.3
Sep 3, 2024 21:45:22.488120079 CEST	443	49743	172.64.41.3	192.168.2.6
Sep 3, 2024 21:45:22.488197088 CEST	443	49743	172.64.41.3	192.168.2.6
Sep 3, 2024 21:45:22.488296032 CEST	49743	443	192.168.2.6	172.64.41.3
Sep 3, 2024 21:45:29.798381090 CEST	49755	443	192.168.2.6	20.197.71.89
Sep 3, 2024 21:45:29.798428059 CEST	443	49755	20.197.71.89	192.168.2.6
Sep 3, 2024 21:45:29.798528910 CEST	49755	443	192.168.2.6	20.197.71.89
Sep 3, 2024 21:45:29.799034119 CEST	49755	443	192.168.2.6	20.197.71.89
Sep 3, 2024 21:45:29.799046993 CEST	443	49755	20.197.71.89	192.168.2.6
Sep 3, 2024 21:45:31.042890072 CEST	443	49755	20.197.71.89	192.168.2.6
Sep 3, 2024 21:45:31.043082952 CEST	49755	443	192.168.2.6	20.197.71.89
Sep 3, 2024 21:45:31.047893047 CEST	49755	443	192.168.2.6	20.197.71.89
Sep 3, 2024 21:45:31.047905922 CEST	443	49755	20.197.71.89	192.168.2.6
Sep 3, 2024 21:45:31.048146009 CEST	443	49755	20.197.71.89	192.168.2.6
Sep 3, 2024 21:45:31.050021887 CEST	49755	443	192.168.2.6	20.197.71.89
Sep 3, 2024 21:45:31.050086021 CEST	49755	443	192.168.2.6	20.197.71.89
Sep 3, 2024 21:45:31.050091982 CEST	443	49755	20.197.71.89	192.168.2.6
Sep 3, 2024 21:45:31.050215960 CEST	49755	443	192.168.2.6	20.197.71.89
Sep 3, 2024 21:45:31.092509031 CEST	443	49755	20.197.71.89	192.168.2.6
Sep 3, 2024 21:45:31.374840975 CEST	443	49755	20.197.71.89	192.168.2.6
Sep 3, 2024 21:45:31.375083923 CEST	443	49755	20.197.71.89	192.168.2.6
Sep 3, 2024 21:45:31.375180006 CEST	49755	443	192.168.2.6	20.197.71.89
Sep 3, 2024 21:45:31.375461102 CEST	49755	443	192.168.2.6	20.197.71.89
Sep 3, 2024 21:45:31.375483036 CEST	443	49755	20.197.71.89	192.168.2.6
Sep 3, 2024 21:45:50.065048933 CEST	49756	443	192.168.2.6	20.197.71.89
Sep 3, 2024 21:45:50.065089941 CEST	443	49756	20.197.71.89	192.168.2.6
Sep 3, 2024 21:45:50.065351009 CEST	49756	443	192.168.2.6	20.197.71.89
Sep 3, 2024 21:45:50.066026926 CEST	49756	443	192.168.2.6	20.197.71.89
Sep 3, 2024 21:45:50.066046000 CEST	443	49756	20.197.71.89	192.168.2.6
Sep 3, 2024 21:45:51.363960981 CEST	443	49756	20.197.71.89	192.168.2.6
Sep 3, 2024 21:45:51.364065886 CEST	49756	443	192.168.2.6	20.197.71.89
Sep 3, 2024 21:45:51.365991116 CEST	49756	443	192.168.2.6	20.197.71.89
Sep 3, 2024 21:45:51.366002083 CEST	443	49756	20.197.71.89	192.168.2.6
Sep 3, 2024 21:45:51.366261959 CEST	443	49756	20.197.71.89	192.168.2.6
Sep 3, 2024 21:45:51.368156910 CEST	49756	443	192.168.2.6	20.197.71.89
Sep 3, 2024 21:45:51.368259907 CEST	49756	443	192.168.2.6	20.197.71.89
Sep 3, 2024 21:45:51.368267059 CEST	443	49756	20.197.71.89	192.168.2.6
Sep 3, 2024 21:45:51.368531942 CEST	49756	443	192.168.2.6	20.197.71.89
Sep 3, 2024 21:45:51.416501045 CEST	443	49756	20.197.71.89	192.168.2.6
Sep 3, 2024 21:45:51.708854914 CEST	443	49756	20.197.71.89	192.168.2.6
Sep 3, 2024 21:45:51.709219933 CEST	443	49756	20.197.71.89	192.168.2.6
Sep 3, 2024 21:45:51.709300995 CEST	49756	443	192.168.2.6	20.197.71.89
Sep 3, 2024 21:45:51.710287094 CEST	49756	443	192.168.2.6	20.197.71.89
Sep 3, 2024 21:45:51.710287094 CEST	49756	443	192.168.2.6	20.197.71.89
Sep 3, 2024 21:45:51.710310936 CEST	443	49756	20.197.71.89	192.168.2.6
Sep 3, 2024 21:45:53.471421957 CEST	49757	443	192.168.2.6	40.127.169.103
Sep 3, 2024 21:45:53.471476078 CEST	443	49757	40.127.169.103	192.168.2.6
Sep 3, 2024 21:45:53.471571922 CEST	49757	443	192.168.2.6	40.127.169.103
Sep 3, 2024 21:45:53.471935034 CEST	49757	443	192.168.2.6	40.127.169.103
Sep 3, 2024 21:45:53.471949100 CEST	443	49757	40.127.169.103	192.168.2.6
Sep 3, 2024 21:45:54.296317101 CEST	443	49757	40.127.169.103	192.168.2.6
Sep 3, 2024 21:45:54.296412945 CEST	49757	443	192.168.2.6	40.127.169.103
Sep 3, 2024 21:45:54.297934055 CEST	49757	443	192.168.2.6	40.127.169.103
Sep 3, 2024 21:45:54.297949076 CEST	443	49757	40.127.169.103	192.168.2.6
Sep 3, 2024 21:45:54.298186064 CEST	443	49757	40.127.169.103	192.168.2.6
Sep 3, 2024 21:45:54.305814981 CEST	49757	443	192.168.2.6	40.127.169.103
Sep 3, 2024 21:45:54.352499008 CEST	443	49757	40.127.169.103	192.168.2.6
Sep 3, 2024 21:45:54.384207964 CEST	49748	443	192.168.2.6	142.250.65.174
Sep 3, 2024 21:45:54.384232044 CEST	443	49748	142.250.65.174	192.168.2.6
Sep 3, 2024 21:45:54.446748018 CEST	49749	443	192.168.2.6	142.250.65.174
Sep 3, 2024 21:45:54.446777105 CEST	443	49749	142.250.65.174	192.168.2.6
Sep 3, 2024 21:45:54.634507895 CEST	443	49757	40.127.169.103	192.168.2.6
Sep 3, 2024 21:45:54.634531975 CEST	443	49757	40.127.169.103	192.168.2.6
Sep 3, 2024 21:45:54.634546995 CEST	443	49757	40.127.169.103	192.168.2.6
Sep 3, 2024 21:45:54.634603977 CEST	49757	443	192.168.2.6	40.127.169.103
Sep 3, 2024 21:45:54.634635925 CEST	443	49757	40.127.169.103	192.168.2.6
Sep 3, 2024 21:45:54.634649992 CEST	49757	443	192.168.2.6	40.127.169.103
Sep 3, 2024 21:45:54.634684086 CEST	49757	443	192.168.2.6	40.127.169.103
Sep 3, 2024 21:45:54.635305882 CEST	443	49757	40.127.169.103	192.168.2.6
Sep 3, 2024 21:45:54.635350943 CEST	443	49757	40.127.169.103	192.168.2.6
Sep 3, 2024 21:45:54.635368109 CEST	49757	443	192.168.2.6	40.127.169.103
Sep 3, 2024 21:45:54.635375023 CEST	443	49757	40.127.169.103	192.168.2.6
Sep 3, 2024 21:45:54.635416031 CEST	49757	443	192.168.2.6	40.127.169.103
Sep 3, 2024 21:45:54.635531902 CEST	443	49757	40.127.169.103	192.168.2.6
Sep 3, 2024 21:45:54.635587931 CEST	49757	443	192.168.2.6	40.127.169.103
Sep 3, 2024 21:45:54.638937950 CEST	49757	443	192.168.2.6	40.127.169.103
Sep 3, 2024 21:45:54.638950109 CEST	443	49757	40.127.169.103	192.168.2.6
Sep 3, 2024 21:45:54.638972998 CEST	49757	443	192.168.2.6	40.127.169.103
Sep 3, 2024 21:45:54.638982058 CEST	443	49757	40.127.169.103	192.168.2.6
Sep 3, 2024 21:45:59.701538086 CEST	49758	443	192.168.2.6	162.159.61.3
Sep 3, 2024 21:45:59.701561928 CEST	443	49758	162.159.61.3	192.168.2.6
Sep 3, 2024 21:45:59.701775074 CEST	49758	443	192.168.2.6	162.159.61.3
Sep 3, 2024 21:45:59.701945066 CEST	49759	443	192.168.2.6	162.159.61.3
Sep 3, 2024 21:45:59.701973915 CEST	443	49759	162.159.61.3	192.168.2.6
Sep 3, 2024 21:45:59.702030897 CEST	49759	443	192.168.2.6	162.159.61.3
Sep 3, 2024 21:45:59.702157021 CEST	49758	443	192.168.2.6	162.159.61.3
Sep 3, 2024 21:45:59.702174902 CEST	443	49758	162.159.61.3	192.168.2.6
Sep 3, 2024 21:45:59.702294111 CEST	49759	443	192.168.2.6	162.159.61.3
Sep 3, 2024 21:45:59.702305079 CEST	443	49759	162.159.61.3	192.168.2.6
Sep 3, 2024 21:46:00.154156923 CEST	443	49759	162.159.61.3	192.168.2.6
Sep 3, 2024 21:46:00.154582977 CEST	49759	443	192.168.2.6	162.159.61.3
Sep 3, 2024 21:46:00.154603004 CEST	443	49759	162.159.61.3	192.168.2.6
Sep 3, 2024 21:46:00.154968023 CEST	443	49759	162.159.61.3	192.168.2.6
Sep 3, 2024 21:46:00.155313015 CEST	49759	443	192.168.2.6	162.159.61.3
Sep 3, 2024 21:46:00.155397892 CEST	443	49759	162.159.61.3	192.168.2.6
Sep 3, 2024 21:46:00.155478954 CEST	49759	443	192.168.2.6	162.159.61.3
Sep 3, 2024 21:46:00.163558960 CEST	443	49758	162.159.61.3	192.168.2.6
Sep 3, 2024 21:46:00.163794041 CEST	49758	443	192.168.2.6	162.159.61.3
Sep 3, 2024 21:46:00.163811922 CEST	443	49758	162.159.61.3	192.168.2.6
Sep 3, 2024 21:46:00.164159060 CEST	443	49758	162.159.61.3	192.168.2.6
Sep 3, 2024 21:46:00.164434910 CEST	49758	443	192.168.2.6	162.159.61.3
Sep 3, 2024 21:46:00.164511919 CEST	443	49758	162.159.61.3	192.168.2.6
Sep 3, 2024 21:46:00.164740086 CEST	49758	443	192.168.2.6	162.159.61.3
Sep 3, 2024 21:46:00.200509071 CEST	443	49759	162.159.61.3	192.168.2.6
Sep 3, 2024 21:46:00.212506056 CEST	443	49758	162.159.61.3	192.168.2.6
Sep 3, 2024 21:46:00.284132957 CEST	443	49759	162.159.61.3	192.168.2.6
Sep 3, 2024 21:46:00.284208059 CEST	443	49759	162.159.61.3	192.168.2.6
Sep 3, 2024 21:46:00.284306049 CEST	49759	443	192.168.2.6	162.159.61.3
Sep 3, 2024 21:46:00.284528971 CEST	49759	443	192.168.2.6	162.159.61.3
Sep 3, 2024 21:46:00.284544945 CEST	443	49759	162.159.61.3	192.168.2.6
Sep 3, 2024 21:46:00.300209045 CEST	443	49758	162.159.61.3	192.168.2.6
Sep 3, 2024 21:46:00.300283909 CEST	443	49758	162.159.61.3	192.168.2.6
Sep 3, 2024 21:46:00.300374985 CEST	49758	443	192.168.2.6	162.159.61.3
Sep 3, 2024 21:46:00.300580978 CEST	49758	443	192.168.2.6	162.159.61.3
Sep 3, 2024 21:46:00.300590992 CEST	443	49758	162.159.61.3	192.168.2.6
Sep 3, 2024 21:46:07.482804060 CEST	49744	443	192.168.2.6	172.64.41.3
Sep 3, 2024 21:46:07.482832909 CEST	443	49744	172.64.41.3	192.168.2.6
Sep 3, 2024 21:46:07.498079062 CEST	49743	443	192.168.2.6	172.64.41.3
Sep 3, 2024 21:46:07.498100042 CEST	443	49743	172.64.41.3	192.168.2.6
Sep 3, 2024 21:46:14.439440012 CEST	49761	443	192.168.2.6	20.197.71.89
Sep 3, 2024 21:46:14.439481974 CEST	443	49761	20.197.71.89	192.168.2.6
Sep 3, 2024 21:46:14.439587116 CEST	49761	443	192.168.2.6	20.197.71.89
Sep 3, 2024 21:46:14.440248966 CEST	49761	443	192.168.2.6	20.197.71.89
Sep 3, 2024 21:46:14.440263033 CEST	443	49761	20.197.71.89	192.168.2.6
Sep 3, 2024 21:46:16.315458059 CEST	443	49761	20.197.71.89	192.168.2.6
Sep 3, 2024 21:46:16.315546989 CEST	49761	443	192.168.2.6	20.197.71.89
Sep 3, 2024 21:46:16.317466974 CEST	49761	443	192.168.2.6	20.197.71.89
Sep 3, 2024 21:46:16.317478895 CEST	443	49761	20.197.71.89	192.168.2.6
Sep 3, 2024 21:46:16.317722082 CEST	443	49761	20.197.71.89	192.168.2.6
Sep 3, 2024 21:46:16.319628000 CEST	49761	443	192.168.2.6	20.197.71.89
Sep 3, 2024 21:46:16.319695950 CEST	49761	443	192.168.2.6	20.197.71.89
Sep 3, 2024 21:46:16.319701910 CEST	443	49761	20.197.71.89	192.168.2.6
Sep 3, 2024 21:46:16.319861889 CEST	49761	443	192.168.2.6	20.197.71.89
Sep 3, 2024 21:46:16.364499092 CEST	443	49761	20.197.71.89	192.168.2.6
Sep 3, 2024 21:46:16.647452116 CEST	443	49761	20.197.71.89	192.168.2.6
Sep 3, 2024 21:46:16.647885084 CEST	443	49761	20.197.71.89	192.168.2.6
Sep 3, 2024 21:46:16.647953987 CEST	49761	443	192.168.2.6	20.197.71.89
Sep 3, 2024 21:46:16.648164988 CEST	49761	443	192.168.2.6	20.197.71.89
Sep 3, 2024 21:46:16.648164988 CEST	49761	443	192.168.2.6	20.197.71.89
Sep 3, 2024 21:46:16.648189068 CEST	443	49761	20.197.71.89	192.168.2.6
Sep 3, 2024 21:46:34.978847980 CEST	49704	80	192.168.2.6	199.232.210.172
Sep 3, 2024 21:46:34.984622002 CEST	80	49704	199.232.210.172	192.168.2.6
Sep 3, 2024 21:46:34.984674931 CEST	49704	80	192.168.2.6	199.232.210.172
Sep 3, 2024 21:46:39.385348082 CEST	49748	443	192.168.2.6	142.250.65.174
Sep 3, 2024 21:46:39.385371923 CEST	443	49748	142.250.65.174	192.168.2.6
Sep 3, 2024 21:46:39.447805882 CEST	49749	443	192.168.2.6	142.250.65.174
Sep 3, 2024 21:46:39.447823048 CEST	443	49749	142.250.65.174	192.168.2.6
Sep 3, 2024 21:46:48.317945957 CEST	49763	443	192.168.2.6	20.197.71.89
Sep 3, 2024 21:46:48.317982912 CEST	443	49763	20.197.71.89	192.168.2.6
Sep 3, 2024 21:46:48.318067074 CEST	49763	443	192.168.2.6	20.197.71.89
Sep 3, 2024 21:46:48.318737030 CEST	49763	443	192.168.2.6	20.197.71.89
Sep 3, 2024 21:46:48.318749905 CEST	443	49763	20.197.71.89	192.168.2.6
Sep 3, 2024 21:46:49.758385897 CEST	443	49763	20.197.71.89	192.168.2.6
Sep 3, 2024 21:46:49.758483887 CEST	49763	443	192.168.2.6	20.197.71.89
Sep 3, 2024 21:46:49.763402939 CEST	49763	443	192.168.2.6	20.197.71.89
Sep 3, 2024 21:46:49.763417006 CEST	443	49763	20.197.71.89	192.168.2.6
Sep 3, 2024 21:46:49.763659954 CEST	443	49763	20.197.71.89	192.168.2.6
Sep 3, 2024 21:46:49.765358925 CEST	49763	443	192.168.2.6	20.197.71.89
Sep 3, 2024 21:46:49.765425920 CEST	49763	443	192.168.2.6	20.197.71.89
Sep 3, 2024 21:46:49.765430927 CEST	443	49763	20.197.71.89	192.168.2.6
Sep 3, 2024 21:46:49.765559912 CEST	49763	443	192.168.2.6	20.197.71.89
Sep 3, 2024 21:46:49.812500000 CEST	443	49763	20.197.71.89	192.168.2.6
Sep 3, 2024 21:46:50.097790956 CEST	443	49763	20.197.71.89	192.168.2.6
Sep 3, 2024 21:46:50.098058939 CEST	443	49763	20.197.71.89	192.168.2.6
Sep 3, 2024 21:46:50.098130941 CEST	49763	443	192.168.2.6	20.197.71.89
Sep 3, 2024 21:46:50.098392010 CEST	49763	443	192.168.2.6	20.197.71.89
Sep 3, 2024 21:46:50.098407984 CEST	443	49763	20.197.71.89	192.168.2.6
Sep 3, 2024 21:46:50.098421097 CEST	49763	443	192.168.2.6	20.197.71.89
Sep 3, 2024 21:46:52.494796991 CEST	49744	443	192.168.2.6	172.64.41.3
Sep 3, 2024 21:46:52.494827986 CEST	443	49744	172.64.41.3	192.168.2.6
Sep 3, 2024 21:46:52.510283947 CEST	49743	443	192.168.2.6	172.64.41.3
Sep 3, 2024 21:46:52.510308981 CEST	443	49743	172.64.41.3	192.168.2.6
Sep 3, 2024 21:47:02.073776007 CEST	49764	443	192.168.2.6	162.159.61.3
Sep 3, 2024 21:47:02.073803902 CEST	443	49764	162.159.61.3	192.168.2.6
Sep 3, 2024 21:47:02.073956966 CEST	49765	443	192.168.2.6	162.159.61.3
Sep 3, 2024 21:47:02.073985100 CEST	49764	443	192.168.2.6	162.159.61.3
Sep 3, 2024 21:47:02.073992968 CEST	443	49765	162.159.61.3	192.168.2.6
Sep 3, 2024 21:47:02.074325085 CEST	49764	443	192.168.2.6	162.159.61.3
Sep 3, 2024 21:47:02.074337959 CEST	443	49764	162.159.61.3	192.168.2.6
Sep 3, 2024 21:47:02.074358940 CEST	49765	443	192.168.2.6	162.159.61.3
Sep 3, 2024 21:47:02.074480057 CEST	49765	443	192.168.2.6	162.159.61.3
Sep 3, 2024 21:47:02.074491978 CEST	443	49765	162.159.61.3	192.168.2.6
Sep 3, 2024 21:47:02.536164045 CEST	443	49765	162.159.61.3	192.168.2.6
Sep 3, 2024 21:47:02.536561966 CEST	49765	443	192.168.2.6	162.159.61.3
Sep 3, 2024 21:47:02.536587954 CEST	443	49765	162.159.61.3	192.168.2.6
Sep 3, 2024 21:47:02.536925077 CEST	443	49765	162.159.61.3	192.168.2.6
Sep 3, 2024 21:47:02.537255049 CEST	49765	443	192.168.2.6	162.159.61.3
Sep 3, 2024 21:47:02.537307024 CEST	443	49765	162.159.61.3	192.168.2.6
Sep 3, 2024 21:47:02.545655012 CEST	443	49764	162.159.61.3	192.168.2.6
Sep 3, 2024 21:47:02.545885086 CEST	49764	443	192.168.2.6	162.159.61.3
Sep 3, 2024 21:47:02.545905113 CEST	443	49764	162.159.61.3	192.168.2.6
Sep 3, 2024 21:47:02.546242952 CEST	443	49764	162.159.61.3	192.168.2.6
Sep 3, 2024 21:47:02.546663046 CEST	49764	443	192.168.2.6	162.159.61.3
Sep 3, 2024 21:47:02.546727896 CEST	443	49764	162.159.61.3	192.168.2.6
Sep 3, 2024 21:47:02.586762905 CEST	49765	443	192.168.2.6	162.159.61.3
Sep 3, 2024 21:47:02.586779118 CEST	49764	443	192.168.2.6	162.159.61.3
Sep 3, 2024 21:47:02.628952980 CEST	49766	443	192.168.2.6	23.55.235.170
Sep 3, 2024 21:47:02.628993988 CEST	443	49766	23.55.235.170	192.168.2.6
Sep 3, 2024 21:47:02.629050970 CEST	49766	443	192.168.2.6	23.55.235.170
Sep 3, 2024 21:47:02.629252911 CEST	49766	443	192.168.2.6	23.55.235.170
Sep 3, 2024 21:47:02.629267931 CEST	443	49766	23.55.235.170	192.168.2.6
Sep 3, 2024 21:47:03.126900911 CEST	443	49766	23.55.235.170	192.168.2.6
Sep 3, 2024 21:47:03.127405882 CEST	49766	443	192.168.2.6	23.55.235.170
Sep 3, 2024 21:47:03.127434015 CEST	443	49766	23.55.235.170	192.168.2.6
Sep 3, 2024 21:47:03.127758980 CEST	443	49766	23.55.235.170	192.168.2.6
Sep 3, 2024 21:47:03.128098965 CEST	49766	443	192.168.2.6	23.55.235.170
Sep 3, 2024 21:47:03.128159046 CEST	443	49766	23.55.235.170	192.168.2.6
Sep 3, 2024 21:47:03.128246069 CEST	49766	443	192.168.2.6	23.55.235.170
Sep 3, 2024 21:47:03.172498941 CEST	443	49766	23.55.235.170	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 3, 2024 21:45:01.125888109 CEST	53	63764	1.1.1.1	192.168.2.6
Sep 3, 2024 21:45:02.061049938 CEST	55915	53	192.168.2.6	1.1.1.1
Sep 3, 2024 21:45:02.061265945 CEST	64716	53	192.168.2.6	1.1.1.1
Sep 3, 2024 21:45:03.496953964 CEST	53	55494	1.1.1.1	192.168.2.6
Sep 3, 2024 21:45:03.501740932 CEST	53	59742	1.1.1.1	192.168.2.6
Sep 3, 2024 21:45:05.603419065 CEST	56902	53	192.168.2.6	1.1.1.1
Sep 3, 2024 21:45:05.603576899 CEST	52244	53	192.168.2.6	1.1.1.1
Sep 3, 2024 21:45:05.603956938 CEST	49880	53	192.168.2.6	1.1.1.1
Sep 3, 2024 21:45:05.604072094 CEST	58478	53	192.168.2.6	1.1.1.1
Sep 3, 2024 21:45:05.604573011 CEST	63857	53	192.168.2.6	1.1.1.1
Sep 3, 2024 21:45:05.604754925 CEST	64496	53	192.168.2.6	1.1.1.1
Sep 3, 2024 21:45:05.605185032 CEST	57980	53	192.168.2.6	1.1.1.1
Sep 3, 2024 21:45:05.605333090 CEST	53659	53	192.168.2.6	1.1.1.1
Sep 3, 2024 21:45:05.610702038 CEST	53	52244	1.1.1.1	192.168.2.6
Sep 3, 2024 21:45:05.610786915 CEST	53	58478	1.1.1.1	192.168.2.6
Sep 3, 2024 21:45:05.611301899 CEST	53	49880	1.1.1.1	192.168.2.6
Sep 3, 2024 21:45:05.611366034 CEST	53	63857	1.1.1.1	192.168.2.6
Sep 3, 2024 21:45:05.611731052 CEST	53	64496	1.1.1.1	192.168.2.6
Sep 3, 2024 21:45:05.612196922 CEST	53	56902	1.1.1.1	192.168.2.6
Sep 3, 2024 21:45:05.612206936 CEST	53	57980	1.1.1.1	192.168.2.6
Sep 3, 2024 21:45:05.612833023 CEST	53	53659	1.1.1.1	192.168.2.6
Sep 3, 2024 21:45:05.657723904 CEST	55511	53	192.168.2.6	1.1.1.1
Sep 3, 2024 21:45:05.657963037 CEST	53465	53	192.168.2.6	1.1.1.1
Sep 3, 2024 21:45:05.664654016 CEST	53	55511	1.1.1.1	192.168.2.6
Sep 3, 2024 21:45:05.664753914 CEST	53	53465	1.1.1.1	192.168.2.6
Sep 3, 2024 21:45:06.793941021 CEST	49185	443	192.168.2.6	172.64.41.3
Sep 3, 2024 21:45:07.102762938 CEST	49185	443	192.168.2.6	172.64.41.3
Sep 3, 2024 21:45:07.243244886 CEST	443	49185	172.64.41.3	192.168.2.6
Sep 3, 2024 21:45:07.243257999 CEST	443	49185	172.64.41.3	192.168.2.6
Sep 3, 2024 21:45:07.243269920 CEST	443	49185	172.64.41.3	192.168.2.6
Sep 3, 2024 21:45:07.243330956 CEST	443	49185	172.64.41.3	192.168.2.6
Sep 3, 2024 21:45:07.243403912 CEST	443	49185	172.64.41.3	192.168.2.6
Sep 3, 2024 21:45:07.244420052 CEST	49185	443	192.168.2.6	172.64.41.3
Sep 3, 2024 21:45:07.246701956 CEST	49185	443	192.168.2.6	172.64.41.3
Sep 3, 2024 21:45:07.247150898 CEST	49185	443	192.168.2.6	172.64.41.3
Sep 3, 2024 21:45:07.247435093 CEST	49185	443	192.168.2.6	172.64.41.3
Sep 3, 2024 21:45:07.247776985 CEST	49185	443	192.168.2.6	172.64.41.3
Sep 3, 2024 21:45:07.249443054 CEST	49185	443	192.168.2.6	172.64.41.3
Sep 3, 2024 21:45:07.342449903 CEST	443	49185	172.64.41.3	192.168.2.6
Sep 3, 2024 21:45:07.342837095 CEST	443	49185	172.64.41.3	192.168.2.6
Sep 3, 2024 21:45:07.342847109 CEST	443	49185	172.64.41.3	192.168.2.6
Sep 3, 2024 21:45:07.342855930 CEST	443	49185	172.64.41.3	192.168.2.6
Sep 3, 2024 21:45:07.342938900 CEST	443	49185	172.64.41.3	192.168.2.6
Sep 3, 2024 21:45:07.344096899 CEST	443	49185	172.64.41.3	192.168.2.6
Sep 3, 2024 21:45:07.345356941 CEST	443	49185	172.64.41.3	192.168.2.6
Sep 3, 2024 21:45:07.345803976 CEST	443	49185	172.64.41.3	192.168.2.6
Sep 3, 2024 21:45:07.346405983 CEST	443	49185	172.64.41.3	192.168.2.6
Sep 3, 2024 21:45:07.425762892 CEST	49185	443	192.168.2.6	172.64.41.3
Sep 3, 2024 21:45:07.426078081 CEST	49185	443	192.168.2.6	172.64.41.3
Sep 3, 2024 21:45:07.426877022 CEST	49185	443	192.168.2.6	172.64.41.3
Sep 3, 2024 21:45:07.521533966 CEST	443	49185	172.64.41.3	192.168.2.6
Sep 3, 2024 21:45:07.680902958 CEST	49185	443	192.168.2.6	172.64.41.3
Sep 3, 2024 21:45:07.752492905 CEST	49185	443	192.168.2.6	172.64.41.3
Sep 3, 2024 21:45:07.753073931 CEST	49185	443	192.168.2.6	172.64.41.3
Sep 3, 2024 21:45:07.848362923 CEST	443	49185	172.64.41.3	192.168.2.6
Sep 3, 2024 21:45:07.848603010 CEST	443	49185	172.64.41.3	192.168.2.6
Sep 3, 2024 21:45:07.849359989 CEST	443	49185	172.64.41.3	192.168.2.6
Sep 3, 2024 21:45:07.849730968 CEST	443	49185	172.64.41.3	192.168.2.6
Sep 3, 2024 21:45:07.909715891 CEST	49185	443	192.168.2.6	172.64.41.3
Sep 3, 2024 21:45:08.005387068 CEST	49185	443	192.168.2.6	172.64.41.3
Sep 3, 2024 21:45:08.005472898 CEST	49185	443	192.168.2.6	172.64.41.3
Sep 3, 2024 21:45:08.102062941 CEST	443	49185	172.64.41.3	192.168.2.6
Sep 3, 2024 21:45:08.125827074 CEST	443	49185	172.64.41.3	192.168.2.6
Sep 3, 2024 21:45:08.125869036 CEST	443	49185	172.64.41.3	192.168.2.6
Sep 3, 2024 21:45:08.126370907 CEST	49185	443	192.168.2.6	172.64.41.3
Sep 3, 2024 21:45:08.569317102 CEST	60479	443	192.168.2.6	142.250.65.174
Sep 3, 2024 21:45:08.870389938 CEST	60479	443	192.168.2.6	142.250.65.174
Sep 3, 2024 21:45:09.016720057 CEST	443	60479	142.250.65.174	192.168.2.6
Sep 3, 2024 21:45:09.017940998 CEST	443	60479	142.250.65.174	192.168.2.6
Sep 3, 2024 21:45:09.021464109 CEST	60479	443	192.168.2.6	142.250.65.174
Sep 3, 2024 21:45:09.023164988 CEST	443	60479	142.250.65.174	192.168.2.6
Sep 3, 2024 21:45:09.023181915 CEST	443	60479	142.250.65.174	192.168.2.6
Sep 3, 2024 21:45:09.023192883 CEST	443	60479	142.250.65.174	192.168.2.6
Sep 3, 2024 21:45:09.023217916 CEST	443	60479	142.250.65.174	192.168.2.6
Sep 3, 2024 21:45:09.023463964 CEST	60479	443	192.168.2.6	142.250.65.174
Sep 3, 2024 21:45:09.024674892 CEST	60479	443	192.168.2.6	142.250.65.174
Sep 3, 2024 21:45:09.027055025 CEST	60479	443	192.168.2.6	142.250.65.174
Sep 3, 2024 21:45:09.027221918 CEST	60479	443	192.168.2.6	142.250.65.174
Sep 3, 2024 21:45:09.028135061 CEST	60479	443	192.168.2.6	142.250.65.174
Sep 3, 2024 21:45:09.028692007 CEST	60479	443	192.168.2.6	142.250.65.174
Sep 3, 2024 21:45:09.129261017 CEST	443	60479	142.250.65.174	192.168.2.6
Sep 3, 2024 21:45:09.129369020 CEST	443	60479	142.250.65.174	192.168.2.6
Sep 3, 2024 21:45:09.129657984 CEST	60479	443	192.168.2.6	142.250.65.174
Sep 3, 2024 21:45:09.131565094 CEST	443	60479	142.250.65.174	192.168.2.6
Sep 3, 2024 21:45:09.158133984 CEST	443	60479	142.250.65.174	192.168.2.6
Sep 3, 2024 21:45:09.158444881 CEST	60479	443	192.168.2.6	142.250.65.174
Sep 3, 2024 21:45:09.212882996 CEST	443	60479	142.250.65.174	192.168.2.6
Sep 3, 2024 21:45:09.213360071 CEST	60479	443	192.168.2.6	142.250.65.174
Sep 3, 2024 21:45:09.216516018 CEST	443	60479	142.250.65.174	192.168.2.6
Sep 3, 2024 21:45:09.216753960 CEST	60479	443	192.168.2.6	142.250.65.174
Sep 3, 2024 21:45:09.219189882 CEST	443	60479	142.250.65.174	192.168.2.6
Sep 3, 2024 21:45:09.219690084 CEST	443	60479	142.250.65.174	192.168.2.6
Sep 3, 2024 21:45:09.220257998 CEST	60479	443	192.168.2.6	142.250.65.174
Sep 3, 2024 21:45:09.315232992 CEST	443	60479	142.250.65.174	192.168.2.6
Sep 3, 2024 21:45:16.590126038 CEST	60479	443	192.168.2.6	142.250.65.174
Sep 3, 2024 21:45:16.590296030 CEST	60479	443	192.168.2.6	142.250.65.174
Sep 3, 2024 21:45:16.689466953 CEST	443	60479	142.250.65.174	192.168.2.6
Sep 3, 2024 21:45:16.727927923 CEST	60479	443	192.168.2.6	142.250.65.174
Sep 3, 2024 21:45:16.804361105 CEST	443	60479	142.250.65.174	192.168.2.6
Sep 3, 2024 21:45:16.807075024 CEST	60479	443	192.168.2.6	142.250.65.174
Sep 3, 2024 21:45:16.807538033 CEST	443	60479	142.250.65.174	192.168.2.6
Sep 3, 2024 21:45:16.862000942 CEST	60479	443	192.168.2.6	142.250.65.174
Sep 3, 2024 21:45:16.930425882 CEST	443	60479	142.250.65.174	192.168.2.6
Sep 3, 2024 21:45:37.776995897 CEST	60479	443	192.168.2.6	142.250.65.174
Sep 3, 2024 21:45:37.777039051 CEST	60479	443	192.168.2.6	142.250.65.174
Sep 3, 2024 21:45:37.881649017 CEST	443	60479	142.250.65.174	192.168.2.6
Sep 3, 2024 21:45:37.915625095 CEST	60479	443	192.168.2.6	142.250.65.174
Sep 3, 2024 21:45:37.962789059 CEST	443	60479	142.250.65.174	192.168.2.6
Sep 3, 2024 21:45:37.963176012 CEST	60479	443	192.168.2.6	142.250.65.174
Sep 3, 2024 21:45:37.964822054 CEST	443	60479	142.250.65.174	192.168.2.6
Sep 3, 2024 21:45:37.993380070 CEST	60479	443	192.168.2.6	142.250.65.174
Sep 3, 2024 21:45:38.086183071 CEST	443	60479	142.250.65.174	192.168.2.6
Sep 3, 2024 21:45:38.167489052 CEST	60479	443	192.168.2.6	142.250.65.174
Sep 3, 2024 21:45:38.167555094 CEST	60479	443	192.168.2.6	142.250.65.174
Sep 3, 2024 21:45:38.266454935 CEST	443	60479	142.250.65.174	192.168.2.6
Sep 3, 2024 21:45:38.305959940 CEST	60479	443	192.168.2.6	142.250.65.174
Sep 3, 2024 21:45:38.326201916 CEST	60479	443	192.168.2.6	142.250.65.174
Sep 3, 2024 21:45:38.326256037 CEST	60479	443	192.168.2.6	142.250.65.174
Sep 3, 2024 21:45:38.349942923 CEST	443	60479	142.250.65.174	192.168.2.6
Sep 3, 2024 21:45:38.350183010 CEST	443	60479	142.250.65.174	192.168.2.6
Sep 3, 2024 21:45:38.350191116 CEST	60479	443	192.168.2.6	142.250.65.174
Sep 3, 2024 21:45:38.381858110 CEST	60479	443	192.168.2.6	142.250.65.174
Sep 3, 2024 21:45:38.434206009 CEST	443	60479	142.250.65.174	192.168.2.6
Sep 3, 2024 21:45:38.461740017 CEST	60479	443	192.168.2.6	142.250.65.174
Sep 3, 2024 21:45:38.473447084 CEST	443	60479	142.250.65.174	192.168.2.6
Sep 3, 2024 21:45:38.514471054 CEST	443	60479	142.250.65.174	192.168.2.6
Sep 3, 2024 21:45:38.514729977 CEST	60479	443	192.168.2.6	142.250.65.174
Sep 3, 2024 21:45:38.516557932 CEST	443	60479	142.250.65.174	192.168.2.6
Sep 3, 2024 21:45:38.555278063 CEST	60479	443	192.168.2.6	142.250.65.174
Sep 3, 2024 21:45:38.638124943 CEST	443	60479	142.250.65.174	192.168.2.6
Sep 3, 2024 21:45:59.701250076 CEST	59744	443	192.168.2.6	162.159.61.3
Sep 3, 2024 21:46:00.010083914 CEST	59744	443	192.168.2.6	162.159.61.3
Sep 3, 2024 21:46:00.163038015 CEST	443	59744	162.159.61.3	192.168.2.6
Sep 3, 2024 21:46:00.163156986 CEST	443	59744	162.159.61.3	192.168.2.6
Sep 3, 2024 21:46:00.164201975 CEST	443	59744	162.159.61.3	192.168.2.6
Sep 3, 2024 21:46:00.164897919 CEST	443	59744	162.159.61.3	192.168.2.6
Sep 3, 2024 21:46:00.164911032 CEST	443	59744	162.159.61.3	192.168.2.6
Sep 3, 2024 21:46:00.164927006 CEST	443	59744	162.159.61.3	192.168.2.6
Sep 3, 2024 21:46:00.165155888 CEST	59744	443	192.168.2.6	162.159.61.3
Sep 3, 2024 21:46:00.166415930 CEST	59744	443	192.168.2.6	162.159.61.3
Sep 3, 2024 21:46:00.167188883 CEST	59744	443	192.168.2.6	162.159.61.3
Sep 3, 2024 21:46:00.167339087 CEST	59744	443	192.168.2.6	162.159.61.3
Sep 3, 2024 21:46:00.261738062 CEST	443	59744	162.159.61.3	192.168.2.6
Sep 3, 2024 21:46:00.261749029 CEST	443	59744	162.159.61.3	192.168.2.6
Sep 3, 2024 21:46:00.261758089 CEST	443	59744	162.159.61.3	192.168.2.6
Sep 3, 2024 21:46:00.262094975 CEST	443	59744	162.159.61.3	192.168.2.6
Sep 3, 2024 21:46:00.262207031 CEST	59744	443	192.168.2.6	162.159.61.3
Sep 3, 2024 21:46:00.262279987 CEST	59744	443	192.168.2.6	162.159.61.3
Sep 3, 2024 21:46:00.356904984 CEST	443	59744	162.159.61.3	192.168.2.6
Sep 3, 2024 21:46:00.384984016 CEST	59744	443	192.168.2.6	162.159.61.3
Sep 3, 2024 21:46:08.356302977 CEST	52357	443	192.168.2.6	172.64.41.3
Sep 3, 2024 21:46:08.356374025 CEST	52357	443	192.168.2.6	172.64.41.3
Sep 3, 2024 21:46:08.356725931 CEST	52357	443	192.168.2.6	172.64.41.3
Sep 3, 2024 21:46:08.356842995 CEST	52357	443	192.168.2.6	172.64.41.3
Sep 3, 2024 21:46:08.805135012 CEST	443	52357	172.64.41.3	192.168.2.6
Sep 3, 2024 21:46:08.806312084 CEST	52357	443	192.168.2.6	172.64.41.3
Sep 3, 2024 21:46:08.842591047 CEST	52357	443	192.168.2.6	172.64.41.3
Sep 3, 2024 21:46:08.904095888 CEST	443	52357	172.64.41.3	192.168.2.6
Sep 3, 2024 21:46:08.904109955 CEST	443	52357	172.64.41.3	192.168.2.6
Sep 3, 2024 21:46:08.904118061 CEST	443	52357	172.64.41.3	192.168.2.6
Sep 3, 2024 21:46:08.904129028 CEST	443	52357	172.64.41.3	192.168.2.6
Sep 3, 2024 21:46:08.904664993 CEST	52357	443	192.168.2.6	172.64.41.3
Sep 3, 2024 21:46:08.904880047 CEST	52357	443	192.168.2.6	172.64.41.3
Sep 3, 2024 21:46:09.003122091 CEST	443	52357	172.64.41.3	192.168.2.6
Sep 3, 2024 21:46:09.003917933 CEST	52357	443	192.168.2.6	172.64.41.3
Sep 3, 2024 21:46:09.119725943 CEST	443	52357	172.64.41.3	192.168.2.6
Sep 3, 2024 21:46:09.120527983 CEST	443	52357	172.64.41.3	192.168.2.6
Sep 3, 2024 21:46:09.120662928 CEST	443	52357	172.64.41.3	192.168.2.6
Sep 3, 2024 21:46:09.121746063 CEST	52357	443	192.168.2.6	172.64.41.3
Sep 3, 2024 21:46:09.123485088 CEST	55969	443	192.168.2.6	142.251.40.110
Sep 3, 2024 21:46:09.123624086 CEST	55969	443	192.168.2.6	142.251.40.110
Sep 3, 2024 21:46:09.495080948 CEST	55969	443	192.168.2.6	142.251.40.110
Sep 3, 2024 21:46:09.588321924 CEST	443	55969	142.251.40.110	192.168.2.6
Sep 3, 2024 21:46:09.588347912 CEST	443	55969	142.251.40.110	192.168.2.6
Sep 3, 2024 21:46:09.589095116 CEST	55969	443	192.168.2.6	142.251.40.110
Sep 3, 2024 21:46:09.589099884 CEST	443	55969	142.251.40.110	192.168.2.6
Sep 3, 2024 21:46:09.589252949 CEST	55969	443	192.168.2.6	142.251.40.110
Sep 3, 2024 21:46:09.589340925 CEST	55969	443	192.168.2.6	142.251.40.110
Sep 3, 2024 21:46:09.589694023 CEST	55969	443	192.168.2.6	142.251.40.110
Sep 3, 2024 21:46:09.589715958 CEST	55969	443	192.168.2.6	142.251.40.110
Sep 3, 2024 21:46:09.589886904 CEST	55969	443	192.168.2.6	142.251.40.110
Sep 3, 2024 21:46:09.589896917 CEST	55969	443	192.168.2.6	142.251.40.110
Sep 3, 2024 21:46:09.605843067 CEST	52357	443	192.168.2.6	172.64.41.3
Sep 3, 2024 21:46:09.605956078 CEST	52357	443	192.168.2.6	172.64.41.3
Sep 3, 2024 21:46:09.683639050 CEST	443	55969	142.251.40.110	192.168.2.6
Sep 3, 2024 21:46:09.684011936 CEST	55969	443	192.168.2.6	142.251.40.110
Sep 3, 2024 21:46:09.684226036 CEST	443	55969	142.251.40.110	192.168.2.6
Sep 3, 2024 21:46:09.684237003 CEST	443	55969	142.251.40.110	192.168.2.6
Sep 3, 2024 21:46:09.684540987 CEST	443	55969	142.251.40.110	192.168.2.6
Sep 3, 2024 21:46:09.684550047 CEST	443	55969	142.251.40.110	192.168.2.6
Sep 3, 2024 21:46:09.684636116 CEST	55969	443	192.168.2.6	142.251.40.110
Sep 3, 2024 21:46:09.684792042 CEST	55969	443	192.168.2.6	142.251.40.110
Sep 3, 2024 21:46:09.705959082 CEST	443	52357	172.64.41.3	192.168.2.6
Sep 3, 2024 21:46:09.706854105 CEST	443	52357	172.64.41.3	192.168.2.6
Sep 3, 2024 21:46:09.707672119 CEST	443	52357	172.64.41.3	192.168.2.6
Sep 3, 2024 21:46:09.707859993 CEST	52357	443	192.168.2.6	172.64.41.3
Sep 3, 2024 21:46:09.708770990 CEST	59616	443	192.168.2.6	172.253.115.84
Sep 3, 2024 21:46:09.708898067 CEST	59616	443	192.168.2.6	172.253.115.84
Sep 3, 2024 21:46:09.765794039 CEST	443	55969	142.251.40.110	192.168.2.6
Sep 3, 2024 21:46:09.766207933 CEST	55969	443	192.168.2.6	142.251.40.110
Sep 3, 2024 21:46:09.767509937 CEST	443	55969	142.251.40.110	192.168.2.6
Sep 3, 2024 21:46:09.767658949 CEST	443	55969	142.251.40.110	192.168.2.6
Sep 3, 2024 21:46:09.769128084 CEST	55969	443	192.168.2.6	142.251.40.110
Sep 3, 2024 21:46:09.769570112 CEST	443	55969	142.251.40.110	192.168.2.6
Sep 3, 2024 21:46:09.770349026 CEST	55969	443	192.168.2.6	142.251.40.110
Sep 3, 2024 21:46:09.863369942 CEST	443	55969	142.251.40.110	192.168.2.6
Sep 3, 2024 21:46:10.158524036 CEST	443	59616	172.253.115.84	192.168.2.6
Sep 3, 2024 21:46:10.158838987 CEST	443	59616	172.253.115.84	192.168.2.6
Sep 3, 2024 21:46:10.158858061 CEST	443	59616	172.253.115.84	192.168.2.6
Sep 3, 2024 21:46:10.158870935 CEST	443	59616	172.253.115.84	192.168.2.6
Sep 3, 2024 21:46:10.158999920 CEST	443	59616	172.253.115.84	192.168.2.6
Sep 3, 2024 21:46:10.159404993 CEST	59616	443	192.168.2.6	172.253.115.84
Sep 3, 2024 21:46:10.160257101 CEST	59616	443	192.168.2.6	172.253.115.84
Sep 3, 2024 21:46:10.160913944 CEST	59616	443	192.168.2.6	172.253.115.84
Sep 3, 2024 21:46:10.259655952 CEST	443	59616	172.253.115.84	192.168.2.6
Sep 3, 2024 21:46:10.259711981 CEST	443	59616	172.253.115.84	192.168.2.6
Sep 3, 2024 21:46:10.260221958 CEST	443	59616	172.253.115.84	192.168.2.6
Sep 3, 2024 21:46:10.304117918 CEST	443	59616	172.253.115.84	192.168.2.6
Sep 3, 2024 21:46:10.304143906 CEST	443	59616	172.253.115.84	192.168.2.6
Sep 3, 2024 21:46:10.304153919 CEST	443	59616	172.253.115.84	192.168.2.6
Sep 3, 2024 21:46:10.307054996 CEST	59616	443	192.168.2.6	172.253.115.84
Sep 3, 2024 21:46:10.307491064 CEST	59616	443	192.168.2.6	172.253.115.84
Sep 3, 2024 21:46:10.307590961 CEST	59616	443	192.168.2.6	172.253.115.84
Sep 3, 2024 21:46:10.431533098 CEST	443	59616	172.253.115.84	192.168.2.6
Sep 3, 2024 21:46:38.699826002 CEST	55969	443	192.168.2.6	142.251.40.110
Sep 3, 2024 21:46:38.795428991 CEST	443	55969	142.251.40.110	192.168.2.6
Sep 3, 2024 21:46:38.797735929 CEST	55969	443	192.168.2.6	142.251.40.110
Sep 3, 2024 21:46:38.821269035 CEST	443	55969	142.251.40.110	192.168.2.6
Sep 3, 2024 21:46:38.822666883 CEST	55969	443	192.168.2.6	142.251.40.110
Sep 3, 2024 21:46:38.917757034 CEST	443	55969	142.251.40.110	192.168.2.6
Sep 3, 2024 21:46:38.949799061 CEST	55969	443	192.168.2.6	142.251.40.110
Sep 3, 2024 21:46:38.974453926 CEST	443	55969	142.251.40.110	192.168.2.6
Sep 3, 2024 21:46:38.974848032 CEST	55969	443	192.168.2.6	142.251.40.110
Sep 3, 2024 21:46:38.975620985 CEST	443	55969	142.251.40.110	192.168.2.6
Sep 3, 2024 21:46:39.012300014 CEST	55969	443	192.168.2.6	142.251.40.110
Sep 3, 2024 21:46:39.095666885 CEST	443	55969	142.251.40.110	192.168.2.6
Sep 3, 2024 21:46:41.781202078 CEST	55969	443	192.168.2.6	142.251.40.110
Sep 3, 2024 21:46:41.781250954 CEST	55969	443	192.168.2.6	142.251.40.110
Sep 3, 2024 21:46:41.875916004 CEST	443	55969	142.251.40.110	192.168.2.6
Sep 3, 2024 21:46:41.957840919 CEST	443	55969	142.251.40.110	192.168.2.6
Sep 3, 2024 21:46:41.959005117 CEST	55969	443	192.168.2.6	142.251.40.110
Sep 3, 2024 21:46:41.959836006 CEST	443	55969	142.251.40.110	192.168.2.6
Sep 3, 2024 21:46:41.994275093 CEST	55969	443	192.168.2.6	142.251.40.110
Sep 3, 2024 21:46:42.080498934 CEST	443	55969	142.251.40.110	192.168.2.6
Sep 3, 2024 21:47:02.073529005 CEST	55220	443	192.168.2.6	162.159.61.3
Sep 3, 2024 21:47:02.385020971 CEST	55220	443	192.168.2.6	162.159.61.3
Sep 3, 2024 21:47:02.521748066 CEST	443	55220	162.159.61.3	192.168.2.6
Sep 3, 2024 21:47:02.522080898 CEST	443	55220	162.159.61.3	192.168.2.6
Sep 3, 2024 21:47:02.522094011 CEST	443	55220	162.159.61.3	192.168.2.6
Sep 3, 2024 21:47:02.522105932 CEST	443	55220	162.159.61.3	192.168.2.6
Sep 3, 2024 21:47:02.522119999 CEST	443	55220	162.159.61.3	192.168.2.6
Sep 3, 2024 21:47:02.522427082 CEST	55220	443	192.168.2.6	162.159.61.3
Sep 3, 2024 21:47:02.524199009 CEST	55220	443	192.168.2.6	162.159.61.3
Sep 3, 2024 21:47:02.524374962 CEST	55220	443	192.168.2.6	162.159.61.3
Sep 3, 2024 21:47:02.524642944 CEST	55220	443	192.168.2.6	162.159.61.3
Sep 3, 2024 21:47:02.524775982 CEST	55220	443	192.168.2.6	162.159.61.3
Sep 3, 2024 21:47:02.622270107 CEST	443	55220	162.159.61.3	192.168.2.6
Sep 3, 2024 21:47:02.622288942 CEST	443	55220	162.159.61.3	192.168.2.6
Sep 3, 2024 21:47:02.622298002 CEST	443	55220	162.159.61.3	192.168.2.6
Sep 3, 2024 21:47:02.622307062 CEST	443	55220	162.159.61.3	192.168.2.6
Sep 3, 2024 21:47:02.622670889 CEST	55220	443	192.168.2.6	162.159.61.3
Sep 3, 2024 21:47:02.622742891 CEST	55220	443	192.168.2.6	162.159.61.3
Sep 3, 2024 21:47:02.623908997 CEST	443	55220	162.159.61.3	192.168.2.6
Sep 3, 2024 21:47:02.625669003 CEST	443	55220	162.159.61.3	192.168.2.6
Sep 3, 2024 21:47:02.625802994 CEST	443	55220	162.159.61.3	192.168.2.6
Sep 3, 2024 21:47:02.628288031 CEST	55220	443	192.168.2.6	162.159.61.3
Sep 3, 2024 21:47:02.721210957 CEST	443	55220	162.159.61.3	192.168.2.6
Sep 3, 2024 21:47:02.759601116 CEST	55220	443	192.168.2.6	162.159.61.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Sep 3, 2024 21:45:02.061049938 CEST	192.168.2.6	1.1.1.1	0x96e3	Standard query (0)	bzib.nelreports.net	A (IP address)	IN (0x0001)	false
Sep 3, 2024 21:45:02.061265945 CEST	192.168.2.6	1.1.1.1	0x2629	Standard query (0)	bzib.nelreports.net	65	IN (0x0001)	false
Sep 3, 2024 21:45:05.603419065 CEST	192.168.2.6	1.1.1.1	0xb83c	Standard query (0)	chrome.cloudflare-dns.com	A (IP address)	IN (0x0001)	false
Sep 3, 2024 21:45:05.603576899 CEST	192.168.2.6	1.1.1.1	0xd64	Standard query (0)	chrome.cloudflare-dns.com	65	IN (0x0001)	false
Sep 3, 2024 21:45:05.603956938 CEST	192.168.2.6	1.1.1.1	0xb71c	Standard query (0)	chrome.cloudflare-dns.com	A (IP address)	IN (0x0001)	false
Sep 3, 2024 21:45:05.604072094 CEST	192.168.2.6	1.1.1.1	0x6f1e	Standard query (0)	chrome.cloudflare-dns.com	65	IN (0x0001)	false
Sep 3, 2024 21:45:05.604573011 CEST	192.168.2.6	1.1.1.1	0xa5fb	Standard query (0)	chrome.cloudflare-dns.com	A (IP address)	IN (0x0001)	false
Sep 3, 2024 21:45:05.604754925 CEST	192.168.2.6	1.1.1.1	0xd4db	Standard query (0)	chrome.cloudflare-dns.com	65	IN (0x0001)	false
Sep 3, 2024 21:45:05.605185032 CEST	192.168.2.6	1.1.1.1	0x3ad3	Standard query (0)	chrome.cloudflare-dns.com	A (IP address)	IN (0x0001)	false
Sep 3, 2024 21:45:05.605333090 CEST	192.168.2.6	1.1.1.1	0xe6c2	Standard query (0)	chrome.cloudflare-dns.com	65	IN (0x0001)	false
Sep 3, 2024 21:45:05.657723904 CEST	192.168.2.6	1.1.1.1	0xa0db	Standard query (0)	chrome.cloudflare-dns.com	A (IP address)	IN (0x0001)	false
Sep 3, 2024 21:45:05.657963037 CEST	192.168.2.6	1.1.1.1	0xfa34	Standard query (0)	chrome.cloudflare-dns.com	65	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Sep 3, 2024 21:45:02.070996046 CEST	1.1.1.1	192.168.2.6	0x2629	No error (0)	bzib.nelreports.net	bzib.nelreports.net.akamaized.net		CNAME (Canonical name)	IN (0x0001)	false
Sep 3, 2024 21:45:02.071130991 CEST	1.1.1.1	192.168.2.6	0x96e3	No error (0)	bzib.nelreports.net	bzib.nelreports.net.akamaized.net		CNAME (Canonical name)	IN (0x0001)	false
Sep 3, 2024 21:45:04.241467953 CEST	1.1.1.1	192.168.2.6	0xfd83	No error (0)	shed.dual-low.s-part-0014.t-0009.t-msedge.net	s-part-0014.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Sep 3, 2024 21:45:04.241467953 CEST	1.1.1.1	192.168.2.6	0xfd83	No error (0)	s-part-0014.t-0009.t-msedge.net		13.107.246.42	A (IP address)	IN (0x0001)	false
Sep 3, 2024 21:45:05.610702038 CEST	1.1.1.1	192.168.2.6	0xd64	No error (0)	chrome.cloudflare-dns.com			65	IN (0x0001)	false
Sep 3, 2024 21:45:05.610786915 CEST	1.1.1.1	192.168.2.6	0x6f1e	No error (0)	chrome.cloudflare-dns.com			65	IN (0x0001)	false
Sep 3, 2024 21:45:05.611301899 CEST	1.1.1.1	192.168.2.6	0xb71c	No error (0)	chrome.cloudflare-dns.com		162.159.61.3	A (IP address)	IN (0x0001)	false
Sep 3, 2024 21:45:05.611301899 CEST	1.1.1.1	192.168.2.6	0xb71c	No error (0)	chrome.cloudflare-dns.com		172.64.41.3	A (IP address)	IN (0x0001)	false
Sep 3, 2024 21:45:05.611366034 CEST	1.1.1.1	192.168.2.6	0xa5fb	No error (0)	chrome.cloudflare-dns.com		172.64.41.3	A (IP address)	IN (0x0001)	false
Sep 3, 2024 21:45:05.611366034 CEST	1.1.1.1	192.168.2.6	0xa5fb	No error (0)	chrome.cloudflare-dns.com		162.159.61.3	A (IP address)	IN (0x0001)	false
Sep 3, 2024 21:45:05.611731052 CEST	1.1.1.1	192.168.2.6	0xd4db	No error (0)	chrome.cloudflare-dns.com			65	IN (0x0001)	false
Sep 3, 2024 21:45:05.612196922 CEST	1.1.1.1	192.168.2.6	0xb83c	No error (0)	chrome.cloudflare-dns.com		162.159.61.3	A (IP address)	IN (0x0001)	false
Sep 3, 2024 21:45:05.612196922 CEST	1.1.1.1	192.168.2.6	0xb83c	No error (0)	chrome.cloudflare-dns.com		172.64.41.3	A (IP address)	IN (0x0001)	false
Sep 3, 2024 21:45:05.612206936 CEST	1.1.1.1	192.168.2.6	0x3ad3	No error (0)	chrome.cloudflare-dns.com		162.159.61.3	A (IP address)	IN (0x0001)	false
Sep 3, 2024 21:45:05.612206936 CEST	1.1.1.1	192.168.2.6	0x3ad3	No error (0)	chrome.cloudflare-dns.com		172.64.41.3	A (IP address)	IN (0x0001)	false
Sep 3, 2024 21:45:05.612833023 CEST	1.1.1.1	192.168.2.6	0xe6c2	No error (0)	chrome.cloudflare-dns.com			65	IN (0x0001)	false
Sep 3, 2024 21:45:05.664654016 CEST	1.1.1.1	192.168.2.6	0xa0db	No error (0)	chrome.cloudflare-dns.com		172.64.41.3	A (IP address)	IN (0x0001)	false
Sep 3, 2024 21:45:05.664654016 CEST	1.1.1.1	192.168.2.6	0xa0db	No error (0)	chrome.cloudflare-dns.com		162.159.61.3	A (IP address)	IN (0x0001)	false
Sep 3, 2024 21:45:05.664753914 CEST	1.1.1.1	192.168.2.6	0xfa34	No error (0)	chrome.cloudflare-dns.com			65	IN (0x0001)	false

HTTP Request Dependency Graph

edgeassetservice.azureedge.net

chrome.cloudflare-dns.com

fs.microsoft.com

https:

www.google.com

slscr.update.microsoft.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port
0	192.168.2.6	49720	20.197.71.89	443

Timestamp	Bytes transferred	Direction	Data
2024-09-03 19:45:04 UTC	71	OUT	Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 4a 32 75 42 53 7a 63 68 51 30 71 39 66 54 58 2f 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 35 30 32 39 31 32 33 32 35 33 31 62 34 62 62 66 0d 0a 0d 0a Data Ascii: CNT 1 CON 305MS-CV: J2uBSzchQ0q9fTX/.1Context: 50291232531b4bbf
2024-09-03 19:45:04 UTC	249	OUT	Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
2024-09-03 19:45:04 UTC	1084	OUT	Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 36 31 0d 0a 4d 53 2d 43 56 3a 20 4a 32 75 42 53 7a 63 68 51 30 71 39 66 54 58 2f 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 35 30 32 39 31 32 33 32 35 33 31 62 34 62 62 66 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 34 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 53 71 69 32 54 58 6e 47 6a 6c 77 41 75 33 31 33 39 32 4d 37 33 46 62 33 4e 4c 73 2b 5a 51 52 69 67 6e 53 33 5a 46 50 4f 62 6b 53 47 6b 46 65 6b 33 37 75 4f 79 59 59 75 7a 53 48 72 73 39 62 5a 6b 76 49 32 4d 71 62 43 42 41 71 65 36 36 2b 67 75 39 6e 6e 70 41 4c 58 61 43 6c 2f 4d 41 39 42 4d 44 35 49 31 6a 36 31 4f 30 59 65 37 Data Ascii: ATH 2 CON\DEVICE 1061MS-CV: J2uBSzchQ0q9fTX/.2Context: 50291232531b4bbf<device><compact-ticket>t=EwC4AupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAASqi2TXnGjlwAu31392M73Fb3NLs+ZQRignS3ZFPObkSGkFek37uOyYYuzSHrs9bZkvI2MqbCBAqe66+gu9nnpALXaCl/MA9BMD5I1j61O0Ye7
2024-09-03 19:45:04 UTC	218	OUT	Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 4a 32 75 42 53 7a 63 68 51 30 71 39 66 54 58 2f 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 35 30 32 39 31 32 33 32 35 33 31 62 34 62 62 66 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e Data Ascii: BND 3 CON\WNS 0 197MS-CV: J2uBSzchQ0q9fTX/.3Context: 50291232531b4bbf<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
2024-09-03 19:45:04 UTC	14	IN	Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a Data Ascii: 202 1 CON 58
2024-09-03 19:45:04 UTC	58	IN	Data Raw: 4d 53 2d 43 56 3a 20 61 49 6c 39 70 67 50 54 2b 55 53 52 6e 61 6e 68 49 79 49 4e 67 51 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e Data Ascii: MS-CV: aIl9pgPT+USRnanhIyINgQ.0Payload parsing failed.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49728	13.107.246.42	443	7444	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-03 19:45:04 UTC	486	OUT	GET /assets/arbitration_priority_list/4.0.5/asset?assetgroup=ArbitrationService HTTP/1.1 Host: edgeassetservice.azureedge.net Connection: keep-alive Edge-Asset-Group: ArbitrationService Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55 Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
2024-09-03 19:45:05 UTC	552	IN	HTTP/1.1 200 OK Date: Tue, 03 Sep 2024 19:45:04 GMT Content-Type: application/octet-stream Content-Length: 11989 Connection: close Last-Modified: Fri, 30 Aug 2024 17:05:10 GMT ETag: 0x8DCC915E7CD8385 x-ms-request-id: 1b6aa40f-801e-0039-70c1-fc28a3000000 x-ms-version: 2009-09-19 x-ms-lease-status: unlocked x-ms-blob-type: BlockBlob x-azure-ref: 20240903T194504Z-16579567576fh7f86y3uqsyhx000000009p000000000r59k Cache-Control: public, max-age=604800 x-fd-int-roxy-purgeid: 0 X-Cache-Info: L1_T2 X-Cache: TCP_HIT Accept-Ranges: bytes
2024-09-03 19:45:05 UTC	11989	IN	Data Raw: 7b 0d 0a 20 20 22 63 6f 6e 66 69 67 56 65 72 73 69 6f 6e 22 3a 20 33 32 2c 0d 0a 20 20 22 50 72 69 76 69 6c 65 67 65 64 45 78 70 65 72 69 65 6e 63 65 73 22 3a 20 5b 0d 0a 20 20 20 20 22 53 68 6f 72 65 6c 69 6e 65 50 72 69 76 69 6c 65 67 65 64 45 78 70 65 72 69 65 6e 63 65 49 44 22 2c 0d 0a 20 20 20 20 22 53 48 4f 50 50 49 4e 47 5f 41 55 54 4f 5f 53 48 4f 57 5f 43 4f 55 50 4f 4e 53 5f 43 48 45 43 4b 4f 55 54 22 2c 0d 0a 20 20 20 20 22 53 48 4f 50 50 49 4e 47 5f 41 55 54 4f 5f 53 48 4f 57 5f 4c 4f 57 45 52 5f 50 52 49 43 45 5f 46 4f 55 4e 44 22 2c 0d 0a 20 20 20 20 22 53 48 4f 50 50 49 4e 47 5f 41 55 54 4f 5f 53 48 4f 57 5f 42 49 4e 47 5f 53 45 41 52 43 48 22 2c 0d 0a 20 20 20 20 22 53 48 4f 50 50 49 4e 47 5f 41 55 54 4f 5f 53 48 4f 57 5f 52 45 42 41 54 45 Data Ascii: { "configVersion": 32, "PrivilegedExperiences": [ "ShorelinePrivilegedExperienceID", "SHOPPING_AUTO_SHOW_COUPONS_CHECKOUT", "SHOPPING_AUTO_SHOW_LOWER_PRICE_FOUND", "SHOPPING_AUTO_SHOW_BING_SEARCH", "SHOPPING_AUTO_SHOW_REBATE

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	49729	13.107.246.42	443	7444	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-03 19:45:04 UTC	711	OUT	GET /assets/domains_config_gz/2.8.76/asset?assetgroup=EntityExtractionDomainsConfig HTTP/1.1 Host: edgeassetservice.azureedge.net Connection: keep-alive Edge-Asset-Group: EntityExtractionDomainsConfig Sec-Mesh-Client-Edge-Version: 117.0.2045.55 Sec-Mesh-Client-Edge-Channel: stable Sec-Mesh-Client-OS: Windows Sec-Mesh-Client-OS-Version: 10.0.19045 Sec-Mesh-Client-Arch: x86_64 Sec-Mesh-Client-WebView: 0 Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55 Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
2024-09-03 19:45:05 UTC	576	IN	HTTP/1.1 200 OK Date: Tue, 03 Sep 2024 19:45:05 GMT Content-Type: application/octet-stream Content-Length: 70207 Connection: close Content-Encoding: gzip Last-Modified: Fri, 02 Aug 2024 18:10:35 GMT ETag: 0x8DCB31E67C22927 x-ms-request-id: 3afe9785-e01e-0066-3464-fbda5d000000 x-ms-version: 2009-09-19 x-ms-lease-status: unlocked x-ms-blob-type: BlockBlob x-azure-ref: 20240903T194505Z-165795675762gt5gbs4b9bazh800000009k000000000nw3c Cache-Control: public, max-age=604800 x-fd-int-roxy-purgeid: 0 X-Cache-Info: L1_T2 X-Cache: TCP_HIT Accept-Ranges: bytes
2024-09-03 19:45:05 UTC	15808	IN	Data Raw: 1f 8b 08 08 1a 21 ad 66 02 ff 61 73 73 65 74 00 ec bd 0b 97 db 36 b2 30 f8 57 b2 b9 33 b3 dd 89 d5 d6 5b dd d9 cd fa f4 d3 f1 f8 39 6d 3b 19 db f1 d5 01 49 48 a2 45 91 0c 1f 6a ab c3 be bf 7d 0b 05 80 00 08 50 52 db ce 77 ef b7 67 67 9c 16 09 14 0a 40 a1 50 a8 2a 14 c0 3f bf f7 93 78 16 ce bf ff e9 bb 3f bf 2f 92 25 8d a7 51 b8 0a 0b 78 ef 8d bb dd 07 df 7d 9f 92 39 9d fa 65 91 cc 66 90 38 1c f4 59 62 40 67 a4 8c 8a 69 94 f8 24 a2 d3 15 49 11 81 c7 f0 c0 df 0e 3c 00 94 97 e3 6b de f1 08 7b a5 11 7b a5 51 67 9e e1 6b 8c af 71 a7 cc f1 15 81 69 de 59 7d c6 d7 02 5f 8b 0e a5 ec d5 c7 5c 3f ef f8 b7 ec 35 20 ec 35 20 9d 60 89 af 14 5f 69 27 40 e0 19 e6 ce 48 27 c4 8a 66 21 be 86 1d 78 60 af 19 be 66 9d 19 e6 2e b0 ec 82 76 c2 08 5f 31 77 91 75 16 3c b7 c4 d7 Data Ascii: !fasset60W3[9m;IHEj}PRwgg@P*?x?/%Qx}9ef8Yb@gi$I<k{{QgkqiY}_\?5 5 `_i'@H'f!x`f.v_1wu<
2024-09-03 19:45:05 UTC	16384	IN	Data Raw: c5 f3 e8 07 bb 82 71 ba da 2a 0b c7 62 2c 30 96 c2 52 09 74 65 c0 2a 8a c3 88 95 9c 7c 3e a9 79 09 d4 fa 9a 9f 30 4a 49 28 2b d7 97 ff 7a 7b f9 fa cd f4 c9 05 68 2b 37 9c c1 08 01 cb 2f 28 f3 02 34 de 08 0c a6 34 da 38 c6 ec 48 27 33 28 96 9f 45 d9 4f 9f 12 f7 54 d2 47 a6 39 87 08 81 e9 6d 4f c1 43 97 10 bf ad 59 55 67 39 13 fe 1e 05 67 65 16 87 6c 9b f5 cb 90 60 eb 3d ea 25 09 33 8b f9 4a fb 10 ef 11 3b 7c e8 61 60 14 a0 60 b9 7c 16 e7 69 54 b1 c3 22 c0 e0 29 df c2 05 4c 8f bc f0 67 5e 04 75 33 51 9a b7 e1 61 1a 61 48 f5 c3 30 f7 62 91 d5 a8 34 39 2a 97 ff 2d f5 aa c1 c2 6c 78 e0 35 33 d1 42 b3 75 c4 be 3b f4 d0 68 83 51 a7 81 2d a0 ff 0d 5d 10 62 ed 7f 55 a5 99 9f 25 2b 2f a4 4d 09 21 65 43 c7 04 cf 93 19 f3 c1 d0 b6 e9 14 38 59 31 29 8b 4d 52 3a c4 97 Data Ascii: qb,0Rte\|>y0JI(+z{h+7/(448H'3(EOTG9mOCYUg9gel`=%3J;\|a``\|iT")Lg^u3QaaH0b49*-lx53Bu;hQ-]bU%+/M!eC8Y1)MR:
2024-09-03 19:45:05 UTC	16384	IN	Data Raw: c1 f4 52 a7 67 b3 99 ff bc b7 c2 8e 7c d3 4d 9a a5 bf dc f0 20 15 b1 bc 1f 82 9a 8d 98 a7 af db 80 6b 74 e7 ab 7c e6 18 7d 9a 2b 3e 34 2d 1a e7 c0 d5 e8 b4 a0 0e d4 7d 19 bb 69 52 58 a2 33 32 78 db 4b 2d cd 54 dd d2 2b 9c a0 29 69 1a ba 4a ee 0a 4d 33 5a 7b a7 1a 83 5f f3 f7 fe 2c 2f 84 3b 39 d0 56 82 ef 75 a4 f3 69 57 af 58 09 8c 2a 1d 24 b9 4e 6b cf 63 d0 74 99 e3 02 0f 26 7f 1a 86 a9 a8 69 fa 5a d8 25 83 c1 ea f8 fd 12 62 16 86 38 17 5a 19 6f 13 03 00 e6 6a 07 a4 40 be bb 20 de a6 de bf d1 06 75 32 1f c3 4f 67 41 ad 31 bd b0 9c ee 44 47 33 2a 92 9c d3 f6 35 64 a9 b1 d3 f6 b1 c7 a7 b4 80 af ea c1 2a 6c dd 81 a0 0b 67 ca d2 b2 11 7c 8d dc 39 47 56 d1 bd 08 e8 ec 3e 4f c9 56 d6 7a d3 9a 56 4d 17 50 41 9b 17 9b 37 36 da 2e 7c a4 ba 63 f5 72 cd 6b 58 b5 9b Data Ascii: Rg\|M kt\|}+>4-}iRX32xK-T+)iJM3Z{_,/;9VuiWX$Nkct&iZ%b8Zoj@ u2OgA1DG35d*lg\|9GV>OVzVMPA76.\|crkX
2024-09-03 19:45:05 UTC	16384	IN	Data Raw: 41 9e 48 c8 71 d7 39 94 dd f7 b6 3f 2a 48 d1 b5 2e 37 a4 97 5f 43 54 c9 8d d7 76 7a 14 e4 6f 3b 80 f7 6a 61 e8 6f 47 e9 2d cb 60 84 66 2b c0 b9 77 09 1b c0 32 5c aa 6c 0e 25 81 ed a0 5e 61 25 37 6f 3c a5 bc 1f 04 1a dd b1 04 1d c9 73 16 3a 58 a8 69 4d 12 c1 5e e9 66 5f 14 6c e4 9e d4 61 25 e1 2f c3 fc b8 ed df 80 5d 2b 3a 5b 4c 56 c9 72 1f 59 1d 6a 72 0b d2 b0 4c 8e d5 67 db 16 79 41 90 65 4f 4b 68 63 f6 d1 e5 db b6 6a 18 e6 ca 5f 04 79 2e 71 69 5d 0e 19 cc d9 f6 58 27 58 af 1c 18 04 f1 98 d2 bf 15 1e 37 ce e0 1e 88 54 83 3c 82 f8 a8 05 5f b0 1b 3f 2f 02 8f 31 a4 e9 1d ed 45 e6 e4 85 e6 b9 66 4c fd cd 8d e4 58 f7 79 73 8b 47 40 25 b6 0d 7f 78 ff a8 fe e7 7d 69 4a fc 00 c7 b0 37 a9 44 f0 40 1e e8 bd 41 8a b4 0a 5d 5a 2c 0e 60 f7 fb 81 3b 35 42 38 50 3b bc Data Ascii: AHq9?*H.7_CTvzo;jaoG-`f+w2\l%^a%7o<s:XiM^f_la%/]+:[LVrYjrLgyAeOKhcj_y.qi]X'X7T<_?/1EfLXysG@%x}iJ7D@A]Z,`;5B8P;
2024-09-03 19:45:05 UTC	5247	IN	Data Raw: 9a 2a 83 ab 27 93 58 c5 2b d2 9c af 2b 4e 0f 79 ac a9 56 57 20 b1 61 ca d2 f5 ed 38 df 10 b9 60 88 4c 48 ac b1 cd 10 b5 8f 76 49 19 f2 b6 d5 54 1d d1 9c b1 20 7a d3 64 f7 91 a2 0c 4d 73 6d e0 da be ee e6 87 03 9f 5e f7 4f 98 9c 12 cd 88 68 4c 2e b1 48 00 60 c3 31 74 31 8d 87 b4 32 56 02 4f bf e1 a9 3b c0 40 d6 24 8e 10 55 c7 c3 e7 8c f3 78 28 78 d3 94 de b0 5a 4d 22 eb 28 5c 22 00 98 8e 15 1a f8 ab ac 54 f4 5d 80 d0 a5 aa 6e 87 83 fd d6 f1 b0 c0 82 f7 f4 5e ef 2f 2b b8 62 a2 13 a1 4d ae 60 cf 59 3c b1 b1 f4 40 4d 41 74 7c ac 2c 5a 9e ef f4 d2 81 6d 69 e1 d3 8b 73 2c 84 2c 06 37 fd 72 38 10 a5 b2 13 51 f1 a0 a2 06 7d 3f 89 8f 72 35 a0 58 a0 46 79 2f b7 1f cc 57 92 ec c8 b4 b5 f2 5c 65 e7 30 5a 93 e3 b1 8e 5f f5 91 44 87 44 19 1d 59 83 cf 54 85 de 92 34 2e Data Ascii: *'X++NyVW a8`LHvIT zdMsm^OhL.H`1t12VO;@$Ux(xZM"(\"T]n^/+bM`Y<@MAt\|,Zmis,,7r8Q}?r5XFy/W\e0Z_DDYT4.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.6	49739	162.159.61.3	443	7444	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-03 19:45:06 UTC	245	OUT	POST /dns-query HTTP/1.1 Host: chrome.cloudflare-dns.com Connection: keep-alive Content-Length: 128 Accept: application/dns-message Accept-Language: * User-Agent: Chrome Accept-Encoding: identity Content-Type: application/dns-message
2024-09-03 19:45:06 UTC	128	OUT	Data Raw: 00 00 01 00 00 01 00 00 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 00 00 29 10 00 00 00 00 00 00 54 00 0c 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: wwwgstaticcom)TP
2024-09-03 19:45:06 UTC	247	IN	HTTP/1.1 200 OK Server: cloudflare Date: Tue, 03 Sep 2024 19:45:06 GMT Content-Type: application/dns-message Connection: close Access-Control-Allow-Origin: * Content-Length: 468 CF-RAY: 8bd83cfd7dbf4321-EWR alt-svc: h3=":443"; ma=86400
2024-09-03 19:45:06 UTC	468	IN	Data Raw: 00 00 81 80 00 01 00 01 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 c0 0c 00 01 00 01 00 00 01 1e 00 04 8e fa 41 a3 00 00 29 04 d0 00 00 00 00 01 98 00 0c 01 94 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: wwwgstaticcomA)

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.6	49737	172.64.41.3	443	7444	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-03 19:45:06 UTC	245	OUT	POST /dns-query HTTP/1.1 Host: chrome.cloudflare-dns.com Connection: keep-alive Content-Length: 128 Accept: application/dns-message Accept-Language: * User-Agent: Chrome Accept-Encoding: identity Content-Type: application/dns-message
2024-09-03 19:45:06 UTC	128	OUT	Data Raw: 00 00 01 00 00 01 00 00 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 00 00 29 10 00 00 00 00 00 00 54 00 0c 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: wwwgstaticcom)TP
2024-09-03 19:45:06 UTC	247	IN	HTTP/1.1 200 OK Server: cloudflare Date: Tue, 03 Sep 2024 19:45:06 GMT Content-Type: application/dns-message Connection: close Access-Control-Allow-Origin: * Content-Length: 468 CF-RAY: 8bd83cfd7cb67d20-EWR alt-svc: h3=":443"; ma=86400
2024-09-03 19:45:06 UTC	468	IN	Data Raw: 00 00 81 80 00 01 00 01 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 c0 0c 00 01 00 01 00 00 01 04 00 04 8e fb 28 c3 00 00 29 04 d0 00 00 00 00 01 98 00 0c 01 94 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: wwwgstaticcom()

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.6	49738	162.159.61.3	443	7444	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-03 19:45:06 UTC	245	OUT	POST /dns-query HTTP/1.1 Host: chrome.cloudflare-dns.com Connection: keep-alive Content-Length: 128 Accept: application/dns-message Accept-Language: * User-Agent: Chrome Accept-Encoding: identity Content-Type: application/dns-message
2024-09-03 19:45:06 UTC	128	OUT	Data Raw: 00 00 01 00 00 01 00 00 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 00 00 29 10 00 00 00 00 00 00 54 00 0c 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: wwwgstaticcom)TP
2024-09-03 19:45:06 UTC	247	IN	HTTP/1.1 200 OK Server: cloudflare Date: Tue, 03 Sep 2024 19:45:06 GMT Content-Type: application/dns-message Connection: close Access-Control-Allow-Origin: * Content-Length: 468 CF-RAY: 8bd83cfd7cbb420a-EWR alt-svc: h3=":443"; ma=86400
2024-09-03 19:45:06 UTC	468	IN	Data Raw: 00 00 81 80 00 01 00 01 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 c0 0c 00 01 00 01 00 00 01 03 00 04 8e fb 20 63 00 00 29 04 d0 00 00 00 00 01 98 00 0c 01 94 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: wwwgstaticcom c)

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.6	49736	162.159.61.3	443	7444	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-03 19:45:06 UTC	245	OUT	POST /dns-query HTTP/1.1 Host: chrome.cloudflare-dns.com Connection: keep-alive Content-Length: 128 Accept: application/dns-message Accept-Language: * User-Agent: Chrome Accept-Encoding: identity Content-Type: application/dns-message
2024-09-03 19:45:06 UTC	128	OUT	Data Raw: 00 00 01 00 00 01 00 00 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 00 00 29 10 00 00 00 00 00 00 54 00 0c 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: wwwgstaticcom)TP
2024-09-03 19:45:06 UTC	247	IN	HTTP/1.1 200 OK Server: cloudflare Date: Tue, 03 Sep 2024 19:45:06 GMT Content-Type: application/dns-message Connection: close Access-Control-Allow-Origin: * Content-Length: 468 CF-RAY: 8bd83cfd794f17f5-EWR alt-svc: h3=":443"; ma=86400
2024-09-03 19:45:06 UTC	468	IN	Data Raw: 00 00 81 80 00 01 00 01 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 c0 0c 00 01 00 01 00 00 01 11 00 04 8e fb 28 e3 00 00 29 04 d0 00 00 00 00 01 98 00 0c 01 94 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: wwwgstaticcom()

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.6	49740	172.64.41.3	443	7444	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-03 19:45:06 UTC	245	OUT	POST /dns-query HTTP/1.1 Host: chrome.cloudflare-dns.com Connection: keep-alive Content-Length: 128 Accept: application/dns-message Accept-Language: * User-Agent: Chrome Accept-Encoding: identity Content-Type: application/dns-message
2024-09-03 19:45:06 UTC	128	OUT	Data Raw: 00 00 01 00 00 01 00 00 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 00 00 29 10 00 00 00 00 00 00 54 00 0c 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: wwwgstaticcom)TP
2024-09-03 19:45:06 UTC	247	IN	HTTP/1.1 200 OK Server: cloudflare Date: Tue, 03 Sep 2024 19:45:06 GMT Content-Type: application/dns-message Connection: close Access-Control-Allow-Origin: * Content-Length: 468 CF-RAY: 8bd83cfdc9468c9c-EWR alt-svc: h3=":443"; ma=86400
2024-09-03 19:45:06 UTC	468	IN	Data Raw: 00 00 81 80 00 01 00 01 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 c0 0c 00 01 00 01 00 00 00 e0 00 04 8e fa 48 63 00 00 29 04 d0 00 00 00 00 01 98 00 0c 01 94 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: wwwgstaticcomHc)

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.6	49741	184.28.90.27	443

Timestamp	Bytes transferred	Direction	Data
2024-09-03 19:45:06 UTC	161	OUT	HEAD /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-09-03 19:45:06 UTC	467	IN	HTTP/1.1 200 OK Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (lpl/EF67) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-weu-z1 Cache-Control: public, max-age=248434 Date: Tue, 03 Sep 2024 19:45:06 GMT Connection: close X-CID: 2

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.6	49742	184.28.90.27	443

Timestamp	Bytes transferred	Direction	Data
2024-09-03 19:45:07 UTC	239	OUT	GET /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity If-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMT Range: bytes=0-2147483646 User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-09-03 19:45:08 UTC	515	IN	HTTP/1.1 200 OK ApiVersion: Distribute 1.1 Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (lpl/EF06) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-weu-z1 Cache-Control: public, max-age=248487 Date: Tue, 03 Sep 2024 19:45:07 GMT Content-Length: 55 Connection: close X-CID: 2
2024-09-03 19:45:08 UTC	55	IN	Data Raw: 7b 22 66 6f 6e 74 53 65 74 55 72 69 22 3a 22 66 6f 6e 74 73 65 74 2d 32 30 31 37 2d 30 34 2e 6a 73 6f 6e 22 2c 22 62 61 73 65 55 72 69 22 3a 22 66 6f 6e 74 73 22 7d Data Ascii: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.6	49745	142.250.65.174	443	7444	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-03 19:45:08 UTC	567	OUT	OPTIONS /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Accept: / Access-Control-Request-Method: POST Access-Control-Request-Headers: x-goog-authuser Origin: https://accounts.google.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55 Sec-Fetch-Mode: cors Sec-Fetch-Site: same-site Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.9
2024-09-03 19:45:08 UTC	520	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Max-Age: 86400 Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web,authorization,origin,x-goog-authuser Content-Type: text/plain; charset=UTF-8 Date: Tue, 03 Sep 2024 19:45:08 GMT Server: Playlog Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.6	49746	142.250.65.174	443	7444	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-03 19:45:08 UTC	567	OUT	OPTIONS /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Accept: / Access-Control-Request-Method: POST Access-Control-Request-Headers: x-goog-authuser Origin: https://accounts.google.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55 Sec-Fetch-Mode: cors Sec-Fetch-Site: same-site Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.9
2024-09-03 19:45:08 UTC	520	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Max-Age: 86400 Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web,authorization,origin,x-goog-authuser Content-Type: text/plain; charset=UTF-8 Date: Tue, 03 Sep 2024 19:45:08 GMT Server: Playlog Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.6	49747	142.250.65.164	443	7444	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-03 19:45:08 UTC	887	OUT	GET /favicon.ico HTTP/1.1 Host: www.google.com Connection: keep-alive sec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55 sec-ch-ua-arch: "x86" sec-ch-ua-full-version: "117.0.2045.55" sec-ch-ua-platform-version: "10.0.0" sec-ch-ua-full-version-list: "Microsoft Edge";v="117.0.2045.55", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.150" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 Sec-Fetch-Site: same-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.9
2024-09-03 19:45:08 UTC	705	IN	HTTP/1.1 200 OK Accept-Ranges: bytes Cross-Origin-Resource-Policy: cross-origin Cross-Origin-Opener-Policy-Report-Only: same-origin; report-to="static-on-bigtable" Report-To: {"group":"static-on-bigtable","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/static-on-bigtable"}]} Content-Length: 5430 X-Content-Type-Options: nosniff Server: sffe X-XSS-Protection: 0 Date: Tue, 03 Sep 2024 17:33:23 GMT Expires: Wed, 11 Sep 2024 17:33:23 GMT Cache-Control: public, max-age=691200 Last-Modified: Tue, 22 Oct 2019 18:30:00 GMT Content-Type: image/x-icon Vary: Accept-Encoding Age: 7905 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-09-03 19:45:08 UTC	685	IN	Data Raw: 00 00 01 00 02 00 10 10 00 00 01 00 20 00 68 04 00 00 26 00 00 00 20 20 00 00 01 00 20 00 a8 10 00 00 8e 04 00 00 28 00 00 00 10 00 00 00 20 00 00 00 01 00 20 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff ff 30 fd fd fd 96 fd fd fd d8 fd fd fd f9 fd fd fd f9 fd fd fd d7 fd fd fd 94 fe fe fe 2e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 09 fd fd fd 99 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd 95 ff ff ff 08 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 09 fd fd fd c1 ff ff ff ff fa fd f9 ff b4 d9 a7 ff 76 ba 5d ff 58 ab 3a ff 58 aa 3a ff 72 b8 59 ff ac d5 9d ff f8 fb f6 ff ff Data Ascii: h& ( 0.v]X:X:rY
2024-09-03 19:45:08 UTC	1390	IN	Data Raw: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd d8 fd fd fd 99 ff ff ff ff 92 cf fb ff 37 52 ec ff 38 46 ea ff d0 d4 fa ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd 96 fe fe fe 32 ff ff ff ff f9 f9 fe ff 56 62 ed ff 35 43 ea ff 3b 49 eb ff 95 9c f4 ff cf d2 fa ff d1 d4 fa ff 96 9d f4 ff 52 5e ed ff e1 e3 fc ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 30 00 00 00 00 fd fd fd 9d ff ff ff ff e8 ea fd ff 58 63 ee ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 6c 76 f0 ff ff ff ff ff ff ff ff ff fd fd fd 98 00 00 00 00 00 00 00 00 ff ff ff 0a fd fd fd c3 ff ff ff ff f9 f9 fe ff a5 ac f6 ff 5d 69 ee ff 3c 4a Data Ascii: 7R8F2Vb5C;IR^0Xc5C5C5C5C5C5Clv]i<J
2024-09-03 19:45:08 UTC	1390	IN	Data Raw: ff ff ff ff ff ff ff ff ff ff ff fd fd fd d0 ff ff ff 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fd fd fd 8b ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff b1 d8 a3 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 60 a5 35 ff ca 8e 3e ff f9 c1 9f ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd 87 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 25 fd fd fd fb ff ff ff ff ff ff ff ff ff ff ff ff c2 e0 b7 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 6e b6 54 ff 9f ce 8d ff b7 da aa ff b8 db ab ff a5 d2 95 ff 7b bc 64 ff 54 a8 35 ff 53 a8 34 ff 77 a0 37 ff e3 89 41 ff f4 85 42 ff f4 85 42 ff Data Ascii: S4S4S4S4S4S4S4S4S4S4S4S4S4S4`5>%S4S4S4S4S4S4nT{dT5S4w7ABB
2024-09-03 19:45:08 UTC	1390	IN	Data Raw: ff f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff fb d5 bf ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd ea fd fd fd cb ff ff ff ff ff ff ff ff ff ff ff ff 46 cd fc ff 05 bc fb ff 05 bc fb ff 05 bc fb ff 21 ae f9 ff fb fb ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd c8 fd fd fd 9c ff ff ff ff ff ff ff ff ff ff ff ff 86 df fd ff 05 bc fb ff 05 bc fb ff 15 93 f5 ff 34 49 eb ff b3 b8 f7 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Data Ascii: BBBBBBF!4I
2024-09-03 19:45:08 UTC	575	IN	Data Raw: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd d2 fe fe fe 24 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff ff 0a fd fd fd 8d fd fd fd fc ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd fb fd fd fd 8b fe fe fe 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 27 fd fd fd 9f fd fd fd f7 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Data Ascii: $'

Session ID	Source IP	Source Port	Destination IP	Destination Port
13	192.168.2.6	49750	20.197.71.89	443

Timestamp	Bytes transferred	Direction	Data
2024-09-03 19:45:14 UTC	71	OUT	Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 6f 43 76 4e 4c 31 56 4b 4a 45 47 71 73 69 2b 38 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 31 37 33 34 32 31 33 34 61 38 62 63 31 64 38 39 0d 0a 0d 0a Data Ascii: CNT 1 CON 305MS-CV: oCvNL1VKJEGqsi+8.1Context: 17342134a8bc1d89
2024-09-03 19:45:14 UTC	249	OUT	Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
2024-09-03 19:45:14 UTC	1084	OUT	Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 36 31 0d 0a 4d 53 2d 43 56 3a 20 6f 43 76 4e 4c 31 56 4b 4a 45 47 71 73 69 2b 38 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 31 37 33 34 32 31 33 34 61 38 62 63 31 64 38 39 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 34 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 53 71 69 32 54 58 6e 47 6a 6c 77 41 75 33 31 33 39 32 4d 37 33 46 62 33 4e 4c 73 2b 5a 51 52 69 67 6e 53 33 5a 46 50 4f 62 6b 53 47 6b 46 65 6b 33 37 75 4f 79 59 59 75 7a 53 48 72 73 39 62 5a 6b 76 49 32 4d 71 62 43 42 41 71 65 36 36 2b 67 75 39 6e 6e 70 41 4c 58 61 43 6c 2f 4d 41 39 42 4d 44 35 49 31 6a 36 31 4f 30 59 65 37 Data Ascii: ATH 2 CON\DEVICE 1061MS-CV: oCvNL1VKJEGqsi+8.2Context: 17342134a8bc1d89<device><compact-ticket>t=EwC4AupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAASqi2TXnGjlwAu31392M73Fb3NLs+ZQRignS3ZFPObkSGkFek37uOyYYuzSHrs9bZkvI2MqbCBAqe66+gu9nnpALXaCl/MA9BMD5I1j61O0Ye7
2024-09-03 19:45:14 UTC	218	OUT	Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 6f 43 76 4e 4c 31 56 4b 4a 45 47 71 73 69 2b 38 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 31 37 33 34 32 31 33 34 61 38 62 63 31 64 38 39 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e Data Ascii: BND 3 CON\WNS 0 197MS-CV: oCvNL1VKJEGqsi+8.3Context: 17342134a8bc1d89<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
2024-09-03 19:45:14 UTC	14	IN	Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a Data Ascii: 202 1 CON 58
2024-09-03 19:45:14 UTC	58	IN	Data Raw: 4d 53 2d 43 56 3a 20 43 70 43 34 6a 63 71 62 55 45 2b 68 6c 5a 56 35 67 72 61 64 36 67 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e Data Ascii: MS-CV: CpC4jcqbUE+hlZV5grad6g.0Payload parsing failed.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.6	49751	40.127.169.103	443

Timestamp	Bytes transferred	Direction	Data
2024-09-03 19:45:16 UTC	306	OUT	GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=kmCaG8x8tzDDLSy&MD=U4hRGUfS HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-09-03 19:45:16 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "XAopazV00XDWnJCwkmEWRv6JkbjRA9QSSZ2+e/3MzEk=_2880" MS-CorrelationId: b3e50939-68ed-4374-9306-997a0fff867f MS-RequestId: 8edbac86-ae51-4bd8-8a62-98d74f84830c MS-CV: matMjouJukaGnOd9.0 X-Microsoft-SLSClientCache: 2880 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Tue, 03 Sep 2024 19:45:15 GMT Connection: close Content-Length: 24490
2024-09-03 19:45:16 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 92 1e 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 23 d0 00 00 14 00 00 00 00 00 10 00 92 1e 00 00 18 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 e6 42 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 78 cf 8d 5c 26 1e e6 42 43 4b ed 5c 07 54 13 db d6 4e a3 f7 2e d5 d0 3b 4c 42 af 4a 57 10 e9 20 bd 77 21 94 80 88 08 24 2a 02 02 d2 55 10 a4 a8 88 97 22 8a 0a d2 11 04 95 ae d2 8b 20 28 0a 88 20 45 05 f4 9f 80 05 bd ed dd f7 ff 77 dd f7 bf 65 d6 4a 66 ce 99 33 67 4e d9 7b 7f fb db 7b 56 f4 4d 34 b4 21 e0 a7 03 0a d9 fc 68 6e 1d 20 70 28 14 02 85 20 20 ad 61 10 08 e3 66 0d ed 66 9b 1d 6a 90 af 1f 17 f0 4b 68 35 01 83 6c fb 44 42 5c 7d 83 3d 03 30 be 3e ae be 58 Data Ascii: MSCFD#AdBenvironment.cabx\&BCK\TN.;LBJW w!$*U" ( EweJf3gN{{VM4!hn p( affjKh5lDB\}=0>X
2024-09-03 19:45:16 UTC	8666	IN	Data Raw: 04 01 31 2f 30 2d 30 0a 02 05 00 e1 2b 8a 50 02 01 00 30 0a 02 01 00 02 02 12 fe 02 01 ff 30 07 02 01 00 02 02 11 e6 30 0a 02 05 00 e1 2c db d0 02 01 00 30 36 06 0a 2b 06 01 04 01 84 59 0a 04 02 31 28 30 26 30 0c 06 0a 2b 06 01 04 01 84 59 0a 03 02 a0 0a 30 08 02 01 00 02 03 07 a1 20 a1 0a 30 08 02 01 00 02 03 01 86 a0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 03 81 81 00 0c d9 08 df 48 94 57 65 3e ad e7 f2 17 9c 1f ca 3d 4d 6c cd 51 e1 ed 9c 17 a5 52 35 0f fd de 4b bd 22 92 c5 69 e5 d7 9f 29 23 72 40 7a ca 55 9d 8d 11 ad d5 54 00 bb 53 b4 87 7b 72 84 da 2d f6 e3 2c 4f 7e ba 1a 58 88 6e d6 b9 6d 16 ae 85 5b b5 c2 81 a8 e0 ee 0a 9c 60 51 3a 7b e4 61 f8 c3 e4 38 bd 7d 28 17 d6 79 f0 c8 58 c6 ef 1f f7 88 65 b1 ea 0a c0 df f7 ee 5c 23 c2 27 fd 98 63 08 31 Data Ascii: 1/0-0+P000,06+Y1(0&0+Y0 00*HHWe>=MlQR5K"i)#r@zUTS{r-,O~Xnm[`Q:{a8}(yXe\#'c1

Session ID	Source IP	Source Port	Destination IP	Destination Port
15	192.168.2.6	49755	20.197.71.89	443

Timestamp	Bytes transferred	Direction	Data
2024-09-03 19:45:31 UTC	71	OUT	Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 2b 35 6c 6e 65 69 2f 35 52 55 61 6a 57 56 51 5a 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 61 65 36 65 35 33 33 35 34 61 37 64 37 39 66 38 0d 0a 0d 0a Data Ascii: CNT 1 CON 305MS-CV: +5lnei/5RUajWVQZ.1Context: ae6e53354a7d79f8
2024-09-03 19:45:31 UTC	249	OUT	Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
2024-09-03 19:45:31 UTC	1084	OUT	Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 36 31 0d 0a 4d 53 2d 43 56 3a 20 2b 35 6c 6e 65 69 2f 35 52 55 61 6a 57 56 51 5a 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 61 65 36 65 35 33 33 35 34 61 37 64 37 39 66 38 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 34 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 53 71 69 32 54 58 6e 47 6a 6c 77 41 75 33 31 33 39 32 4d 37 33 46 62 33 4e 4c 73 2b 5a 51 52 69 67 6e 53 33 5a 46 50 4f 62 6b 53 47 6b 46 65 6b 33 37 75 4f 79 59 59 75 7a 53 48 72 73 39 62 5a 6b 76 49 32 4d 71 62 43 42 41 71 65 36 36 2b 67 75 39 6e 6e 70 41 4c 58 61 43 6c 2f 4d 41 39 42 4d 44 35 49 31 6a 36 31 4f 30 59 65 37 Data Ascii: ATH 2 CON\DEVICE 1061MS-CV: +5lnei/5RUajWVQZ.2Context: ae6e53354a7d79f8<device><compact-ticket>t=EwC4AupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAASqi2TXnGjlwAu31392M73Fb3NLs+ZQRignS3ZFPObkSGkFek37uOyYYuzSHrs9bZkvI2MqbCBAqe66+gu9nnpALXaCl/MA9BMD5I1j61O0Ye7
2024-09-03 19:45:31 UTC	218	OUT	Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 2b 35 6c 6e 65 69 2f 35 52 55 61 6a 57 56 51 5a 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 61 65 36 65 35 33 33 35 34 61 37 64 37 39 66 38 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e Data Ascii: BND 3 CON\WNS 0 197MS-CV: +5lnei/5RUajWVQZ.3Context: ae6e53354a7d79f8<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
2024-09-03 19:45:31 UTC	14	IN	Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a Data Ascii: 202 1 CON 58
2024-09-03 19:45:31 UTC	58	IN	Data Raw: 4d 53 2d 43 56 3a 20 38 79 59 79 70 52 75 37 36 55 69 45 2b 33 77 77 46 44 37 45 42 51 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e Data Ascii: MS-CV: 8yYypRu76UiE+3wwFD7EBQ.0Payload parsing failed.

Session ID	Source IP	Source Port	Destination IP	Destination Port
16	192.168.2.6	49756	20.197.71.89	443

Timestamp	Bytes transferred	Direction	Data
2024-09-03 19:45:51 UTC	71	OUT	Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 6f 70 34 4b 2f 56 37 65 34 55 79 58 2b 79 6b 43 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 38 37 30 34 37 34 35 36 64 31 33 64 39 62 62 39 0d 0a 0d 0a Data Ascii: CNT 1 CON 305MS-CV: op4K/V7e4UyX+ykC.1Context: 87047456d13d9bb9
2024-09-03 19:45:51 UTC	249	OUT	Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
2024-09-03 19:45:51 UTC	1084	OUT	Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 36 31 0d 0a 4d 53 2d 43 56 3a 20 6f 70 34 4b 2f 56 37 65 34 55 79 58 2b 79 6b 43 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 38 37 30 34 37 34 35 36 64 31 33 64 39 62 62 39 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 34 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 53 71 69 32 54 58 6e 47 6a 6c 77 41 75 33 31 33 39 32 4d 37 33 46 62 33 4e 4c 73 2b 5a 51 52 69 67 6e 53 33 5a 46 50 4f 62 6b 53 47 6b 46 65 6b 33 37 75 4f 79 59 59 75 7a 53 48 72 73 39 62 5a 6b 76 49 32 4d 71 62 43 42 41 71 65 36 36 2b 67 75 39 6e 6e 70 41 4c 58 61 43 6c 2f 4d 41 39 42 4d 44 35 49 31 6a 36 31 4f 30 59 65 37 Data Ascii: ATH 2 CON\DEVICE 1061MS-CV: op4K/V7e4UyX+ykC.2Context: 87047456d13d9bb9<device><compact-ticket>t=EwC4AupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAASqi2TXnGjlwAu31392M73Fb3NLs+ZQRignS3ZFPObkSGkFek37uOyYYuzSHrs9bZkvI2MqbCBAqe66+gu9nnpALXaCl/MA9BMD5I1j61O0Ye7
2024-09-03 19:45:51 UTC	218	OUT	Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 6f 70 34 4b 2f 56 37 65 34 55 79 58 2b 79 6b 43 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 38 37 30 34 37 34 35 36 64 31 33 64 39 62 62 39 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e Data Ascii: BND 3 CON\WNS 0 197MS-CV: op4K/V7e4UyX+ykC.3Context: 87047456d13d9bb9<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
2024-09-03 19:45:51 UTC	14	IN	Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a Data Ascii: 202 1 CON 58
2024-09-03 19:45:51 UTC	58	IN	Data Raw: 4d 53 2d 43 56 3a 20 43 78 69 67 76 6d 4d 51 32 30 32 46 6a 69 63 48 75 78 74 34 58 67 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e Data Ascii: MS-CV: CxigvmMQ202FjicHuxt4Xg.0Payload parsing failed.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.6	49757	40.127.169.103	443

Timestamp	Bytes transferred	Direction	Data
2024-09-03 19:45:54 UTC	306	OUT	GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=kmCaG8x8tzDDLSy&MD=U4hRGUfS HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-09-03 19:45:54 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "vic+p1MiJJ+/WMnK08jaWnCBGDfvkGRzPk9f8ZadQHg=_1440" MS-CorrelationId: c023a68c-318d-44a2-86e5-92f60e87f89b MS-RequestId: b015e28a-66a0-484d-b3ac-38d9249afe7e MS-CV: OqYduPwO1E6OPek5.0 X-Microsoft-SLSClientCache: 1440 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Tue, 03 Sep 2024 19:45:53 GMT Connection: close Content-Length: 30005
2024-09-03 19:45:54 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 8d 2b 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 5b 49 00 00 14 00 00 00 00 00 10 00 8d 2b 00 00 a8 49 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 72 4d 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 fe f6 51 be 21 2b 72 4d 43 4b ed 7c 05 58 54 eb da f6 14 43 49 37 0a 02 d2 b9 86 0e 41 52 a4 1b 24 a5 bb 43 24 44 18 94 90 92 52 41 3a 05 09 95 ee 54 b0 00 91 2e e9 12 10 04 11 c9 6f 10 b7 a2 67 9f bd cf 3e ff b7 ff b3 bf 73 ed e1 9a 99 f5 c6 7a d7 bb de f5 3e cf fd 3c f7 dc 17 4a 1a 52 e7 41 a8 97 1e 14 f4 e5 25 7d f4 05 82 82 c1 20 30 08 06 ba c3 05 02 11 7f a9 c1 ff d2 87 5c 1e f4 ed 65 8e 7a 1f f6 0a 40 03 1d 7b f9 83 2c 1c 2f db b8 3a 39 3a 58 38 ba 73 5e Data Ascii: MSCF+D[I+IdrMenvironment.cabQ!+rMCK\|XTCI7AR$C$DRA:T.og>sz><JRA%} 0\ez@{,/:9:X8s^
2024-09-03 19:45:54 UTC	14181	IN	Data Raw: 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 26 30 24 06 03 55 04 03 13 1d 4d 69 63 72 6f 73 6f 66 74 20 54 69 6d 65 2d 53 74 61 6d 70 20 50 43 41 20 32 30 31 30 30 1e 17 0d 32 33 31 30 31 32 31 39 30 37 32 35 5a 17 0d 32 35 30 31 31 30 31 39 30 37 32 35 5a 30 81 d2 31 0b 30 09 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 2d 30 2b 06 03 55 04 0b 13 24 4d 69 63 72 6f Data Ascii: UUS10UWashington10URedmond10UMicrosoft Corporation1&0$UMicrosoft Time-Stamp PCA 20100231012190725Z250110190725Z010UUS10UWashington10URedmond10UMicrosoft Corporation1-0+U$Micro

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.6	49759	162.159.61.3	443	7444	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-03 19:46:00 UTC	245	OUT	POST /dns-query HTTP/1.1 Host: chrome.cloudflare-dns.com Connection: keep-alive Content-Length: 128 Accept: application/dns-message Accept-Language: * User-Agent: Chrome Accept-Encoding: identity Content-Type: application/dns-message
2024-09-03 19:46:00 UTC	128	OUT	Data Raw: 00 00 01 00 00 01 00 00 00 00 00 01 04 65 64 67 65 09 6d 69 63 72 6f 73 6f 66 74 03 63 6f 6d 00 00 01 00 01 00 00 29 10 00 00 00 00 00 00 51 00 0c 00 4d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: edgemicrosoftcom)QM
2024-09-03 19:46:00 UTC	247	IN	HTTP/1.1 200 OK Server: cloudflare Date: Tue, 03 Sep 2024 19:46:00 GMT Content-Type: application/dns-message Connection: close Access-Control-Allow-Origin: * Content-Length: 468 CF-RAY: 8bd83e4f797f43b2-EWR alt-svc: h3=":443"; ma=86400
2024-09-03 19:46:00 UTC	468	IN	Data Raw: 00 00 81 80 00 01 00 04 00 00 00 01 04 65 64 67 65 09 6d 69 63 72 6f 73 6f 66 74 03 63 6f 6d 00 00 01 00 01 c0 0c 00 05 00 01 00 00 0e 0d 00 2d 12 65 64 67 65 2d 6d 69 63 72 6f 73 6f 66 74 2d 63 6f 6d 0b 64 75 61 6c 2d 61 2d 30 30 33 36 08 61 2d 6d 73 65 64 67 65 03 6e 65 74 00 c0 30 00 05 00 01 00 00 00 39 00 02 c0 43 c0 43 00 01 00 01 00 00 00 39 00 04 cc 4f c5 ef c0 43 00 01 00 01 00 00 00 39 00 04 0d 6b 15 ef 00 00 29 04 d0 00 00 00 00 01 3e 00 0c 01 3a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: edgemicrosoftcom-edge-microsoft-comdual-a-0036a-msedgenet09CC9OC9k)>:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.6	49758	162.159.61.3	443	7444	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-03 19:46:00 UTC	245	OUT	POST /dns-query HTTP/1.1 Host: chrome.cloudflare-dns.com Connection: keep-alive Content-Length: 128 Accept: application/dns-message Accept-Language: * User-Agent: Chrome Accept-Encoding: identity Content-Type: application/dns-message
2024-09-03 19:46:00 UTC	128	OUT	Data Raw: 00 00 01 00 00 01 00 00 00 00 00 01 04 65 64 67 65 09 6d 69 63 72 6f 73 6f 66 74 03 63 6f 6d 00 00 41 00 01 00 00 29 10 00 00 00 00 00 00 51 00 0c 00 4d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: edgemicrosoftcomA)QM
2024-09-03 19:46:00 UTC	247	IN	HTTP/1.1 200 OK Server: cloudflare Date: Tue, 03 Sep 2024 19:46:00 GMT Content-Type: application/dns-message Connection: close Access-Control-Allow-Origin: * Content-Length: 468 CF-RAY: 8bd83e4f9a65421d-EWR alt-svc: h3=":443"; ma=86400
2024-09-03 19:46:00 UTC	468	IN	Data Raw: 00 00 81 80 00 01 00 01 00 01 00 01 04 65 64 67 65 09 6d 69 63 72 6f 73 6f 66 74 03 63 6f 6d 00 00 41 00 01 c0 0c 00 05 00 01 00 00 0d d9 00 2d 12 65 64 67 65 2d 6d 69 63 72 6f 73 6f 66 74 2d 63 6f 6d 0b 64 75 61 6c 2d 61 2d 30 30 33 36 08 61 2d 6d 73 65 64 67 65 03 6e 65 74 00 c0 4f 00 06 00 01 00 00 00 b9 00 23 03 6e 73 31 c0 4f 06 6d 73 6e 68 73 74 c0 11 78 2b 22 e5 00 00 07 08 00 00 03 84 00 24 ea 00 00 00 00 f0 00 00 29 04 d0 00 00 00 00 01 3d 00 0c 01 39 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: edgemicrosoftcomA-edge-microsoft-comdual-a-0036a-msedgenetO#ns1Omsnhstx+"$)=9

Session ID	Source IP	Source Port	Destination IP	Destination Port
20	192.168.2.6	49761	20.197.71.89	443

Timestamp	Bytes transferred	Direction	Data
2024-09-03 19:46:16 UTC	71	OUT	Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 36 53 75 30 4e 66 6e 55 6f 55 71 43 4b 36 42 56 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 37 31 63 62 34 38 35 37 65 38 66 32 63 38 39 33 0d 0a 0d 0a Data Ascii: CNT 1 CON 305MS-CV: 6Su0NfnUoUqCK6BV.1Context: 71cb4857e8f2c893
2024-09-03 19:46:16 UTC	249	OUT	Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
2024-09-03 19:46:16 UTC	1084	OUT	Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 36 31 0d 0a 4d 53 2d 43 56 3a 20 36 53 75 30 4e 66 6e 55 6f 55 71 43 4b 36 42 56 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 37 31 63 62 34 38 35 37 65 38 66 32 63 38 39 33 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 34 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 53 71 69 32 54 58 6e 47 6a 6c 77 41 75 33 31 33 39 32 4d 37 33 46 62 33 4e 4c 73 2b 5a 51 52 69 67 6e 53 33 5a 46 50 4f 62 6b 53 47 6b 46 65 6b 33 37 75 4f 79 59 59 75 7a 53 48 72 73 39 62 5a 6b 76 49 32 4d 71 62 43 42 41 71 65 36 36 2b 67 75 39 6e 6e 70 41 4c 58 61 43 6c 2f 4d 41 39 42 4d 44 35 49 31 6a 36 31 4f 30 59 65 37 Data Ascii: ATH 2 CON\DEVICE 1061MS-CV: 6Su0NfnUoUqCK6BV.2Context: 71cb4857e8f2c893<device><compact-ticket>t=EwC4AupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAASqi2TXnGjlwAu31392M73Fb3NLs+ZQRignS3ZFPObkSGkFek37uOyYYuzSHrs9bZkvI2MqbCBAqe66+gu9nnpALXaCl/MA9BMD5I1j61O0Ye7
2024-09-03 19:46:16 UTC	218	OUT	Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 36 53 75 30 4e 66 6e 55 6f 55 71 43 4b 36 42 56 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 37 31 63 62 34 38 35 37 65 38 66 32 63 38 39 33 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e Data Ascii: BND 3 CON\WNS 0 197MS-CV: 6Su0NfnUoUqCK6BV.3Context: 71cb4857e8f2c893<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
2024-09-03 19:46:16 UTC	14	IN	Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a Data Ascii: 202 1 CON 58
2024-09-03 19:46:16 UTC	58	IN	Data Raw: 4d 53 2d 43 56 3a 20 52 59 77 68 69 6c 41 6b 37 6b 75 4a 67 6b 46 33 44 73 2b 6e 55 41 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e Data Ascii: MS-CV: RYwhilAk7kuJgkF3Ds+nUA.0Payload parsing failed.

Session ID	Source IP	Source Port	Destination IP	Destination Port
21	192.168.2.6	49763	20.197.71.89	443

Timestamp	Bytes transferred	Direction	Data
2024-09-03 19:46:49 UTC	71	OUT	Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 73 42 6c 2b 59 52 4a 48 4f 55 32 45 59 6c 69 66 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 39 34 66 34 35 31 66 38 34 36 61 39 30 66 64 38 0d 0a 0d 0a Data Ascii: CNT 1 CON 305MS-CV: sBl+YRJHOU2EYlif.1Context: 94f451f846a90fd8
2024-09-03 19:46:49 UTC	249	OUT	Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
2024-09-03 19:46:49 UTC	1084	OUT	Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 36 31 0d 0a 4d 53 2d 43 56 3a 20 73 42 6c 2b 59 52 4a 48 4f 55 32 45 59 6c 69 66 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 39 34 66 34 35 31 66 38 34 36 61 39 30 66 64 38 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 34 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 53 71 69 32 54 58 6e 47 6a 6c 77 41 75 33 31 33 39 32 4d 37 33 46 62 33 4e 4c 73 2b 5a 51 52 69 67 6e 53 33 5a 46 50 4f 62 6b 53 47 6b 46 65 6b 33 37 75 4f 79 59 59 75 7a 53 48 72 73 39 62 5a 6b 76 49 32 4d 71 62 43 42 41 71 65 36 36 2b 67 75 39 6e 6e 70 41 4c 58 61 43 6c 2f 4d 41 39 42 4d 44 35 49 31 6a 36 31 4f 30 59 65 37 Data Ascii: ATH 2 CON\DEVICE 1061MS-CV: sBl+YRJHOU2EYlif.2Context: 94f451f846a90fd8<device><compact-ticket>t=EwC4AupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAASqi2TXnGjlwAu31392M73Fb3NLs+ZQRignS3ZFPObkSGkFek37uOyYYuzSHrs9bZkvI2MqbCBAqe66+gu9nnpALXaCl/MA9BMD5I1j61O0Ye7
2024-09-03 19:46:49 UTC	218	OUT	Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 73 42 6c 2b 59 52 4a 48 4f 55 32 45 59 6c 69 66 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 39 34 66 34 35 31 66 38 34 36 61 39 30 66 64 38 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e Data Ascii: BND 3 CON\WNS 0 197MS-CV: sBl+YRJHOU2EYlif.3Context: 94f451f846a90fd8<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
2024-09-03 19:46:50 UTC	14	IN	Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a Data Ascii: 202 1 CON 58
2024-09-03 19:46:50 UTC	58	IN	Data Raw: 4d 53 2d 43 56 3a 20 61 4a 42 70 2b 53 6a 64 44 6b 71 6b 2b 65 66 51 76 69 68 7a 33 67 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e Data Ascii: MS-CV: aJBp+SjdDkqk+efQvihz3g.0Payload parsing failed.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.6	49766	23.55.235.170	443	7444	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-03 19:47:03 UTC	442	OUT	OPTIONS /api/report?cat=bingbusiness HTTP/1.1 Host: bzib.nelreports.net Connection: keep-alive Origin: https://business.bing.com Access-Control-Request-Method: POST Access-Control-Request-Headers: content-type User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55 Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.9,en-US;q=0.8

Target ID:	0
Start time:	15:44:56
Start date:	03/09/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x6c0000
File size:	917'504 bytes
MD5 hash:	722A21A12025094CEFD6DE00AB539383
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	1
Start time:	15:44:57
Start date:	03/09/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
Imagebase:	0x7ff715da0000
File size:	4'210'216 bytes
MD5 hash:	BF154738460E4AB1D388970E1AB13FAB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	15:44:57
Start date:	03/09/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2096 --field-trial-handle=2044,i,12484681974237658777,1687954805475692513,262144 --disable-features=TranslateUI /prefetch:3
Imagebase:	0x7ff715da0000
File size:	4'210'216 bytes
MD5 hash:	BF154738460E4AB1D388970E1AB13FAB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	15:44:57
Start date:	03/09/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate
Imagebase:	0x7ff715da0000
File size:	4'210'216 bytes
MD5 hash:	BF154738460E4AB1D388970E1AB13FAB
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	15:44:58
Start date:	03/09/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2444 --field-trial-handle=2244,i,13084584308620272339,12385267225017742810,262144 --disable-features=TranslateUI /prefetch:3
Imagebase:	0x7ff715da0000
File size:	4'210'216 bytes
MD5 hash:	BF154738460E4AB1D388970E1AB13FAB
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	15:45:02
Start date:	03/09/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=5584 --field-trial-handle=2244,i,13084584308620272339,12385267225017742810,262144 --disable-features=TranslateUI /prefetch:8
Imagebase:	0x7ff715da0000
File size:	4'210'216 bytes
MD5 hash:	BF154738460E4AB1D388970E1AB13FAB
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	15:45:02
Start date:	03/09/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=6264 --field-trial-handle=2244,i,13084584308620272339,12385267225017742810,262144 --disable-features=TranslateUI /prefetch:8
Imagebase:	0x7ff715da0000
File size:	4'210'216 bytes
MD5 hash:	BF154738460E4AB1D388970E1AB13FAB
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	15:45:02
Start date:	03/09/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\identity_helper.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=4708 --field-trial-handle=2244,i,13084584308620272339,12385267225017742810,262144 --disable-features=TranslateUI /prefetch:8
Imagebase:	0x7ff6f2da0000
File size:	1'255'976 bytes
MD5 hash:	F8CEC3E43A6305AC9BA3700131594306
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	15:45:02
Start date:	03/09/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\identity_helper.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.55\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=4708 --field-trial-handle=2244,i,13084584308620272339,12385267225017742810,262144 --disable-features=TranslateUI /prefetch:8
Imagebase:	0x7ff6f2da0000
File size:	1'255'976 bytes
MD5 hash:	F8CEC3E43A6305AC9BA3700131594306
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	15:45:12
Start date:	03/09/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start /prefetch:5
Imagebase:	0x7ff715da0000
File size:	4'210'216 bytes
MD5 hash:	BF154738460E4AB1D388970E1AB13FAB
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	15:45:13
Start date:	03/09/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2892 --field-trial-handle=2268,i,12884952612469409044,15485051548793608583,262144 /prefetch:3
Imagebase:	0x7ff715da0000
File size:	4'210'216 bytes
MD5 hash:	BF154738460E4AB1D388970E1AB13FAB
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	15:45:14
Start date:	03/09/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=4320 --field-trial-handle=2268,i,12884952612469409044,15485051548793608583,262144 /prefetch:8
Imagebase:	0x7ff715da0000
File size:	4'210'216 bytes
MD5 hash:	BF154738460E4AB1D388970E1AB13FAB
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	15:45:21
Start date:	03/09/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start /prefetch:5
Imagebase:	0x7ff715da0000
File size:	4'210'216 bytes
MD5 hash:	BF154738460E4AB1D388970E1AB13FAB
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	15:45:21
Start date:	03/09/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=3104 --field-trial-handle=2592,i,12348527883109594420,1140331440356557210,262144 /prefetch:3
Imagebase:	0x7ff715da0000
File size:	4'210'216 bytes
MD5 hash:	BF154738460E4AB1D388970E1AB13FAB
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	1.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	5%
Total number of Nodes:	1383
Total number of Limit Nodes:	45

Executed Functions

Function 006C42DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 006C430D

Part of subcall function 006C6B57: _wcslen.LIBCMT ref: 006C6B6A

GetCurrentProcess.KERNEL32(?,0075CB64,00000000,?,?), ref: 006C4422
IsWow64Process.KERNEL32(00000000,?,?), ref: 006C4429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 006C4454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 006C4466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 006C4474
FreeLibrary.KERNEL32(00000000,?,?), ref: 006C447B
GetSystemInfo.KERNEL32(?,?,?), ref: 006C44A0

Strings

kernel32.dll, xrefs: 006C444F
|O, xrefs: 007036F8
GetNativeSystemInfo, xrefs: 006C4460

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 30b74a0290120210353925b2f932c93c3df2cf77a6fa66d31c483d7240a0c085
Instruction ID: a9a8cd5a7ce82a5437a2a74a02e437db84dfddc3ce94df8be3eb07dc3fe56268
Opcode Fuzzy Hash: 30b74a0290120210353925b2f932c93c3df2cf77a6fa66d31c483d7240a0c085
Instruction Fuzzy Hash: 18A1046590A3C2DFC716C7797C806E43FF9AB22300B98C99FD44193A62D62C452BCB2D

Function 006C42A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,006C50AA,?,?,00000000,00000000), ref: 006C42B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,006C50AA,?,?,00000000,00000000), ref: 006C42C9
LoadResource.KERNEL32(?,00000000,?,?,006C50AA,?,?,00000000,00000000,?,?,?,?,?,?,006C4F20), ref: 007035BE
SizeofResource.KERNEL32(?,00000000,?,?,006C50AA,?,?,00000000,00000000,?,?,?,?,?,?,006C4F20), ref: 007035D3
LockResource.KERNEL32(006C50AA,?,?,006C50AA,?,?,00000000,00000000,?,?,?,?,?,?,006C4F20,?), ref: 007035E6

Strings

SCRIPT, xrefs: 006C42BF

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 171b728836e7144ddee6ed17e99d0ab772dbd2d1b1b84eb22033f13eb8ea8799
Instruction ID: 7d0ae5c5b71b4dbe094147a26ee833d7e017c7d081fe3c347e493125c75c2de5
Opcode Fuzzy Hash: 171b728836e7144ddee6ed17e99d0ab772dbd2d1b1b84eb22033f13eb8ea8799
Instruction Fuzzy Hash: C1117C70200704BFD7228B65DC49FA77BBAEFC5B52F20816DF806962A0DBB5DD00D620

Function 00702BA5 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 006C2B6B

Part of subcall function 006C3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,H,?,006C2E7F,?,?,?,00000000), ref: 006C3A78

Part of subcall function 006C9CB3: _wcslen.LIBCMT ref: 006C9CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,00782224), ref: 00702C10
ShellExecuteW.SHELL32(00000000,?,?,00782224), ref: 00702C17

Strings

H, xrefs: 00702BD9
runas, xrefs: 00702C0B

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: H$runas
API String ID: 448630720-2048298539
Opcode ID: 389334d38b292fedc94e999167f0b8e1f7988ba803ea2274236aecba4e3e6738
Instruction ID: 1a747b6bc2aee2420ceb966a9ed74aa77a8c9fb0bea6b181708a15a4d34c0407
Opcode Fuzzy Hash: 389334d38b292fedc94e999167f0b8e1f7988ba803ea2274236aecba4e3e6738
Instruction Fuzzy Hash: AC1129712083825ACB85FF60E855FBEBBA6DF94310F44842DF446431B3CF28890AC71A

Function 0072DBBE Relevance: 6.0, APIs: 4, Instructions: 29filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00705222), ref: 0072DBCE
GetFileAttributesW.KERNELBASE(?), ref: 0072DBDD
FindFirstFileW.KERNEL32(?,?), ref: 0072DBEE
FindClose.KERNEL32(00000000), ref: 0072DBFA

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: 644299b6ecb85dd045469698cdab35c1a1067894cded75e3c44043e412c2876c
Instruction ID: 5535610780dbd0225c22d82becd95b1036ffc9713fcd587019f858714e2a8f3c
Opcode Fuzzy Hash: 644299b6ecb85dd045469698cdab35c1a1067894cded75e3c44043e412c2876c
Instruction Fuzzy Hash: 63F0A030810B245F92316B78AC0D9AA376CEE01336F108702F836D20E0EBF85D94C6AA

Function 0074AFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 0074B198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0074B1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0074B1D4
_wcslen.LIBCMT ref: 0074B200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0074B214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0074B236
_wcslen.LIBCMT ref: 0074B332

Part of subcall function 007305A7: GetStdHandle.KERNEL32(000000F6), ref: 007305C6

_wcslen.LIBCMT ref: 0074B34B
_wcslen.LIBCMT ref: 0074B366
CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0074B3B6
GetLastError.KERNEL32(00000000), ref: 0074B407
CloseHandle.KERNEL32(?), ref: 0074B439
CloseHandle.KERNEL32(00000000), ref: 0074B44A
CloseHandle.KERNEL32(00000000), ref: 0074B45C
CloseHandle.KERNEL32(00000000), ref: 0074B46E
CloseHandle.KERNEL32(?), ref: 0074B4E3

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: 11865fa8eb34dc85c4a702ad0284c33ded901a8afeb9ea043b310d3e3f11d8e4
Instruction ID: a4dd78860c5d1b8198947dafcdfe3cbb445c8d4090a9a01617a885751d1062c5
Opcode Fuzzy Hash: 11865fa8eb34dc85c4a702ad0284c33ded901a8afeb9ea043b310d3e3f11d8e4
Instruction Fuzzy Hash: AAF1AA316083409FC714EF24C895B6EBBE6EF85310F14895DF8999B2A2CB75EC04CB96

Function 006CD730 Relevance: 21.6, APIs: 14, Instructions: 625sleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 006CD807
timeGetTime.WINMM ref: 006CDA07
Sleep.KERNELBASE(0000000A), ref: 006CDBB1

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: InputSleepStateTimetime
String ID:
API String ID: 4149333218-0
Opcode ID: 3ff23e8b856f3ade5ea30f116876bf8cf43960689bf5a164b08a8057069ed4f2
Instruction ID: b67989a2b93eb88ff4e151ca3eff16eb55d05ba40fb5471716867719d4330745
Opcode Fuzzy Hash: 3ff23e8b856f3ade5ea30f116876bf8cf43960689bf5a164b08a8057069ed4f2
Instruction Fuzzy Hash: 8642E070608341EFD728DF28C844FBAB7A2FF45300F14856EE55587292D778E896CB96

Function 006C2CD4 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 006C2D07
RegisterClassExW.USER32(00000030), ref: 006C2D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 006C2D42
InitCommonControlsEx.COMCTL32(?), ref: 006C2D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 006C2D6F
LoadIconW.USER32(000000A9), ref: 006C2D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 006C2D94

Strings

@K, xrefs: 006C2D80, 006C2D8E
+, xrefs: 006C2CF0
TaskbarCreated, xrefs: 006C2D37
AutoIt v3 GUI, xrefs: 006C2D23
0, xrefs: 006C2CE9

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$@K$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-2080319267
Opcode ID: 469bbc67c4cf4025d3d9c85c9ec9c0c735c6765ee57e4ee1ee7b95ba3033e025
Instruction ID: 29da7571db28482ff09ebd3244338412e123c3461650273465216683ea508176
Opcode Fuzzy Hash: 469bbc67c4cf4025d3d9c85c9ec9c0c735c6765ee57e4ee1ee7b95ba3033e025
Instruction Fuzzy Hash: 4421E0B1D01349AFDB01DFA4EC89BDDBBB4FB08712F00811AF911A62A0D7B91555CFA8

Function 006C344D Relevance: 19.5, APIs: 6, Strings: 5, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 006C3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,H,?,006C2E7F,?,?,?,00000000), ref: 006C3A78

Part of subcall function 006C3357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 006C3379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 006C356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0070318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 007031CE
RegCloseKey.ADVAPI32(?), ref: 00703210
_wcslen.LIBCMT ref: 00703277
_wcslen.LIBCMT ref: 00703286

Strings

(X, xrefs: 006C349D
\Include\, xrefs: 006C3527
\, xrefs: 0070328C
Software\AutoIt v3\AutoIt, xrefs: 006C3560
Include, xrefs: 00703184, 007031C5

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: (X$Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-3274645429
Opcode ID: b08d111e1e806ac868979109f389af3ec40021af64dd418c3332ce1cbd8d6c38
Instruction ID: 16c9e305b8169d00e8696eec1086ee58a3cd444a825c307302964cf802d65788
Opcode Fuzzy Hash: b08d111e1e806ac868979109f389af3ec40021af64dd418c3332ce1cbd8d6c38
Instruction Fuzzy Hash: 8271A471405300AEC344EF65DC86DABBBE9FF85340F40852EF545C32A1DB789A4ACBA9

Function 0070065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0070039A: CreateFileW.KERNELBASE(00000000,00000000,?,00700704,?,?,00000000,?,00700704,00000000,0000000C), ref: 007003B7

GetLastError.KERNEL32 ref: 0070076F
__dosmaperr.LIBCMT ref: 00700776
GetFileType.KERNELBASE(00000000), ref: 00700782
GetLastError.KERNEL32 ref: 0070078C
__dosmaperr.LIBCMT ref: 00700795
CloseHandle.KERNEL32(00000000), ref: 007007B5
CloseHandle.KERNEL32(?), ref: 007008FF
GetLastError.KERNEL32 ref: 00700931
__dosmaperr.LIBCMT ref: 00700938

Strings

H, xrefs: 007008BD

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: edc85344ac02081f830d7f981b5606afd11d9ab71d2ba957112001329877384f
Instruction ID: 5b71e1f8f9fbaf80745788e29bc2bdb3de5821fb39650ba04642f249664acbf5
Opcode Fuzzy Hash: edc85344ac02081f830d7f981b5606afd11d9ab71d2ba957112001329877384f
Instruction Fuzzy Hash: 47A13332A10248CFDF19EF68D855BAE3BE1AB06320F14425EF8159B2D1D7399D12CBD6

Function 006C2B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 006C2B8E
LoadCursorW.USER32(00000000,00007F00), ref: 006C2B9D
LoadIconW.USER32(00000063), ref: 006C2BB3
LoadIconW.USER32(000000A4), ref: 006C2BC5
LoadIconW.USER32(000000A2), ref: 006C2BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 006C2BEF
RegisterClassExW.USER32(?), ref: 006C2C40

Part of subcall function 006C2CD4: GetSysColorBrush.USER32(0000000F), ref: 006C2D07
Part of subcall function 006C2CD4: RegisterClassExW.USER32(00000030), ref: 006C2D31
Part of subcall function 006C2CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 006C2D42
Part of subcall function 006C2CD4: InitCommonControlsEx.COMCTL32(?), ref: 006C2D5F
Part of subcall function 006C2CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 006C2D6F
Part of subcall function 006C2CD4: LoadIconW.USER32(000000A9), ref: 006C2D85
Part of subcall function 006C2CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 006C2D94

Strings

AutoIt v3, xrefs: 006C2C2F
#, xrefs: 006C2C16
0, xrefs: 006C2C0F

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: ec18a55fa2b380e3f361ae86dcf5afd61e44b0872f1993b5fd055afaa0409513
Instruction ID: de4b7d8932e5ba332cd564b0a9ba4ad586e5ecb6ec2ff9dc44d0e025486bbe9b
Opcode Fuzzy Hash: ec18a55fa2b380e3f361ae86dcf5afd61e44b0872f1993b5fd055afaa0409513
Instruction Fuzzy Hash: C0214970E00319AFDB119FA5EC55BAD7FB4FB08B50F44C12BE504A66A0D7B90561CF98

Function 006CB710 Relevance: 16.3, APIs: 1, Strings: 8, Instructions: 587COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 006CBB4E

Strings

x#y, xrefs: 00710207
x#y, xrefs: 00710168
p%y, xrefs: 006CBB32
p#y, xrefs: 0071024F
p#y, xrefs: 006CBB6B
p#y, xrefs: 00710263
p#y, xrefs: 006CBA72
p%y, xrefs: 006CB8DC

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: p#y$p#y$p#y$p#y$p%y$p%y$x#y$x#y
API String ID: 1385522511-2921100589
Opcode ID: 8feb086870dcb692d18b396734bf421be1c2449d67a7745cfda98ea5f4b6b457
Instruction ID: c246344207214cb8ce2a07a1d446848b809ab50d6d0bdfb818f6dfcb40f1609a
Opcode Fuzzy Hash: 8feb086870dcb692d18b396734bf421be1c2449d67a7745cfda98ea5f4b6b457
Instruction Fuzzy Hash: 0B328D34A00209AFDB14DF58C895FBE77BAEF45310F15805EE915AB391C7B8AD82CB91

Function 006C3170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,006C316A,?,?), ref: 006C31D8
KillTimer.USER32(?,00000001,?,?,?,?,?,006C316A,?,?), ref: 006C3204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 006C3227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,006C316A,?,?), ref: 006C3232
CreatePopupMenu.USER32 ref: 006C3246
PostQuitMessage.USER32(00000000), ref: 006C3267

Strings

TaskbarCreated, xrefs: 006C322D

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 3e851ed67f1f32dea26be9cc767144be52e855f51e97f09d1534d8ada96554d3
Instruction ID: 8889b0c0fe4371a5d4ca4a296c8b7fe90b46b1c6489df5e474d449e1005141b0
Opcode Fuzzy Hash: 3e851ed67f1f32dea26be9cc767144be52e855f51e97f09d1534d8ada96554d3
Instruction Fuzzy Hash: 57411831240325AEDF151B389D0DFF93A6AE705340F48C12EF50185BA2C76DDF129BA9

Function 006C2C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 006C2C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 006C2CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,006C1CAD,?), ref: 006C2CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,006C1CAD,?), ref: 006C2CCF

Strings

AutoIt v3, xrefs: 006C2C89, 006C2C8E, 006C2C8F
edit, xrefs: 006C2CAC

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: cf50ba6c2a59cffb189bd4f080d94d862e3b4c41f73b6d053bb7ee7bee210771
Instruction ID: c480e97cec7bfc8cacb901260d92740d7f61c41b06731a4d3f3a3ffe4f118150
Opcode Fuzzy Hash: cf50ba6c2a59cffb189bd4f080d94d862e3b4c41f73b6d053bb7ee7bee210771
Instruction Fuzzy Hash: C8F0DA755403917EEB311727AC08FB72EBDD7CAF51B40805AF904A29A0C6B91866DAB8

Function 006C10F3 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 153
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 006C1BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 006C1BF4
Part of subcall function 006C1BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 006C1BFC
Part of subcall function 006C1BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 006C1C07
Part of subcall function 006C1BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 006C1C12
Part of subcall function 006C1BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 006C1C1A
Part of subcall function 006C1BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 006C1C22

Part of subcall function 006C1B4A: RegisterWindowMessageW.USER32(00000004,?,006C12C4), ref: 006C1BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 006C136A
OleInitialize.OLE32 ref: 006C1388
CloseHandle.KERNEL32(00000000,00000000), ref: 007024AB

Strings

h=, xrefs: 006C116A
8u, xrefs: 006C1115

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID: 8u$h=
API String ID: 1986988660-28852275
Opcode ID: 74835c98670835fb6a9e9be42300f1ec6556c6dd21d818f18cc59ac6db22a2a9
Instruction ID: 25e777e4e00d2a3335ae6ab8373d8b149cac91b31e153493d9c01b11e2de9ff0
Opcode Fuzzy Hash: 74835c98670835fb6a9e9be42300f1ec6556c6dd21d818f18cc59ac6db22a2a9
Instruction Fuzzy Hash: 8371CAB48113428FC785DF69A945AA43AE1FB893943C6C22F941ACB361EB384472CF4C

Function 0072E97B Relevance: 7.5, APIs: 5, Instructions: 47
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 0072E997
QueryPerformanceFrequency.KERNEL32(?), ref: 0072E9A5
Sleep.KERNEL32(00000000), ref: 0072E9AD
QueryPerformanceCounter.KERNEL32(?), ref: 0072E9B7
Sleep.KERNELBASE ref: 0072E9F3

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 3a5a953c8f3a7697ea8c92922d2e8829929a6e75793109e278c0d8738792cfd3
Instruction ID: f3434813a0d681437b6127fa497c50e139ec8b931fd0770881b7ade0af64d15d
Opcode Fuzzy Hash: 3a5a953c8f3a7697ea8c92922d2e8829929a6e75793109e278c0d8738792cfd3
Instruction Fuzzy Hash: 14015B71C0163DDBCF00ABE4E8596DDBB78BB08701F004546E542B2241DB78A594C7A6

Function 006C3923 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 94
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 007033A2

Part of subcall function 006C6B57: _wcslen.LIBCMT ref: 006C6B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 006C3A04

Strings

, xrefs: 006C3986, 007033C9
Line: , xrefs: 007033EB

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line: $
API String ID: 2289894680-1764292345
Opcode ID: 8c88b86dc057605c3a35b65f353bc51a5359ae1f184bcca38cb9e3720f5a75f3
Instruction ID: b552a86b9402421fdecf315a802873782b6f1a4c237ccdc9a450dec7a73c6820
Opcode Fuzzy Hash: 8c88b86dc057605c3a35b65f353bc51a5359ae1f184bcca38cb9e3720f5a75f3
Instruction Fuzzy Hash: BF31F871408351AED761EB20DC45FFBB7E9EB40310F008A1EF59983291EB749655C7CA

Function 006C3B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,006C3B0F,SwapMouseButtons,00000004,?), ref: 006C3B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,006C3B0F,SwapMouseButtons,00000004,?), ref: 006C3B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,006C3B0F,SwapMouseButtons,00000004,?), ref: 006C3B83

Strings

Control Panel\Mouse, xrefs: 006C3B3E

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 3204bf287a92c18c3b38fbc1ddc7f08d72237fb6d4ea7b07406a05110742f360
Instruction ID: 3ff73724fa8896ef4618922b28102b87499305f7d3a0a78b5b4d18ee04fec493
Opcode Fuzzy Hash: 3204bf287a92c18c3b38fbc1ddc7f08d72237fb6d4ea7b07406a05110742f360
Instruction Fuzzy Hash: 11112AB5510218FFDB218FA5DC44EFFB7B9EF24755B10845AB805D7210E2719E409BA4

Function 006C2DE3 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00702C8C

Part of subcall function 006C3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,006C3A97,?,?,006C2E7F,?,?,?,00000000), ref: 006C3AC2

Part of subcall function 006C2DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 006C2DC4

Strings

`ex, xrefs: 00702C85
X, xrefs: 00702C5A

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X$`ex
API String ID: 779396738-4019381938
Opcode ID: d949a1e789da6cf9291ce47bf816a55c94322b70fe81dc285711ac8861236cfd
Instruction ID: 93e3b256e518cf8d3d6564a860872c5f50a3ea8bed98671d93921bab70a31854
Opcode Fuzzy Hash: d949a1e789da6cf9291ce47bf816a55c94322b70fe81dc285711ac8861236cfd
Instruction Fuzzy Hash: FE21A871A002989FDB41EF94C859BEE7BFDEF48314F00805DE505B7281DBB85A498F65

Function 006DFDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 006E0668

Part of subcall function 006E32A4: RaiseException.KERNEL32(?,?,?,006E068A,?,00791444,?,?,?,?,?,?,006E068A,006C1129,00788738,006C1129), ref: 006E3304

__CxxThrowException@8.LIBVCRUNTIME ref: 006E0685

Strings

Unknown exception, xrefs: 006E0692

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 474279b57d00bb5a6430fbd807997ddd0ff2e30cf0aec37f445dcfacb4b23e4a
Instruction ID: b8c8048210f732737b56d381b25cc17004f75051d24ef441ef37459df4aa261a
Opcode Fuzzy Hash: 474279b57d00bb5a6430fbd807997ddd0ff2e30cf0aec37f445dcfacb4b23e4a
Instruction Fuzzy Hash: DBF02234D0138C77CB40B7A6D84AD9E777F5E00300BA0403AB924D6692EFB1DBA6CA84

Function 0072C161 Relevance: 4.6, APIs: 3, Instructions: 74timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 006C3923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 006C3A04

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0072C259
KillTimer.USER32(?,00000001,?,?), ref: 0072C261
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0072C270

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: 6df1cb55df2b24c75e1d68dffcab7be71fafa9228b5d51c7f1d2a56a1fb84227
Instruction ID: d0c2a20a287cebcbf08fea3a7603ebea4b812aa2b23e2ba1a73cfeb64118fa45
Opcode Fuzzy Hash: 6df1cb55df2b24c75e1d68dffcab7be71fafa9228b5d51c7f1d2a56a1fb84227
Instruction Fuzzy Hash: C831C370904364AFEB63CF649855BEBBBECAF16308F00449ED2DA93241C7785A85CB55

Function 006F86AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(00000000,00000000,?,?,006F85CC,?,00788CC8,0000000C), ref: 006F8704
GetLastError.KERNEL32(?,006F85CC,?,00788CC8,0000000C), ref: 006F870E
__dosmaperr.LIBCMT ref: 006F8739

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: ChangeCloseErrorFindLastNotification__dosmaperr
String ID:
API String ID: 490808831-0
Opcode ID: 1a0f465cdaae48069d52170b1747d26d3e1cf2da7a1bf165565ba7f5c7030f2f
Instruction ID: 0908fa942d8c65a967ba274221e1e30e2b8a417c48824d20032f032fe3d36519
Opcode Fuzzy Hash: 1a0f465cdaae48069d52170b1747d26d3e1cf2da7a1bf165565ba7f5c7030f2f
Instruction Fuzzy Hash: 03016B33605A6C1EC660633868497BE278B4B82779F39019DFB05CB2D3EEA48C818198

Function 006CDB38 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 006CDB7B
DispatchMessageW.USER32(?), ref: 006CDB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 006CDB9F
Sleep.KERNELBASE(0000000A), ref: 006CDBB1
TranslateAcceleratorW.USER32(?,?,?), ref: 00711CC9

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: 684bbad10ed3a08912e1d47132f9f830b32d50cf63900d4162c319225dfd3c69
Instruction ID: af173e0686d3153f696d7bf958a3cdac44a5aa9511bd78d548308086c760d9c5
Opcode Fuzzy Hash: 684bbad10ed3a08912e1d47132f9f830b32d50cf63900d4162c319225dfd3c69
Instruction Fuzzy Hash: EDF089305443419BE730CB60DC45FEA73ADEF44311F508929E619C70C0DB789485DB29

Function 006D1310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 006D17F6

Strings

CALL, xrefs: 006D17C6

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: e268058e79d0f0119ecc521c988db95917319b8cb34cf3a6593d42210ae13de3
Instruction ID: 5560f4c0d0a2733ac20689f2b58f80a9a8b472cbf1f111f1b48bbadd4b3741cc
Opcode Fuzzy Hash: e268058e79d0f0119ecc521c988db95917319b8cb34cf3a6593d42210ae13de3
Instruction Fuzzy Hash: C522AEB0A08341EFC714DF18C480A6ABBF2BF86314F14855EF4968B3A1D7B5E955CB52

Function 006C4ECB Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 006C4E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,006C4EDD,?,H,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 006C4E9C
Part of subcall function 006C4E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 006C4EAE
Part of subcall function 006C4E90: FreeLibrary.KERNEL32(00000000,?,?,006C4EDD,?,H,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 006C4EC0

LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,H,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 006C4EFD

Part of subcall function 006C4E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00703CDE,?,H,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 006C4E62
Part of subcall function 006C4E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 006C4E74
Part of subcall function 006C4E59: FreeLibrary.KERNEL32(00000000,?,?,00703CDE,?,H,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 006C4E87

Strings

H, xrefs: 006C4ED1

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID: H
API String ID: 2632591731-69643886
Opcode ID: fa6b1c70ad0c4e6a7f6668a1ac83d15c6fb48bbfcad8f3f330657200089b923b
Instruction ID: 8745e8618b002ce770d67a9ff1eba3c013342c29135dfae9f25746951dddf3cd
Opcode Fuzzy Hash: fa6b1c70ad0c4e6a7f6668a1ac83d15c6fb48bbfcad8f3f330657200089b923b
Instruction Fuzzy Hash: CB112332600305AADB10EB60DC22FFD77A6EF94710F10842EF452A71C2EEB5AA459758

Function 006C3837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 006C3908

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 437258c643c19657e8e0d6248615436fa4c9497b90950a32cf79c86783999d52
Instruction ID: d310366dda577868b9d6f715792ef69013d312caaa7bbb25ad335815bce409de
Opcode Fuzzy Hash: 437258c643c19657e8e0d6248615436fa4c9497b90950a32cf79c86783999d52
Instruction Fuzzy Hash: 8F319C706057118FD361DF24D885BA7BBF8FB49308F00492EF59983380E7B5AA44CB96

Function 006DF645 Relevance: 3.0, APIs: 2, Instructions: 29sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 006DF661

Part of subcall function 006CD730: GetInputState.USER32 ref: 006CD807

Sleep.KERNEL32(00000000), ref: 0071F2DE

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: InputSleepStateTimetime
String ID:
API String ID: 4149333218-0
Opcode ID: 1ac65d556b3f02cd3f017add06bfa3697275980eff7db356427aba2728ccbcd5
Instruction ID: 4c46f9689b9ad9cb64e427c841bc552c7a0ec7c79c54360ba9fb3841a115def4
Opcode Fuzzy Hash: 1ac65d556b3f02cd3f017add06bfa3697275980eff7db356427aba2728ccbcd5
Instruction Fuzzy Hash: B5F08C712407059FD350EF69D44AFAAB7E9FF59761F00402EE85AC73A0DBB0A800CB98

Function 00752598 Relevance: 1.6, APIs: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(?,000000FE,00000000,00000000,00000000,00000000,00000013,00000001,?), ref: 00752649

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: 2844b1fe19653889996684e70601a04cf95cc55295e7a06a80fd28b80dc7d5df
Instruction ID: 84b2ff27efbda707f2f44e4b311202b40385375cf04c10c4cfe9e9ecf361ca00
Opcode Fuzzy Hash: 2844b1fe19653889996684e70601a04cf95cc55295e7a06a80fd28b80dc7d5df
Instruction Fuzzy Hash: 3A210474200215AFD750DF14C8D0EB6B799EF46369B5080ACEC668B393CBB5ED46CB90

Function 007513B7 Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000001,?), ref: 00751420

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: c45deade439737f5815d3695fe99cbb341fc3ca9d27053f6dc1339768fadbea2
Instruction ID: 722104358fa1605b9a9324193fdd2055015f8c89caa7956d5aa12afebe31bdd7
Opcode Fuzzy Hash: c45deade439737f5815d3695fe99cbb341fc3ca9d27053f6dc1339768fadbea2
Instruction Fuzzy Hash: B031D030604242AFD714EF25C495BA9B7A2FF85326F44816CE81A4F282DBB8FC45CBC0

Function 006F8402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 006F8440

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 215bb2b72df2e978f5f9f42806448e9f4f07fa4adba1cdd16052365d1fcd9fbe
Instruction ID: 092f4c6b6a520d4c9a1fef83c4c321fb7f39c274bd48607371817db41b871dff
Opcode Fuzzy Hash: 215bb2b72df2e978f5f9f42806448e9f4f07fa4adba1cdd16052365d1fcd9fbe
Instruction Fuzzy Hash: 1411487190410AAFCB05DF58E9419EE7BF5EF48310F104099F908AB312DB30EA11CBA4

Function 007529BF Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,?,?,?,007514B5,?), ref: 00752A01

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: 078ecf1bd6e5130eaf5fbd973727c7361c02b026be95abec8b5edf935a745780
Instruction ID: b0c4dcfbdeda1929f3643d1b18b5cf6ba98abe9733b1e62493c87bc30c49ec95
Opcode Fuzzy Hash: 078ecf1bd6e5130eaf5fbd973727c7361c02b026be95abec8b5edf935a745780
Instruction Fuzzy Hash: D201B5367046419FE325CA2CC454BA23792EBC6316F29C468C8479B252DBBAFC47C790

Function 006EE602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: 1e9e79b8bf44371711e811898ad7473e18188b14380faffd662fb8b1ccbc5bab
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: 6AF0F932512B549BC6313B679C05BA6339B9F52375F10071DF620932D2DF75D4028AAD

Function 0075149E Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?), ref: 007514EB

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: bc020798d80979d797d94faba6085fbd563b42090f6eba06111a415e5a07da63
Instruction ID: f51d85cb5f3a52a0ecc03ed0192a0f2945a3fa686176f8e580880b710ff82746
Opcode Fuzzy Hash: bc020798d80979d797d94faba6085fbd563b42090f6eba06111a415e5a07da63
Instruction Fuzzy Hash: 1301D4353047819FD320CF69C440A66BB95FF85326794C05DEC4A8B702D7B6DD86C780

Function 006F3820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00791444,?,006DFDF5,?,?,006CA976,00000010,00791440,006C13FC,?,006C13C6,?,006C1129), ref: 006F3852

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 387f6b5265c29455d96b3d316f969a99fdb82b7a70e494ee0075c57c972b07ac
Instruction ID: 4574db731cd619f261472d1c8d2f9b0ff74f9aa9b64d95565b5afac0cbb3fbed
Opcode Fuzzy Hash: 387f6b5265c29455d96b3d316f969a99fdb82b7a70e494ee0075c57c972b07ac
Instruction Fuzzy Hash: 34E0E53110137CAAD661267B9D01BFA375BAF427F0F050025BE2592780DF19DE0282E4

Function 006C4F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,H,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 006C4F6D

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: b38bffd205655b95b0add2ec4faa89695341fde4d115cff7ae8ad28f065b0372
Instruction ID: 3f54a6147dff7cc0763c2b1d21405e2548bc5bf7af15f96196c4fca710ff16cf
Opcode Fuzzy Hash: b38bffd205655b95b0add2ec4faa89695341fde4d115cff7ae8ad28f065b0372
Instruction Fuzzy Hash: 9FF03971105752CFDB34DF64D4A0EA2BBE6EF54329320C97EE1EA82621CB329844DF10

Function 00752A55 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00752A66

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: 7cee3d808a18adcb2bd1f4d9370c1f92e078583f00e880aa647a87bcdaaaa3b2
Instruction ID: 011bf5489d00672af02cacfee6d7e95130ecd03febf73bb572b4a44b7c429298
Opcode Fuzzy Hash: 7cee3d808a18adcb2bd1f4d9370c1f92e078583f00e880aa647a87bcdaaaa3b2
Instruction Fuzzy Hash: B2E0DF32340226AAC750EA30EC848FA734CEB11396B108536EC1AC2101DB7C9A9A86A0

Function 006C2DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 006C2DC4

Part of subcall function 006C6B57: _wcslen.LIBCMT ref: 006C6B6A

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 90cc822e030f4081646088b1f1ce17ed63cbe6b28dfb098adba5eb8e5eebc747
Instruction ID: 3d8a9e5588bebf5909c51a382bbc871d74ee23e0d78ff1b2a7cba14a41406b74
Opcode Fuzzy Hash: 90cc822e030f4081646088b1f1ce17ed63cbe6b28dfb098adba5eb8e5eebc747
Instruction Fuzzy Hash: 18E0CD726002245BC711D258DC05FEA77DDDFC8790F044175FD09E7248D964AD808554

Function 006C2B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 006C3837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 006C3908

Part of subcall function 006CD730: GetInputState.USER32 ref: 006CD807

SetCurrentDirectoryW.KERNEL32(?), ref: 006C2B6B

Part of subcall function 006C30F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 006C314E

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: 7d41e9aebca442581038a9d2c8ee30843d3b2cd6cbb6f20d43597c72762b0a80
Instruction ID: cea36a99b3c190443c89e5927019a3f6e40e924a7c04ddfa5b7617c2895b690f
Opcode Fuzzy Hash: 7d41e9aebca442581038a9d2c8ee30843d3b2cd6cbb6f20d43597c72762b0a80
Instruction Fuzzy Hash: 77E0262230035506CB48BB30A816FBDB35BCBD5351F40843EF04283272CE288957426E

Function 00723D03 Relevance: 1.5, APIs: 1, Instructions: 18windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00723D18

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: MessageSendTimeout
String ID:
API String ID: 1599653421-0
Opcode ID: 176c9c0f3d37125ddcbd70ff7f49bcdedee83e302867e47a5a1763ed4ce25fca
Instruction ID: 1a8cc142e239cf1b749f1cc6de8795d2628d380fddd2ec9eea4f9f728dc4669f
Opcode Fuzzy Hash: 176c9c0f3d37125ddcbd70ff7f49bcdedee83e302867e47a5a1763ed4ce25fca
Instruction Fuzzy Hash: DCD012E06A03087EFB0083718C0BEBB329CC316A82F008BA47A02D64C1D9A4DE080130

Function 0070039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00700704,?,?,00000000,?,00700704,00000000,0000000C), ref: 007003B7

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: d5edfbb7d07d85de61100e86eb23d535316a86893b4e00d6916055e0c5355c23
Instruction ID: 78354ec68e066b45a57d815b2e1dc6242e43dfab428df7409a4c9ae96fbc009a
Opcode Fuzzy Hash: d5edfbb7d07d85de61100e86eb23d535316a86893b4e00d6916055e0c5355c23
Instruction Fuzzy Hash: FAD06C3204020DBFDF028F84DD06EDA3BAAFB48714F018000BE1856020C776E821AB94

Function 006C1CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 006C1CBC

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: 0c88d100ff10ab9b097272ca9b81dc899b27240be47e6da5fc863297aef77d79
Instruction ID: 40662c71f369ff333a971df343cca03031f3b3e19626c78d1069047cad3281f8
Opcode Fuzzy Hash: 0c88d100ff10ab9b097272ca9b81dc899b27240be47e6da5fc863297aef77d79
Instruction Fuzzy Hash: D7C09B35280305AFF21557D0BC5AF507764A348B01F54C002F60D555E3D3F51832D658

Non-executed Functions

Function 00759576 Relevance: 74.1, APIs: 39, Strings: 3, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 006D9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 006D9BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0075961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0075965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0075969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 007596C9
SendMessageW.USER32 ref: 007596F2
GetKeyState.USER32(00000011), ref: 0075978B
GetKeyState.USER32(00000009), ref: 00759798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 007597AE
GetKeyState.USER32(00000010), ref: 007597B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 007597E9
SendMessageW.USER32 ref: 00759810
SendMessageW.USER32(?,00001030,?,00757E95), ref: 00759918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0075992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00759941
SetCapture.USER32(?), ref: 0075994A
ClientToScreen.USER32(?,?), ref: 007599AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 007599BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 007599D6
ReleaseCapture.USER32 ref: 007599E1
GetCursorPos.USER32(?), ref: 00759A19
ScreenToClient.USER32(?,?), ref: 00759A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 00759A80
SendMessageW.USER32 ref: 00759AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 00759AEB
SendMessageW.USER32 ref: 00759B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00759B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00759B4A
GetCursorPos.USER32(?), ref: 00759B68
ScreenToClient.USER32(?,?), ref: 00759B75
GetParent.USER32(?), ref: 00759B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 00759BFA
SendMessageW.USER32 ref: 00759C2B
ClientToScreen.USER32(?,?), ref: 00759C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00759CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 00759CDE
SendMessageW.USER32 ref: 00759D01
ClientToScreen.USER32(?,?), ref: 00759D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00759D82

Part of subcall function 006D9944: GetWindowLongW.USER32(?,000000EB), ref: 006D9952

GetWindowLongW.USER32(?,000000F0), ref: 00759E05

Strings

@GUI_DRAGID, xrefs: 0075997D
p#y, xrefs: 00759990
F, xrefs: 00759D07

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F$p#y
API String ID: 3429851547-3268430869
Opcode ID: e062dd2d18a10a765269d9b4b5e8b4597134d9f322db98bb197937be9b787a3a
Instruction ID: 0cdabc7adbdef9889947b16166c61576b4fe46bffa6c43fe895b1f48d0bada51
Opcode Fuzzy Hash: e062dd2d18a10a765269d9b4b5e8b4597134d9f322db98bb197937be9b787a3a
Instruction Fuzzy Hash: 5642AD30204341EFDB21CF24CD44BEABBE5EF48321F10495DFA59872A0D7B9A869DB95

Function 00754873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 007548F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00754908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00754927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 0075494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 0075495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 0075497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 007549AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 007549D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00754A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00754A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00754A7E
IsMenu.USER32(?), ref: 00754A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00754AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00754B20
GetWindowLongW.USER32(?,000000F0), ref: 00754B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00754BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00754C82
wsprintfW.USER32 ref: 00754CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00754CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 00754CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00754D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00754D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 00754D5A

Strings

%d/%02d/%02d, xrefs: 00754CA8

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: 880f95163e3bb8db4a1499f95735c690a4973ea6f2778a405c74c699d252f2a6
Instruction ID: 2bc904241beb6f5a43562a6946f976dce0de325194c17f307c49896436b39a09
Opcode Fuzzy Hash: 880f95163e3bb8db4a1499f95735c690a4973ea6f2778a405c74c699d252f2a6
Instruction Fuzzy Hash: 3B12FF71A00344ABEB258F28CC49FEE7BF8EF44315F144159F916DA2E1DBB89A85CB50

Function 006DF98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 006DF998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0071F474
IsIconic.USER32(00000000), ref: 0071F47D
ShowWindow.USER32(00000000,00000009), ref: 0071F48A
SetForegroundWindow.USER32(00000000), ref: 0071F494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0071F4AA
GetCurrentThreadId.KERNEL32 ref: 0071F4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0071F4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 0071F4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 0071F4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 0071F4DE
SetForegroundWindow.USER32(00000000), ref: 0071F4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 0071F4F6
keybd_event.USER32(00000012,00000000), ref: 0071F501
MapVirtualKeyW.USER32(00000012,00000000), ref: 0071F50B
keybd_event.USER32(00000012,00000000), ref: 0071F510
MapVirtualKeyW.USER32(00000012,00000000), ref: 0071F519
keybd_event.USER32(00000012,00000000), ref: 0071F51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 0071F528
keybd_event.USER32(00000012,00000000), ref: 0071F52D
SetForegroundWindow.USER32(00000000), ref: 0071F530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 0071F557

Strings

Shell_TrayWnd, xrefs: 0071F46F

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 84a8af94b3010f9b747aade00536b8d09778cc6c1d050bad7d2a2520125c5097
Instruction ID: a5f45597a8005e8ef1c9b5c3b4f6d756bc6911adb379176969b3afb7bf93cfa8
Opcode Fuzzy Hash: 84a8af94b3010f9b747aade00536b8d09778cc6c1d050bad7d2a2520125c5097
Instruction Fuzzy Hash: F631D471A40318BFEB216BB54C4AFFF3E6DEB44B11F204065FA00E61D1D6F45D50AA64

Function 00721201 Relevance: 40.5, APIs: 19, Strings: 4, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 007216C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0072170D
Part of subcall function 007216C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0072173A
Part of subcall function 007216C3: GetLastError.KERNEL32 ref: 0072174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00721286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 007212A8
CloseHandle.KERNEL32(?), ref: 007212B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 007212D1
GetProcessWindowStation.USER32 ref: 007212EA
SetProcessWindowStation.USER32(00000000), ref: 007212F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00721310

Part of subcall function 007210BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,007211FC), ref: 007210D4
Part of subcall function 007210BF: CloseHandle.KERNEL32(?,?,007211FC), ref: 007210E9

Strings

winsta0, xrefs: 007212CC
, xrefs: 0072125A
Zx, xrefs: 00721392
default, xrefs: 0072130B

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0$Zx
API String ID: 22674027-2903830162
Opcode ID: df211dc3218b0e8249e95f237ed1ba4e01ca9d22a2d920dffc50af4f85346a1b
Instruction ID: ff2d49bc95d482248838106e54899499e65bf7afec8165b32712a4da8a844e8b
Opcode Fuzzy Hash: df211dc3218b0e8249e95f237ed1ba4e01ca9d22a2d920dffc50af4f85346a1b
Instruction Fuzzy Hash: 0B81CF71900398AFDF21AFA4EC49FEE7BB9FF04700F148129F915A61A0C7798A45CB65

Function 00720B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 007210F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00721114
Part of subcall function 007210F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00720B9B,?,?,?), ref: 00721120
Part of subcall function 007210F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00720B9B,?,?,?), ref: 0072112F
Part of subcall function 007210F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00720B9B,?,?,?), ref: 00721136
Part of subcall function 007210F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0072114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00720BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00720C00
GetLengthSid.ADVAPI32(?), ref: 00720C17
GetAce.ADVAPI32(?,00000000,?), ref: 00720C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00720C6D
GetLengthSid.ADVAPI32(?), ref: 00720C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00720C8C
HeapAlloc.KERNEL32(00000000), ref: 00720C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00720CB4
CopySid.ADVAPI32(00000000), ref: 00720CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00720CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00720D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00720D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00720D45
HeapFree.KERNEL32(00000000), ref: 00720D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00720D55
HeapFree.KERNEL32(00000000), ref: 00720D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00720D65
HeapFree.KERNEL32(00000000), ref: 00720D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00720D78
HeapFree.KERNEL32(00000000), ref: 00720D7F

Part of subcall function 00721193: GetProcessHeap.KERNEL32(00000008,00720BB1,?,00000000,?,00720BB1,?), ref: 007211A1
Part of subcall function 00721193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00720BB1,?), ref: 007211A8
Part of subcall function 00721193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00720BB1,?), ref: 007211B7

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 7beea98e632300e1957a0297eaa6214a573365fbe04eea9eeb7f58ef1b973e24
Instruction ID: fa235d16f581f796e5310a68f4a42e0e16dc42706bfcf5d32791646244c242c1
Opcode Fuzzy Hash: 7beea98e632300e1957a0297eaa6214a573365fbe04eea9eeb7f58ef1b973e24
Instruction Fuzzy Hash: BA718CB1A0131AAFDF119FA4EC45BEEBBB8FF04311F048115E914A6192D7B9A905CFB0

Function 0073EAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(0075CC08), ref: 0073EB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 0073EB37
GetClipboardData.USER32(0000000D), ref: 0073EB43
CloseClipboard.USER32 ref: 0073EB4F
GlobalLock.KERNEL32(00000000), ref: 0073EB87
CloseClipboard.USER32 ref: 0073EB91
GlobalUnlock.KERNEL32(00000000,00000000), ref: 0073EBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 0073EBC9
GetClipboardData.USER32(00000001), ref: 0073EBD1
GlobalLock.KERNEL32(00000000), ref: 0073EBE2
GlobalUnlock.KERNEL32(00000000,?), ref: 0073EC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 0073EC38
GetClipboardData.USER32(0000000F), ref: 0073EC44
GlobalLock.KERNEL32(00000000), ref: 0073EC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 0073EC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0073EC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0073ECD2
GlobalUnlock.KERNEL32(00000000,?,?), ref: 0073ECF3
CountClipboardFormats.USER32 ref: 0073ED14
CloseClipboard.USER32 ref: 0073ED59

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 52a8439bdf3221818bb40964f65aadcae68cb23dd6a7e873efdba069248d70cd
Instruction ID: 56b8fe87087c5b9cdb989dc7e25e691a9d6369c7744a3ae9293e5d24057f700f
Opcode Fuzzy Hash: 52a8439bdf3221818bb40964f65aadcae68cb23dd6a7e873efdba069248d70cd
Instruction Fuzzy Hash: B361CE742043019FE302EF24D889FBAB7A5EF84704F14855DF456972E2CB79D905CBA6

Function 0073698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 007369BE
FindClose.KERNEL32(00000000), ref: 00736A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00736A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00736A75

Part of subcall function 006C9CB3: _wcslen.LIBCMT ref: 006C9CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00736AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00736ADF

Strings

%4d, xrefs: 00736BB1
%4d%02d%02d%02d%02d%02d%03d, xrefs: 00736B32
%02d, xrefs: 00736C00, 00736C0A, 00736C5A, 00736CAA, 00736CFA, 00736D4A
%03d, xrefs: 00736DA2
%4d%02d%02d%02d%02d%02d, xrefs: 00736B6A

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: f86af7a63505b5c9389554e8b184175aaf50ae616f64e51796468362b3870feb
Instruction ID: c62fe6d510edf8f3b3e50a3dde89f46dc89fa1e6fcabc90bf98cfe7da91d6b4c
Opcode Fuzzy Hash: f86af7a63505b5c9389554e8b184175aaf50ae616f64e51796468362b3870feb
Instruction Fuzzy Hash: 9BD15FB2508300AEC354EBA4C885EBBB7EDEF88704F04491EF595D7191EB78DA04CB66

Function 00739642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 00739663
GetFileAttributesW.KERNEL32(?), ref: 007396A1
SetFileAttributesW.KERNEL32(?,?), ref: 007396BB
FindNextFileW.KERNEL32(00000000,?), ref: 007396D3
FindClose.KERNEL32(00000000), ref: 007396DE
FindFirstFileW.KERNEL32(*.*,?), ref: 007396FA
SetCurrentDirectoryW.KERNEL32(?), ref: 0073974A
SetCurrentDirectoryW.KERNEL32(00786B7C), ref: 00739768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00739772
FindClose.KERNEL32(00000000), ref: 0073977F
FindClose.KERNEL32(00000000), ref: 0073978F

Strings

*.*, xrefs: 007396F5

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: 5efdd87cf3db3c21d5dcc095180522b88ee2635d780c2d6ef7125824103e91ce
Instruction ID: 90a0d933bc670c9722c09a2af5410dba08f26aa30eba2dec6f8618cd9326cf50
Opcode Fuzzy Hash: 5efdd87cf3db3c21d5dcc095180522b88ee2635d780c2d6ef7125824103e91ce
Instruction Fuzzy Hash: 1031C37254131AAFEF11AFB4DC49ADE77ACAF09321F108155FA05E20E1DBB8DE448A14

Function 0073979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 007397BE
FindNextFileW.KERNEL32(00000000,?), ref: 00739819
FindClose.KERNEL32(00000000), ref: 00739824
FindFirstFileW.KERNEL32(*.*,?), ref: 00739840
SetCurrentDirectoryW.KERNEL32(?), ref: 00739890
SetCurrentDirectoryW.KERNEL32(00786B7C), ref: 007398AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 007398B8
FindClose.KERNEL32(00000000), ref: 007398C5
FindClose.KERNEL32(00000000), ref: 007398D5

Part of subcall function 0072DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 0072DB00

Strings

*.*, xrefs: 0073983B

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: b1e61f4658880864ffb11053bdb50ff5f257a7dcdc57c504aff71fc51b67e480
Instruction ID: 7e34c3f82db4e00fa7ef5b25d99d1c0e16d10312ffea5b900f0a443947c1a536
Opcode Fuzzy Hash: b1e61f4658880864ffb11053bdb50ff5f257a7dcdc57c504aff71fc51b67e480
Instruction Fuzzy Hash: D831F47254031A7EEF10EFB4EC48ADE77ACAF46325F108155EA50A20A1DBB8DE45CF24

Function 0074BE44 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0074C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0074B6AE,?,?), ref: 0074C9B5
Part of subcall function 0074C998: _wcslen.LIBCMT ref: 0074C9F1
Part of subcall function 0074C998: _wcslen.LIBCMT ref: 0074CA68
Part of subcall function 0074C998: _wcslen.LIBCMT ref: 0074CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0074BF3E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 0074BFA9
RegCloseKey.ADVAPI32(00000000), ref: 0074BFCD
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0074C02C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 0074C0E7
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0074C154
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0074C1E9
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 0074C23A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0074C2E3
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0074C382
RegCloseKey.ADVAPI32(00000000), ref: 0074C38F

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: 3eb818d3d4a30991d77e9f1f5024f3651ea7cbd206f717b688ceb95a538f2498
Instruction ID: 5b6ec5f863c9465a36ffb44c6d33b4e1d9247afd58282a31ab4c74271da24aca
Opcode Fuzzy Hash: 3eb818d3d4a30991d77e9f1f5024f3651ea7cbd206f717b688ceb95a538f2498
Instruction Fuzzy Hash: FC026E71604200AFD755DF24C895E2ABBE5EF89318F18C49DF84ACB2A2DB35EC45CB52

Function 00738195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00738257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00738267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00738273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00738310
SetCurrentDirectoryW.KERNEL32(?), ref: 00738324
SetCurrentDirectoryW.KERNEL32(?), ref: 00738356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0073838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00738395

Strings

*.*, xrefs: 0073839B

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: b997d594d0400aebbe42e922770afe330c87d9a78b2c4fdeb61ff592327665f4
Instruction ID: 8ba84226baf583982e440d771adf48aaf3007b89174be87f1304ba5a53efcb65
Opcode Fuzzy Hash: b997d594d0400aebbe42e922770afe330c87d9a78b2c4fdeb61ff592327665f4
Instruction Fuzzy Hash: CE6179B25043459FD750EF60C844EAEB3E9FF89310F04891EF98987252DB39E905CB96

Function 0072D076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 006C3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,006C3A97,?,?,006C2E7F,?,?,?,00000000), ref: 006C3AC2

Part of subcall function 0072E199: GetFileAttributesW.KERNEL32(?,0072CF95), ref: 0072E19A

FindFirstFileW.KERNEL32(?,?), ref: 0072D122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 0072D1DD
MoveFileW.KERNEL32(?,?), ref: 0072D1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 0072D20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 0072D237

Part of subcall function 0072D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,0072D21C,?,?), ref: 0072D2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 0072D253
FindClose.KERNEL32(00000000), ref: 0072D264

Strings

\*.*, xrefs: 0072D0CD, 0072D0D6, 0072D0EB

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: 3180d975aaed58476ff8ed5bbe808d9621111346865fe004aca3f572e13ba4cf
Instruction ID: a0e35236e4367f0fb450b99a3784a8d378850f548efb7c48554f192bb0f8c54f
Opcode Fuzzy Hash: 3180d975aaed58476ff8ed5bbe808d9621111346865fe004aca3f572e13ba4cf
Instruction Fuzzy Hash: C6613B3180126D9ACF55EBE0E956EFDB7B6EF15300F208169E40277191EB389F09CB65

Function 0073ED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0073ED91
EmptyClipboard.USER32 ref: 0073ED97
GlobalAlloc.KERNEL32(00000002,?), ref: 0073EDAC
CloseClipboard.USER32 ref: 0073EEA3

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 6a1da63b0e6da08b349c7c47d6dd52cfc764060682457b8e56f55812a75bc995
Instruction ID: 5367d3fe973bfc481f0703083b37853d95a409db22359b068492825573d7f122
Opcode Fuzzy Hash: 6a1da63b0e6da08b349c7c47d6dd52cfc764060682457b8e56f55812a75bc995
Instruction Fuzzy Hash: 3D41AD35204611AFE321DF15D888F6ABBE1FF44329F14C09DE4298B6A2C779ED42CB94

Function 0072E8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 007216C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0072170D
Part of subcall function 007216C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0072173A
Part of subcall function 007216C3: GetLastError.KERNEL32 ref: 0072174A

ExitWindowsEx.USER32(?,00000000), ref: 0072E932

Strings

SeShutdownPrivilege, xrefs: 0072E902
, xrefs: 0072E920
, xrefs: 0072E95C
@, xrefs: 0072E925

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: ca9701a211129c3d9d2c79782b4e23646f9699185d7d1f36dcf0ca5b1b9c0407
Instruction ID: 1f5b25e05fb655632a776be7fc73766db06731c538ac8a444ef1a00dfaefae09
Opcode Fuzzy Hash: ca9701a211129c3d9d2c79782b4e23646f9699185d7d1f36dcf0ca5b1b9c0407
Instruction Fuzzy Hash: C7012672610330AFEB2422B4BC8ABBF725CA714741F154427F842E20D1E9AC6C808295

Function 00741204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00741276
WSAGetLastError.WSOCK32 ref: 00741283
bind.WSOCK32(00000000,?,00000010), ref: 007412BA
WSAGetLastError.WSOCK32 ref: 007412C5
closesocket.WSOCK32(00000000), ref: 007412F4
listen.WSOCK32(00000000,00000005), ref: 00741303
WSAGetLastError.WSOCK32 ref: 0074130D
closesocket.WSOCK32(00000000), ref: 0074133C

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: 8d9b6163205dbc2eb214294e3e8b7fe5884c4e67c19236c97acc2468ba431072
Instruction ID: e706e740d603a40433eef5b6279ae6ce7f806422429739e779a127f99c5a1d65
Opcode Fuzzy Hash: 8d9b6163205dbc2eb214294e3e8b7fe5884c4e67c19236c97acc2468ba431072
Instruction Fuzzy Hash: D8414F316002009FD710EF64C499B69BBE6FF46318F58819CD8569F296C7B5ED81CBA1

Function 006FB952 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 006FB9D4
_free.LIBCMT ref: 006FB9F8
_free.LIBCMT ref: 006FBB7F
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00763700), ref: 006FBB91
WideCharToMultiByte.KERNEL32(00000000,00000000,0079121C,000000FF,00000000,0000003F,00000000,?,?), ref: 006FBC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00791270,000000FF,?,0000003F,00000000,?), ref: 006FBC36
_free.LIBCMT ref: 006FBD4B

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: 93768d17186e705b7204a5f808aa09402298c1ad27f35049f5d63d36f7f5d1d5
Instruction ID: f7554da7bd8712f8b739397534133c1f9e426a3ce1ef1f475dabda566eff4768
Opcode Fuzzy Hash: 93768d17186e705b7204a5f808aa09402298c1ad27f35049f5d63d36f7f5d1d5
Instruction Fuzzy Hash: 9AC11571A0420DAFCB20AF69DC41AFA7BBBEF41350F18519EE694D7251EB309E428B54

Function 0072D3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 006C3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,006C3A97,?,?,006C2E7F,?,?,?,00000000), ref: 006C3AC2

Part of subcall function 0072E199: GetFileAttributesW.KERNEL32(?,0072CF95), ref: 0072E19A

FindFirstFileW.KERNEL32(?,?), ref: 0072D420
DeleteFileW.KERNEL32(?,?,?,?), ref: 0072D470
FindNextFileW.KERNEL32(00000000,00000010), ref: 0072D481
FindClose.KERNEL32(00000000), ref: 0072D498
FindClose.KERNEL32(00000000), ref: 0072D4A1

Strings

\*.*, xrefs: 0072D3F2

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: dadfd5b2fd476d9d7d4e37a559d742a0fa7fe66b09aa29e12ed0295f2e535312
Instruction ID: 2def58c4c6ef9ec82eb5def013eea37037a038e476f4992eaee4f82e1b61f0e9
Opcode Fuzzy Hash: dadfd5b2fd476d9d7d4e37a559d742a0fa7fe66b09aa29e12ed0295f2e535312
Instruction Fuzzy Hash: 27317E310083959FC355FF60D855EAF77A9FE91304F408A1DF8D593191EB34AA09876A

Function 006FE4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 006FE645

Strings

1#INF, xrefs: 006FF852
1#SNAN, xrefs: 006FF844
1#QNAN, xrefs: 006FF84B
1#IND, xrefs: 006FF83D

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 127badb2983f73ced833e18bbcbaff3dc4ac0736943225fd6c83417f7e6d81b5
Instruction ID: 1640e73ce96dd42e3b999f50c856cf88e7d2de2626fbb53d3589ad6aef6544f0
Opcode Fuzzy Hash: 127badb2983f73ced833e18bbcbaff3dc4ac0736943225fd6c83417f7e6d81b5
Instruction Fuzzy Hash: 68C22971E086288FDB65CF289D407EAB7B6EF44304F1441EAD94EE7251E779AE818F40

Function 0073648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 007364DC
CoInitialize.OLE32(00000000), ref: 00736639
CoCreateInstance.OLE32(0075FCF8,00000000,00000001,0075FB68,?), ref: 00736650
CoUninitialize.OLE32 ref: 007368D4

Strings

.lnk, xrefs: 007364BA, 00736524, 007365E0

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 4c393c78b6ca5f52257bd990c5e95cb41e46c7b516a0a1bb5d9da59ce0356609
Instruction ID: afc143345d403b325c58cf2bb3d30af786a339f706af39f8888c122eac12a123
Opcode Fuzzy Hash: 4c393c78b6ca5f52257bd990c5e95cb41e46c7b516a0a1bb5d9da59ce0356609
Instruction Fuzzy Hash: A0D13A71508301AFD354EF24C881E6BB7E9FF98704F00896DF5958B2A2DB71E905CBA6

Function 007422DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 007422E8

Part of subcall function 0073E4EC: GetWindowRect.USER32(?,?), ref: 0073E504

GetDesktopWindow.USER32 ref: 00742312
GetWindowRect.USER32(00000000), ref: 00742319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00742355
GetCursorPos.USER32(?), ref: 00742381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 007423DF

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: 3c6c0ecac69c62014e813e9b040454da9a3bf7e69ebefb45caf32c47bdfa5315
Instruction ID: ab8749777621e80c26a3dfe6efde4279cf31a35cf0ecf33cd810df5cdcea5f9f
Opcode Fuzzy Hash: 3c6c0ecac69c62014e813e9b040454da9a3bf7e69ebefb45caf32c47bdfa5315
Instruction Fuzzy Hash: 7F313F72104315AFC721DF54DC08F9BBBA9FF88314F404A1AF88497182DB78EA19CB96

Function 00739B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 006C9CB3: _wcslen.LIBCMT ref: 006C9CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00739B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00739C8B

Part of subcall function 00733874: GetInputState.USER32 ref: 007338CB
Part of subcall function 00733874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00733966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00739BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00739C75

Strings

*.*, xrefs: 00739B5D

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 239309a74d4b7abccbfdbb1460851aa3a0e7035997e2312fbbdfae868d5992ad
Instruction ID: abbf72a9769a79cf226755aa8d8eb97475d819e359a3699ab06e3e33b7aed869
Opcode Fuzzy Hash: 239309a74d4b7abccbfdbb1460851aa3a0e7035997e2312fbbdfae868d5992ad
Instruction Fuzzy Hash: 2F41B27190420A9FDF55DF64C849BEEBBB5EF05300F244159E905A2192DB749E84CF64

Function 006D997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 006D9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 006D9BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 006D9A4E
GetSysColor.USER32(0000000F), ref: 006D9B23
SetBkColor.GDI32(?,00000000), ref: 006D9B36

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: 53f9bbce03e2b117403d098ac0345da07b3a3f72fd4772b2ed0feef1562ac909
Instruction ID: b7410b26b7160a11a9c5c3997583c7d942c800adfb0c1d0cfc77a375f0af6d79
Opcode Fuzzy Hash: 53f9bbce03e2b117403d098ac0345da07b3a3f72fd4772b2ed0feef1562ac909
Instruction Fuzzy Hash: E0A14A71908544FEE728AA3C8C5DEFB26AFDB86350F19420BF902C67D1DA2D9D42C275

Function 00741806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0074304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0074307A
Part of subcall function 0074304E: _wcslen.LIBCMT ref: 0074309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 0074185D
WSAGetLastError.WSOCK32 ref: 00741884
bind.WSOCK32(00000000,?,00000010), ref: 007418DB
WSAGetLastError.WSOCK32 ref: 007418E6
closesocket.WSOCK32(00000000), ref: 00741915

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: 77545af0a3415446acfdd8bd460aedfe72c47f213ce644787b8ea4c9fae89c2f
Instruction ID: ef0b2b18982b64852716cd0a3266ec84649f809f4263ed8c21318036eb527071
Opcode Fuzzy Hash: 77545af0a3415446acfdd8bd460aedfe72c47f213ce644787b8ea4c9fae89c2f
Instruction Fuzzy Hash: BD51A371A00210AFEB10AF24C886F7A77EAEB44718F44845CF91A5F3D3C775AD418BA5

Function 00751C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00751CC0
IsWindowEnabled.USER32 ref: 00751CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 00751CDB
IsIconic.USER32 ref: 00751CE9
IsZoomed.USER32 ref: 00751CF7

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 49269df4402021a9effd11362df6525ba0a7e98e0deba25bda93aa823b7be92e
Instruction ID: 3b5778fa2f9d7bbe49a6b95253d3a5c4a06744d1869fbda519a4e0433e0b991b
Opcode Fuzzy Hash: 49269df4402021a9effd11362df6525ba0a7e98e0deba25bda93aa823b7be92e
Instruction Fuzzy Hash: 0E21B4317402005FD7218F1AC884FA67BA5EF85327B99805CEC458B351D7BAEC46CBA4

Function 006C8060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 006C83FA
VUUU, xrefs: 006C83E8
ERCP, xrefs: 006C813C
VUUU, xrefs: 006C843C
VUUU, xrefs: 00705DF0

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 0ef8db6c512a4774e1955d7789f4234a698d25e3a51415cf3d3dab6edc888b20
Instruction ID: 55507b32d3ea54cd61b994066eda7a44aff503220e863c3c4201dd8a3ef2539d
Opcode Fuzzy Hash: 0ef8db6c512a4774e1955d7789f4234a698d25e3a51415cf3d3dab6edc888b20
Instruction Fuzzy Hash: 71A23D70A0061ACFDF34CF58C954BBEB7B2FB54314F24829AD815A7285EB789D918F90

Function 00728298 Relevance: 6.6, APIs: 1, Strings: 3, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 007282AA

Strings

|, xrefs: 007282DA
tbx, xrefs: 007284F4
(, xrefs: 007282F0

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: lstrlen
String ID: ($tbx$|
API String ID: 1659193697-2462544763
Opcode ID: b1f9a96aa9d233e42b3c403038d06503cd8af619e1efc040581a2041c07e6eef
Instruction ID: 767a1a584f10eb7769037600690a205d1ab09091b208b5835221d0acf7f19600
Opcode Fuzzy Hash: b1f9a96aa9d233e42b3c403038d06503cd8af619e1efc040581a2041c07e6eef
Instruction Fuzzy Hash: 6F324474A00615DFCB68CF59D080A6AB7F0FF48710B15C56EE49ADB3A2EB74E981CB44

Function 0074A67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0074A6AC
Process32FirstW.KERNEL32(00000000,?), ref: 0074A6BA

Part of subcall function 006C9CB3: _wcslen.LIBCMT ref: 006C9CBD

Process32NextW.KERNEL32(00000000,?), ref: 0074A79C
CloseHandle.KERNEL32(00000000), ref: 0074A7AB

Part of subcall function 006DCE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00703303,?), ref: 006DCE8A

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: 3db7a44c44c1a604b2aa99d881393f1f07212d1dfe030a66b7f9569307f11873
Instruction ID: c28d0e386865edf420f65124e62f4b4d4b8ee49e1de87bb857486f34c5e47040
Opcode Fuzzy Hash: 3db7a44c44c1a604b2aa99d881393f1f07212d1dfe030a66b7f9569307f11873
Instruction Fuzzy Hash: 6D516E71508300AFD350EF24C886E6BBBE9FF89754F40892DF58A97251EB34D904CBA6

Function 0072AA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 0072AAAC
SetKeyboardState.USER32(00000080), ref: 0072AAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 0072AB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 0072AB88

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 6ef7d41091d959e7e1295886167cadc6e29b037a381b3c413432d1f44e288136
Instruction ID: 34630c71a5837f6c5304b09cfca8b6b95aa24e646fa023ce3a07308ea854c303
Opcode Fuzzy Hash: 6ef7d41091d959e7e1295886167cadc6e29b037a381b3c413432d1f44e288136
Instruction Fuzzy Hash: E131F6B0A40368BFFF358A64AC09BFA7BA6EF44310F04821AF581965D1D37D8985C766

Function 0073CE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 0073CE89
GetLastError.KERNEL32(?,00000000), ref: 0073CEEA
SetEvent.KERNEL32(?,?,00000000), ref: 0073CEFE

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: c6449ad1a9b958e60b207ad669b00fbbefa90d6208fd6178553b4893a1dc06b3
Instruction ID: 76e11d8aa1d1a7c86dd256173aa424190b3d85a4defc079a43ec346bf5feb03f
Opcode Fuzzy Hash: c6449ad1a9b958e60b207ad669b00fbbefa90d6208fd6178553b4893a1dc06b3
Instruction Fuzzy Hash: D621CFB2540705AFE722DF65C948BA777FCEB00314F10841EE546E2152E778EE04CB54

Function 00735C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00735CC1
FindNextFileW.KERNEL32(00000000,?), ref: 00735D17
FindClose.KERNEL32(?), ref: 00735D5F

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 3236ea680a4004a4ef3bcadd14e4b06f0f5f71f752926524f1847cbeb781b6a7
Instruction ID: 87098f6d535e6f3f1944a12ac90354731d38121779a3450fd70b6a476f14f10e
Opcode Fuzzy Hash: 3236ea680a4004a4ef3bcadd14e4b06f0f5f71f752926524f1847cbeb781b6a7
Instruction Fuzzy Hash: 67518874604B019FD714CF28C494E9AB7E5FF49324F14855EE99A8B3A2CB34ED05CB91

Function 006F2622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 006F271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 006F2724
UnhandledExceptionFilter.KERNEL32(?), ref: 006F2731

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 1dd17893e18f026c24c9b414b7912e83e489c9e9b303864465198e3d2e165497
Instruction ID: 0cb07830281f6a08329d01308b21cc3502a969e327ab38f10f7b7e342ab00bf2
Opcode Fuzzy Hash: 1dd17893e18f026c24c9b414b7912e83e489c9e9b303864465198e3d2e165497
Instruction Fuzzy Hash: BB31B27490131D9BCB61DF69DC887D8BBB9BF08310F5041EAE50CA6261E7749F818F49

Function 007351CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 007351DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00735238
SetErrorMode.KERNEL32(00000000), ref: 007352A1

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 4439454dc1151bf7345387cf45256b0072d081c536bfcc821f9b741da414b96f
Instruction ID: f219486e7daaac7fda8e508999797fc47f40d9858467c86ed40237d649805f72
Opcode Fuzzy Hash: 4439454dc1151bf7345387cf45256b0072d081c536bfcc821f9b741da414b96f
Instruction Fuzzy Hash: A1314C75A00618DFDB00DF54D888FAEBBB5FF48314F088099E805AB362DB75E856CB94

Function 007216C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 006DFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 006E0668
Part of subcall function 006DFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 006E0685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0072170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0072173A
GetLastError.KERNEL32 ref: 0072174A

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: 73e778ee4b1bc1398748621b96361d09cda35b5421f592150fdadcb28e4071bd
Instruction ID: f8a9366ad2b33de8917caca156655924ef177ad94f9e62a867f21dd9e1bc1383
Opcode Fuzzy Hash: 73e778ee4b1bc1398748621b96361d09cda35b5421f592150fdadcb28e4071bd
Instruction Fuzzy Hash: B01191B2804308AFD7189F54EC86EABB7BAFF44725B20852EE05657241EB74BC418B24

Function 0072D5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0072D608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 0072D645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0072D650

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: fd044a92e9be8b89b6584f31c93460dd4a2fa0e59a0b42f910b301aa4b906bd1
Instruction ID: 462b7c421c6b348324c0491f59a6eab653ce1d10a3276c352c3c1a6a8ef4eb45
Opcode Fuzzy Hash: fd044a92e9be8b89b6584f31c93460dd4a2fa0e59a0b42f910b301aa4b906bd1
Instruction Fuzzy Hash: A9117C71E01328BFDB208F94AC44FAFBBBCEB45B50F108115F914E7290C2B44A018BA1

Function 00721663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0072168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 007216A1
FreeSid.ADVAPI32(?), ref: 007216B1

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 8254781409281eb5e44f6ac01cdc59953081c157a7306f6e5c96b7603bc855cb
Instruction ID: 6d3549e93b1b6627ee152bfa434beacfe2db49b237b38907af370fa99aca7c6c
Opcode Fuzzy Hash: 8254781409281eb5e44f6ac01cdc59953081c157a7306f6e5c96b7603bc855cb
Instruction Fuzzy Hash: 6DF0F471950309FFDB00DFE49C89AAEBBBCFB08605F508565E601E2181E778AA448A54

Function 006E4CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(006F28E9,?,006E4CBE,006F28E9,007888B8,0000000C,006E4E15,006F28E9,00000002,00000000,?,006F28E9), ref: 006E4D09
TerminateProcess.KERNEL32(00000000,?,006E4CBE,006F28E9,007888B8,0000000C,006E4E15,006F28E9,00000002,00000000,?,006F28E9), ref: 006E4D10
ExitProcess.KERNEL32 ref: 006E4D22

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: cd77f57af6b4943716ff6f9c05dec2ea297078f7055ef725c7e1f2802eeae438
Instruction ID: 584fe844afc67d098059470857b8e670307d94a968dc20a012138827ab96295c
Opcode Fuzzy Hash: cd77f57af6b4943716ff6f9c05dec2ea297078f7055ef725c7e1f2802eeae438
Instruction Fuzzy Hash: 06E0B67100178CAFCF12AF65DD09B983F6AEF81782B108058FD05CA223CB79DD42CA88

Function 006FC2A2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 006FC36C

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 224e7ab9b4cb5cf917190c2e693321ab3ec7604e1f26b6374efeb100286151e4
Instruction ID: 5ecda6d7be5d889dfab87054b916ea2c28e95ad0a132dc546f0696b4c8a7162d
Opcode Fuzzy Hash: 224e7ab9b4cb5cf917190c2e693321ab3ec7604e1f26b6374efeb100286151e4
Instruction Fuzzy Hash: B541287290021DAFCB209FB9DD49EFB77BAEB84364F10426DFA05D7280E6719E418B54

Function 0071D27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 0071D28C

Strings

X64, xrefs: 0071D2A8

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 0eac50dfd68a80c055741ddb786c1fda6f3d005a4e2e4d7b317c299a8dd79e61
Instruction ID: 05ad6ce7423de2cb01268092597384d2fd0145d8edca1302fd19834dfade000c
Opcode Fuzzy Hash: 0eac50dfd68a80c055741ddb786c1fda6f3d005a4e2e4d7b317c299a8dd79e61
Instruction Fuzzy Hash: 82D0C9B480121DEECF90DB90DC88DD9B3BCBB04305F104152F106A2140D77895498F10

Function 006ECAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: b690dcba8dfa86a717ec1ab709e09a6c43bebce9b52b76b57260f61fd1f57beb
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: 62022C71E012599FDF14CFA9C8806EEBBF2EF48724F254169D919EB380D731A942CB94

Function 006CCAF0 Relevance: 3.2, Strings: 2, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 00710C40
p#y, xrefs: 006CCF7F

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.$p#y
API String ID: 0-2013953717
Opcode ID: 409aa01099c9c217101a6187c79a569764135eb688a69ebadd90765884da933f
Instruction ID: f6a25004e41542235ecac608db8f04e29bfba0faf5cab2d924d220ec23323c56
Opcode Fuzzy Hash: 409aa01099c9c217101a6187c79a569764135eb688a69ebadd90765884da933f
Instruction Fuzzy Hash: 7F3248709002189BCF14DF94C895FFDB7B6FF05314F14805DE81AAB292D775AA86CBA4

Function 007368EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00736918
FindClose.KERNEL32(00000000), ref: 00736961

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 03b0103fd0a8e315631ba381fd8b771e88bfa5d0c76342d5fc3a2828ae18faeb
Instruction ID: 727b5d46b0a9d2b8ed499edaad714e70d2e861cd161cd5b726273bd6c23e474b
Opcode Fuzzy Hash: 03b0103fd0a8e315631ba381fd8b771e88bfa5d0c76342d5fc3a2828ae18faeb
Instruction Fuzzy Hash: D5118E71604210AFD710DF29D484B26BBE5FF85329F14C69DE4698F6A2CB74EC05CB91

Function 007337B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00744891,?,?,00000035,?), ref: 007337E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00744891,?,?,00000035,?), ref: 007337F4

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 6122282abf57ef656d7614e386b907598d3a6e0db3763c61277de23564da39fe
Instruction ID: 12c7a38995f4e0c2543541aebd6b246b12b22c747dbf13a7413bce00e5f45241
Opcode Fuzzy Hash: 6122282abf57ef656d7614e386b907598d3a6e0db3763c61277de23564da39fe
Instruction Fuzzy Hash: 58F0E5B06053296AE72017668C8DFEB3AAEEFC4761F000265F509D2291D9B49904C7B0

Function 0072B226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 0072B25D
keybd_event.USER32(?,7694C0D0,?,00000000), ref: 0072B270

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 355963c607df978cec5cd026a7e6acdd2e1b5be566b5c73f49b7416af25b191f
Instruction ID: 3858379173afbf21e9251c3e20c94750bfd3fb60a04df5673e72b432cb9e5763
Opcode Fuzzy Hash: 355963c607df978cec5cd026a7e6acdd2e1b5be566b5c73f49b7416af25b191f
Instruction Fuzzy Hash: FDF0F97180434DABDB059FA0D805BEE7BB4FF08305F108409E955A5192D37D86119F94

Function 007210BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,007211FC), ref: 007210D4
CloseHandle.KERNEL32(?,?,007211FC), ref: 007210E9

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 210b9a8c4d829cd21abf815a26161aee2b17eab1144c1a44c5820fffb02181fe
Instruction ID: 8c52294ab3978b0935615b1ea9c0d6e854260d04c173ab376a69d64611c68334
Opcode Fuzzy Hash: 210b9a8c4d829cd21abf815a26161aee2b17eab1144c1a44c5820fffb02181fe
Instruction Fuzzy Hash: 31E04F32004710AEE7262B51FC05FB377AAEF04311B10C82EF4A6804B1DBA26C90DB54

Function 006CBF40 Relevance: 2.4, Strings: 1, Instructions: 1178COMMON

Download Yara Rule

Strings

p#y, xrefs: 007107CE

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: BuffCharUpper
String ID: p#y
API String ID: 3964851224-1019219899
Opcode ID: bd6543fe1305bb7cdacdbf78b0dc02bd29e5e8c13f5d15b33069087ffefa20e9
Instruction ID: 578865722da015c3359ce5287ac708ce27d180e9455f9249404134dcf934bd77
Opcode Fuzzy Hash: bd6543fe1305bb7cdacdbf78b0dc02bd29e5e8c13f5d15b33069087ffefa20e9
Instruction Fuzzy Hash: 2BA26C706083419FD714DF28C480B6AB7E2FF89314F14896DE89A9B392D775EC85CB92

Function 006F676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,006F6766,?,?,00000008,?,?,006FFEFE,00000000), ref: 006F6998

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: afa5f4f020fb0e000ac7f8dd02cad2d39cd2596be0a02d7488cf6edcc136b8b9
Instruction ID: 4d9841819c892a49b7d057be1f398f8db6809b66aac9516c3da222cf37165864
Opcode Fuzzy Hash: afa5f4f020fb0e000ac7f8dd02cad2d39cd2596be0a02d7488cf6edcc136b8b9
Instruction Fuzzy Hash: EEB15B316106099FD715CF28C48ABA57BE1FF05364F25865CF9AACF2A2C335E982CB40

Function 006DB119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 0071851F

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 012dd65d596b521ef6003f6d59816f94ca61f288d2f8835ada339c670b34b281
Instruction ID: 9808357bacf45f036593091213ee4cb7774601776ff82e2de3995e83a966eb7e
Opcode Fuzzy Hash: 012dd65d596b521ef6003f6d59816f94ca61f288d2f8835ada339c670b34b281
Instruction Fuzzy Hash: 05124F71D00229DBCB64CF58C881AEEB7F5FF48710F15819AE849EB355DB349A81CB91

Function 0073EAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 0073EABD

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 99fa2afa577c8da0829f6bea409680294d5e29842562a916378c8f5c9b798ea3
Instruction ID: 0a3130bb41e838daf4d918fe5d555f442165938416033a4c5a3deda3c7af6798
Opcode Fuzzy Hash: 99fa2afa577c8da0829f6bea409680294d5e29842562a916378c8f5c9b798ea3
Instruction Fuzzy Hash: DFE01A312002059FD710EF59D805EAAB7E9EF98760F00C41EFC49C7391DAB4A8418B94

Function 006E09D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,006E03EE), ref: 006E09DA

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 0a7815e0a35a113063c278c660eeafbead67f273c6fca067ecec9fcf27dc45e8
Instruction ID: 04efd7fa95d26c5d0828ab01d2569d4ec1399c705c92a78407d708775b6b2b14
Opcode Fuzzy Hash: 0a7815e0a35a113063c278c660eeafbead67f273c6fca067ecec9fcf27dc45e8
Instruction Fuzzy Hash:

Function 006E781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 006E798B

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: 2bcc3ff0da5e74c2ab193bc385cf7283bd96d9ce02070b93a6df7ee59438a616
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: B751567161F7C55ADB38856B885A7FF238B9F22340F18052AE886C7383CA15DE06D35A

Function 00732046 Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

0&y, xrefs: 00732053

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID:
String ID: 0&y
API String ID: 0-825062974
Opcode ID: ca9f9217017af7823db351442ebb9f229c84eef8775cc6c9c51be82563a0cef2
Instruction ID: ef4d12623a3f8b90115df1f8434ee52f26ff1e2cb725684b0507cdd64bb104b3
Opcode Fuzzy Hash: ca9f9217017af7823db351442ebb9f229c84eef8775cc6c9c51be82563a0cef2
Instruction Fuzzy Hash: CA21A5326216118BDB2CCE79C82367E73E5A754310F15862EE4A7C77D2DE3AA905CB84

Function 006F6DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 729ed830d25505a153ac24446a90eff8b77e35f0b9e74a96713f6fc845d01461
Instruction ID: 79d11afd7240137aafa4605fea4690e8bc39110c55387ce49004b974c59995f8
Opcode Fuzzy Hash: 729ed830d25505a153ac24446a90eff8b77e35f0b9e74a96713f6fc845d01461
Instruction Fuzzy Hash: 67323332D29F054DD7639634CC22335A28AAFB73C5F15D737E81AB5AAAEF69C4834100

Function 006DCC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdc3e8ab7804dd8d59470a36cec1f95bd56a44d12c73ab7dd477f6d9829459f3
Instruction ID: 3ef4129492a3f2ab1c79305550e903ee4254a2eb96280bc26fa5691c81d54db8
Opcode Fuzzy Hash: bdc3e8ab7804dd8d59470a36cec1f95bd56a44d12c73ab7dd477f6d9829459f3
Instruction Fuzzy Hash: 28322431A8410A8BCF2ACEACC5946FD7BA2EF45310F28816BD5899B3D1D638DDC1DB51

Function 006C7920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 764b765c2a1f159db3e0033065cb10c997051498f4f4cd4ff9e7b1cbef511046
Instruction ID: d150e102e1ecd079dbb8c06f319663f7f5c098ff451ec7b4625b690cb4e63ab3
Opcode Fuzzy Hash: 764b765c2a1f159db3e0033065cb10c997051498f4f4cd4ff9e7b1cbef511046
Instruction Fuzzy Hash: 44226CB0A0460ADBDF14CFA5C841AAEB7F6FF44300F24462DE816A7291EB399D55CF54

Function 006C91C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 535a8612e2191bd6e232292061e5c9e9b4543c6d86be9ef845f7fe562c77b841
Instruction ID: f9db1cf9dc7a97c665ea27ad56b8815420746ffc2ad018cd2af7d36e50526845
Opcode Fuzzy Hash: 535a8612e2191bd6e232292061e5c9e9b4543c6d86be9ef845f7fe562c77b841
Instruction Fuzzy Hash: 9602A6B1E00205EBDB04DF54D881BAEB7F2FF44300F508569E8569B391EB35AE51CB95

Function 006F9EEE Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3a2c8687c2310f036ab143d4e15e3394329927ae871124fd51e2818c3515877
Instruction ID: 6a32d6a168fc2197522d0f2f508f083e4fb1f253f0954b9bce0f60b591d8bf0c
Opcode Fuzzy Hash: b3a2c8687c2310f036ab143d4e15e3394329927ae871124fd51e2818c3515877
Instruction Fuzzy Hash: 9CB1F320D2AF404DD723963A8831336B65CAFBB6D5F51D71BFC1B74E62EB2585838144

Function 006E7A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37056d4cf11e7a2263fbdf887004ebd98c820bc9b054756a238b0a7abf231871
Instruction ID: 62b42792e89d397f1817adc78d11c3ff99e8645b75290b710938d46b645d09ff
Opcode Fuzzy Hash: 37056d4cf11e7a2263fbdf887004ebd98c820bc9b054756a238b0a7abf231871
Instruction Fuzzy Hash: 9961787160A7C99ADA349E2F8D95BFE339BDF51700F20092EE842CB3C1DA119E438319

Function 006E7CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d99fad21f04a0c156abbcaf50b11166da47757286053ac067719675115ec6c1a
Instruction ID: 784bd851e4661e4007b29d79a5a79a9e76b7d52bcf879c1aee7eb9d4ef301c91
Opcode Fuzzy Hash: d99fad21f04a0c156abbcaf50b11166da47757286053ac067719675115ec6c1a
Instruction Fuzzy Hash: CF617B7160A7C966DE384A2B9C95BFF238BDF42740F24095DE942DB3C1EA129D438359

Function 00742ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00742B30
DeleteObject.GDI32(00000000), ref: 00742B43
DestroyWindow.USER32 ref: 00742B52
GetDesktopWindow.USER32 ref: 00742B6D
GetWindowRect.USER32(00000000), ref: 00742B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00742CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00742CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00742CF8
GetClientRect.USER32(00000000,?), ref: 00742D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00742D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00742D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00742D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00742D80
GlobalLock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00742D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00742D98
GlobalUnlock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00742DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00742DA8
GlobalFree.KERNEL32(00000000), ref: 00742DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00742DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,0075FC38,00000000), ref: 00742DDB
GlobalFree.KERNEL32(00000000), ref: 00742DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00742E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00742E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00742E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0074303F

Strings

AutoIt v3, xrefs: 00742CF2
static, xrefs: 00742D3A, 00742E91
, xrefs: 00742FC5
DISPLAY, xrefs: 00742EA2

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: be83fc854747b4a331899b237ddc8d30e55a74c8c67d097d6e9ca4bfad44b008
Instruction ID: 680b8504e533a19c892c2d205c465f55cf3112eb19b0fc1991e792d35d1aac25
Opcode Fuzzy Hash: be83fc854747b4a331899b237ddc8d30e55a74c8c67d097d6e9ca4bfad44b008
Instruction Fuzzy Hash: AE026A71900209AFDB15DF64CC89FAE7BBAEB48711F408158F915AB2A1DB78ED01CF64

Function 007570D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0075712F
GetSysColorBrush.USER32(0000000F), ref: 00757160
GetSysColor.USER32(0000000F), ref: 0075716C
SetBkColor.GDI32(?,000000FF), ref: 00757186
SelectObject.GDI32(?,?), ref: 00757195
InflateRect.USER32(?,000000FF,000000FF), ref: 007571C0
GetSysColor.USER32(00000010), ref: 007571C8
CreateSolidBrush.GDI32(00000000), ref: 007571CF
FrameRect.USER32(?,?,00000000), ref: 007571DE
DeleteObject.GDI32(00000000), ref: 007571E5
InflateRect.USER32(?,000000FE,000000FE), ref: 00757230
FillRect.USER32(?,?,?), ref: 00757262
GetWindowLongW.USER32(?,000000F0), ref: 00757284

Part of subcall function 007573E8: GetSysColor.USER32(00000012), ref: 00757421
Part of subcall function 007573E8: SetTextColor.GDI32(?,?), ref: 00757425
Part of subcall function 007573E8: GetSysColorBrush.USER32(0000000F), ref: 0075743B
Part of subcall function 007573E8: GetSysColor.USER32(0000000F), ref: 00757446
Part of subcall function 007573E8: GetSysColor.USER32(00000011), ref: 00757463
Part of subcall function 007573E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00757471
Part of subcall function 007573E8: SelectObject.GDI32(?,00000000), ref: 00757482
Part of subcall function 007573E8: SetBkColor.GDI32(?,00000000), ref: 0075748B
Part of subcall function 007573E8: SelectObject.GDI32(?,?), ref: 00757498
Part of subcall function 007573E8: InflateRect.USER32(?,000000FF,000000FF), ref: 007574B7
Part of subcall function 007573E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 007574CE
Part of subcall function 007573E8: GetWindowLongW.USER32(00000000,000000F0), ref: 007574DB

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 28b2af96273c1fc03de142cf7bb4354f7e1ee87f733d6cc7fdf75209be0e642a
Instruction ID: c24bf1286cf0ee28fd18b518fbe4023281493a021877597237369e65c3ba96e1
Opcode Fuzzy Hash: 28b2af96273c1fc03de142cf7bb4354f7e1ee87f733d6cc7fdf75209be0e642a
Instruction Fuzzy Hash: ACA1B172008305FFD7069F60DC48B9B7BA9FB88322F104A19F962961E1D7B9E944CB55

Function 00742711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 0074273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0074286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 007428A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 007428B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00742900
GetClientRect.USER32(00000000,?), ref: 0074290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00742955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00742964
GetStockObject.GDI32(00000011), ref: 00742974
SelectObject.GDI32(00000000,00000000), ref: 00742978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00742988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00742991
DeleteDC.GDI32(00000000), ref: 0074299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 007429C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 007429DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00742A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00742A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00742A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00742A77
GetStockObject.GDI32(00000011), ref: 00742A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00742A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00742A97

Strings

AutoIt v3, xrefs: 007428F8
msctls_progress32, xrefs: 00742A13
static, xrefs: 0074294F, 00742A71
DISPLAY, xrefs: 0074295A

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 8c20652afbc73aed4ea57e73af12ee00a9789785368051ee393ac03dd21e70f3
Instruction ID: d53d789e3220643691526e451e3b39807fddadf3a2178baadfba0fa99e925e0e
Opcode Fuzzy Hash: 8c20652afbc73aed4ea57e73af12ee00a9789785368051ee393ac03dd21e70f3
Instruction Fuzzy Hash: 17B16DB1A00209AFEB14DF68CC4AFAE7BB9EB08711F408119F914E7291D7B8ED51CB54

Function 00734ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00734AED
GetDriveTypeW.KERNEL32(?,0075CB68,?,\\.\,0075CC08), ref: 00734BCA
SetErrorMode.KERNEL32(00000000,0075CB68,?,\\.\,0075CC08), ref: 00734D36

Strings

1394, xrefs: 00734C9F
FileBackedVirtual, xrefs: 00734CEC
Fixed, xrefs: 00734C09
PhysicalDrive, xrefs: 00734B76
Unknown, xrefs: 00734BED, 00734C83
Virtual, xrefs: 00734CE5
SAS, xrefs: 00734CC9
SATA, xrefs: 00734CD0
ATAPI, xrefs: 00734C91
SCSI, xrefs: 00734C8A
Network, xrefs: 00734C02
RAMDisk, xrefs: 00734BF4
ATA, xrefs: 00734C98
SSD, xrefs: 00734C4A
MMC, xrefs: 00734CDE
CDROM, xrefs: 00734BFB
Removable, xrefs: 00734C10, 00734C15
SSA, xrefs: 00734CA6
USB, xrefs: 00734CB4
Fibre, xrefs: 00734CAD
\\.\, xrefs: 00734B3F
iSCSI, xrefs: 00734CC2
RAID, xrefs: 00734CBB

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 935069d0b15c63b483e895f70ab4d96fe73250bc80fbfa77adeea8ca647b2d0d
Instruction ID: 0c70264eda2142dd4cf19cf22599feef0c08ea1b333a8052edbc762e5c1bd52e
Opcode Fuzzy Hash: 935069d0b15c63b483e895f70ab4d96fe73250bc80fbfa77adeea8ca647b2d0d
Instruction Fuzzy Hash: 1161B070746205ABEB08EF24CA95EB8B7B1EB04300F249419F806AB653DB7DFD41DB65

Function 007573E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00757421
SetTextColor.GDI32(?,?), ref: 00757425
GetSysColorBrush.USER32(0000000F), ref: 0075743B
GetSysColor.USER32(0000000F), ref: 00757446
CreateSolidBrush.GDI32(?), ref: 0075744B
GetSysColor.USER32(00000011), ref: 00757463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00757471
SelectObject.GDI32(?,00000000), ref: 00757482
SetBkColor.GDI32(?,00000000), ref: 0075748B
SelectObject.GDI32(?,?), ref: 00757498
InflateRect.USER32(?,000000FF,000000FF), ref: 007574B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 007574CE
GetWindowLongW.USER32(00000000,000000F0), ref: 007574DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0075752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00757554
InflateRect.USER32(?,000000FD,000000FD), ref: 00757572
DrawFocusRect.USER32(?,?), ref: 0075757D
GetSysColor.USER32(00000011), ref: 0075758E
SetTextColor.GDI32(?,00000000), ref: 00757596
DrawTextW.USER32(?,007570F5,000000FF,?,00000000), ref: 007575A8
SelectObject.GDI32(?,?), ref: 007575BF
DeleteObject.GDI32(?), ref: 007575CA
SelectObject.GDI32(?,?), ref: 007575D0
DeleteObject.GDI32(?), ref: 007575D5
SetTextColor.GDI32(?,?), ref: 007575DB
SetBkColor.GDI32(?,?), ref: 007575E5

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 6ec2f31646b64baa0e28d644c74b1c217fe647c17d40789e66b8af3c91c33eb2
Instruction ID: 0391dfb387080c3338cfd531ecdabce93ad80c75768fb9ac642938ab0b228c91
Opcode Fuzzy Hash: 6ec2f31646b64baa0e28d644c74b1c217fe647c17d40789e66b8af3c91c33eb2
Instruction Fuzzy Hash: 2E616E72900318AFDF059FA4DC49FEE7FB9EB08322F118115F915AB2A1D7B99940CB94

Function 00750FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00751128
GetDesktopWindow.USER32 ref: 0075113D
GetWindowRect.USER32(00000000), ref: 00751144
GetWindowLongW.USER32(?,000000F0), ref: 00751199
DestroyWindow.USER32(?), ref: 007511B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 007511ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0075120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0075121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 00751232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00751245
IsWindowVisible.USER32(00000000), ref: 007512A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 007512BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 007512D0
GetWindowRect.USER32(00000000,?), ref: 007512E8
MonitorFromPoint.USER32(?,?,00000002), ref: 0075130E
GetMonitorInfoW.USER32(00000000,?), ref: 00751328
CopyRect.USER32(?,?), ref: 0075133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 007513AA

Strings

tooltips_class32, xrefs: 007511E6
0, xrefs: 007510D3
(, xrefs: 0075131B

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 38387c0bbc94eb53318b7989bf03a0fc8e13ca804c90b63f972571e2db348d88
Instruction ID: 5239de9343e7be4fefe6e2be3933deacb9312fab8d02509c874e5bad0a572568
Opcode Fuzzy Hash: 38387c0bbc94eb53318b7989bf03a0fc8e13ca804c90b63f972571e2db348d88
Instruction Fuzzy Hash: 6CB1AC71604340AFD740DF64C884FAABBE5FF84342F40891CF9999B2A1DBB5E848CB95

Function 00750241 Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 007502E5
_wcslen.LIBCMT ref: 0075031F
_wcslen.LIBCMT ref: 00750389
_wcslen.LIBCMT ref: 007503F1
_wcslen.LIBCMT ref: 00750475
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 007504C5
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00750504

Part of subcall function 006DF9F2: _wcslen.LIBCMT ref: 006DF9FD

Part of subcall function 0072223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00722258
Part of subcall function 0072223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0072228A

Strings

ISSELECTED, xrefs: 007504DD
FINDITEM, xrefs: 00750627
DESELECT, xrefs: 0075059C
GETSELECTEDCOUNT, xrefs: 00750470, 0075048B
SELECTINVERT, xrefs: 0075057E
SELECT, xrefs: 00750548
GETITEMCOUNT, xrefs: 00750316, 00750337
GETSELECTED, xrefs: 007505E1
VIEWCHANGE, xrefs: 00750675
GETSUBITEMCOUNT, xrefs: 00750384, 0075039F
SELECTCLEAR, xrefs: 0075052D
GETTEXT, xrefs: 007503EC, 00750407
SELECTALL, xrefs: 00750515

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: e05eeb19e97b140dce8c650b88e6e779ddf9f6646eb589a38ec212b4e9acd020
Instruction ID: 5b342cb06538498d348020ffce1b40ad346fa7cbb62767bc2d912399166dc520
Opcode Fuzzy Hash: e05eeb19e97b140dce8c650b88e6e779ddf9f6646eb589a38ec212b4e9acd020
Instruction Fuzzy Hash: 55E1BD312082418FC754EF24C4519BAB3E6FF88315F14496DF8969B3A2DB78ED4ACB91

Function 006D8891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 006D8968
GetSystemMetrics.USER32(00000007), ref: 006D8970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 006D899B
GetSystemMetrics.USER32(00000008), ref: 006D89A3
GetSystemMetrics.USER32(00000004), ref: 006D89C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 006D89E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 006D89F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 006D8A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 006D8A3C
GetClientRect.USER32(00000000,000000FF), ref: 006D8A5A
GetStockObject.GDI32(00000011), ref: 006D8A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 006D8A81

Part of subcall function 006D912D: GetCursorPos.USER32(?), ref: 006D9141
Part of subcall function 006D912D: ScreenToClient.USER32(00000000,?), ref: 006D915E
Part of subcall function 006D912D: GetAsyncKeyState.USER32(00000001), ref: 006D9183
Part of subcall function 006D912D: GetAsyncKeyState.USER32(00000002), ref: 006D919D

SetTimer.USER32(00000000,00000000,00000028,006D90FC), ref: 006D8AA8

Strings

AutoIt v3 GUI, xrefs: 006D8A20

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 58f87c71af0f52b447a1c96f6e33cecfe0260a0a856172ff3aa69c24c10463c2
Instruction ID: e5c15db04dadc9a3c473e54c09473fc23ba2648fc1801f6a4e3aa8acc8ff9bfd
Opcode Fuzzy Hash: 58f87c71af0f52b447a1c96f6e33cecfe0260a0a856172ff3aa69c24c10463c2
Instruction Fuzzy Hash: C6B18075A0030A9FDB14DFA8CC49BEE3BB5FB48315F11811AFA15AB2D0DB78A851CB54

Function 00720D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 007210F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00721114
Part of subcall function 007210F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00720B9B,?,?,?), ref: 00721120
Part of subcall function 007210F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00720B9B,?,?,?), ref: 0072112F
Part of subcall function 007210F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00720B9B,?,?,?), ref: 00721136
Part of subcall function 007210F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0072114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00720DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00720E29
GetLengthSid.ADVAPI32(?), ref: 00720E40
GetAce.ADVAPI32(?,00000000,?), ref: 00720E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00720E96
GetLengthSid.ADVAPI32(?), ref: 00720EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00720EB5
HeapAlloc.KERNEL32(00000000), ref: 00720EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00720EDD
CopySid.ADVAPI32(00000000), ref: 00720EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00720F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00720F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00720F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00720F6E
HeapFree.KERNEL32(00000000), ref: 00720F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00720F7E
HeapFree.KERNEL32(00000000), ref: 00720F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00720F8E
HeapFree.KERNEL32(00000000), ref: 00720F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00720FA1
HeapFree.KERNEL32(00000000), ref: 00720FA8

Part of subcall function 00721193: GetProcessHeap.KERNEL32(00000008,00720BB1,?,00000000,?,00720BB1,?), ref: 007211A1
Part of subcall function 00721193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00720BB1,?), ref: 007211A8
Part of subcall function 00721193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00720BB1,?), ref: 007211B7

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: bb2858ced5fc044366d9df3ceb4492625f119dcdb6fb7f78753743ddb05dc7f3
Instruction ID: de7e2d4404e0c618eeaf04ed54fdbbf665f672043709be6cbe5c71c12f106b53
Opcode Fuzzy Hash: bb2858ced5fc044366d9df3ceb4492625f119dcdb6fb7f78753743ddb05dc7f3
Instruction Fuzzy Hash: 60715F7290031AAFDF219FA4ED45BEEBBB8FF04311F048115F919A6191D7799A05CBB0

Function 0074C3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0074C4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,0075CC08,00000000,?,00000000,?,?), ref: 0074C544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 0074C5A4
_wcslen.LIBCMT ref: 0074C5F4
_wcslen.LIBCMT ref: 0074C66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 0074C6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 0074C7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 0074C84D
RegCloseKey.ADVAPI32(?), ref: 0074C881
RegCloseKey.ADVAPI32(00000000), ref: 0074C88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 0074C960

Strings

REG_BINARY, xrefs: 0074C913
REG_EXPAND_SZ, xrefs: 0074C5CD
REG_DWORD, xrefs: 0074C804
REG_MULTI_SZ, xrefs: 0074C6F5
REG_SZ, xrefs: 0074C644
REG_QWORD, xrefs: 0074C8C3

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: a69da932201ee6c5e8b96aea66e2c8c5fb531cdab2e1e699a220fcf4ef8efb52
Instruction ID: 54c856e5d32fe4c32bc3d84395a1deb0ca486befccbc9ab81de2b6676b911f94
Opcode Fuzzy Hash: a69da932201ee6c5e8b96aea66e2c8c5fb531cdab2e1e699a220fcf4ef8efb52
Instruction Fuzzy Hash: 0F1259356042019FD755DF24C881F2AB7E6EF88724F14889DF84A9B3A2DB35ED41CB89

Function 0075091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 007509C6
_wcslen.LIBCMT ref: 00750A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00750A54
_wcslen.LIBCMT ref: 00750A8A
_wcslen.LIBCMT ref: 00750B06
_wcslen.LIBCMT ref: 00750B81

Part of subcall function 006DF9F2: _wcslen.LIBCMT ref: 006DF9FD

Part of subcall function 00722BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00722BFA

Strings

SELECT, xrefs: 00750D11
GETTOTALCOUNT, xrefs: 007509F2, 00750A17
GETITEMCOUNT, xrefs: 00750C1E
GETSELECTED, xrefs: 00750C4E
UNCHECK, xrefs: 00750D3E
ISCHECKED, xrefs: 00750CE1
EXPAND, xrefs: 00750BF8
COLLAPSE, xrefs: 00750B01, 00750B1C
CHECK, xrefs: 00750A85, 00750AA0
EXISTS, xrefs: 00750B7C, 00750B97
GETTEXT, xrefs: 00750C97

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: d1204db20f1b6ff894cd52cb851d27e65f900c5da8fa67ba121613da0b86894e
Instruction ID: 4ce4c31710e4ce36e3898233aa75fd2d80aaf0e0656354fdf0737cb7118bce50
Opcode Fuzzy Hash: d1204db20f1b6ff894cd52cb851d27e65f900c5da8fa67ba121613da0b86894e
Instruction Fuzzy Hash: 91E1BC716083019FC714EF24C4909AAB7E2FF88315B14895DF8969B362DB78ED4ACBC1

Function 0074C998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,0074B6AE,?,?), ref: 0074C9B5
_wcslen.LIBCMT ref: 0074C9F1
_wcslen.LIBCMT ref: 0074CA68
_wcslen.LIBCMT ref: 0074CA9E
_wcslen.LIBCMT ref: 0074CAF9
_wcslen.LIBCMT ref: 0074CB2F
_wcslen.LIBCMT ref: 0074CB7F

Strings

HKEY_LOCAL_MACHINE, xrefs: 0074CA62, 0074CA67
HKCR, xrefs: 0074CB29, 0074CB2E
HKEY_CURRENT_USER, xrefs: 0074CBBD
HKEY_CURRENT_CONFIG, xrefs: 0074CB79, 0074CB7E
HKEY_CLASSES_ROOT, xrefs: 0074CAF3, 0074CAF8
HKCU, xrefs: 0074CBCE
HKU, xrefs: 0074CBF0
HKLM, xrefs: 0074CA98, 0074CA9D
HKCC, xrefs: 0074CBAC
HKEY_USERS, xrefs: 0074CBDF

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: 31d627906e380d1d374375903b60a90e97eb511ca5cc95437983cd71b90b2770
Instruction ID: 6bbcc87db4adb7d5b06e5af3989f4944de215dadf4bf86125d6c4f33d84759d7
Opcode Fuzzy Hash: 31d627906e380d1d374375903b60a90e97eb511ca5cc95437983cd71b90b2770
Instruction Fuzzy Hash: A371283270216A8BCB92DE7CCC415BE3392EF60754B254529FC66A7284EB3DCD44C3A4

Function 0075833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0075835A
_wcslen.LIBCMT ref: 0075836E
_wcslen.LIBCMT ref: 00758391
_wcslen.LIBCMT ref: 007583B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 007583F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00755BF2), ref: 0075844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00758487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 007584CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00758501
FreeLibrary.KERNEL32(?), ref: 0075850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0075851D
DestroyIcon.USER32(?,?,?,?,?,00755BF2), ref: 0075852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00758549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00758555

Strings

.icl, xrefs: 00758368
.dll, xrefs: 007583AB
.exe, xrefs: 00758388

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: bfde5d2ccec8cb1d21200bb2234a3e6b09fd571c57ac064c98ed00cbb8f8c89c
Instruction ID: fb62cbd9cc1bb00dcbb8bd912bbc36c671cfdff0a1980e6d26fce59ff84c77a9
Opcode Fuzzy Hash: bfde5d2ccec8cb1d21200bb2234a3e6b09fd571c57ac064c98ed00cbb8f8c89c
Instruction Fuzzy Hash: 8F61CD71900305BFEB549F64CC81BFE77A8AB04722F108509FC15E60D1EFB8A994CBA4

Function 006C7778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

", xrefs: 00705153
#include, xrefs: 006C7847
#include-once, xrefs: 006C782F
#cs, xrefs: 006C7873, 006C78C5
Cannot parse #include, xrefs: 00705279
#comments-start, xrefs: 006C785F, 006C78B1
#ce, xrefs: 006C78ED
', xrefs: 00705169
Unterminated group of comments, xrefs: 0070528C
#requireadmin, xrefs: 006C77FF
#notrayicon, xrefs: 006C77E7
Bad directive syntax error, xrefs: 0070519A
#comments-end, xrefs: 006C78D9
#OnAutoItStartRegister, xrefs: 006C7817
#pragma compile, xrefs: 006C77D3

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: e0b5e29781c6c2c389541abe72213dcba3f7a5c4ff0bc64675c17138479750f5
Instruction ID: 042238ec74e03a3ded276b16179526dc615211e24ef9e250f53c7dc5ae062b00
Opcode Fuzzy Hash: e0b5e29781c6c2c389541abe72213dcba3f7a5c4ff0bc64675c17138479750f5
Instruction Fuzzy Hash: F581E7B1645209BBDB20AF60CC42FBF37AAEF15300F04402DF905AB292EB74D915CBA5

Function 00733E79 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00733EF8
_wcslen.LIBCMT ref: 00733F03
_wcslen.LIBCMT ref: 00733F5A
_wcslen.LIBCMT ref: 00733F98
GetDriveTypeW.KERNEL32(?), ref: 00733FD6
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0073401E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00734059
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00734087

Strings

set cd door , xrefs: 00734028
close cd wait, xrefs: 00734072
open , xrefs: 00733FE5
open, xrefs: 00733F54, 00733F59
closed, xrefs: 00733F08, 00733F2D, 00733F46, 00733F7E, 00733F97
wait, xrefs: 00734044
close, xrefs: 00733EFE, 00733F18
type cdaudio alias cd wait, xrefs: 00734001

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: be0a667704750dc6602cabeeb5e3456908dc2464e568e2a95aba9691a10a2526
Instruction ID: 33a9ba4a3158a26156c7197903751dd84b3c37405aa5ed066ffd2860557d1484
Opcode Fuzzy Hash: be0a667704750dc6602cabeeb5e3456908dc2464e568e2a95aba9691a10a2526
Instruction Fuzzy Hash: B77112726043029FD324EF24C88097AB7F5EF94758F40492DF89697252EB38EE45CB91

Function 00725A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00725A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00725A40
SetWindowTextW.USER32(?,?), ref: 00725A57
GetDlgItem.USER32(?,000003EA), ref: 00725A6C
SetWindowTextW.USER32(00000000,?), ref: 00725A72
GetDlgItem.USER32(?,000003E9), ref: 00725A82
SetWindowTextW.USER32(00000000,?), ref: 00725A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00725AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00725AC3
GetWindowRect.USER32(?,?), ref: 00725ACC
_wcslen.LIBCMT ref: 00725B33
SetWindowTextW.USER32(?,?), ref: 00725B6F
GetDesktopWindow.USER32 ref: 00725B75
GetWindowRect.USER32(00000000), ref: 00725B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00725BD3
GetClientRect.USER32(?,?), ref: 00725BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00725C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00725C2F

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: fafe747b58cffacb3ac11e7cfd9649a76ee7fe9712a215ed3de340ee7c7684ac
Instruction ID: 7cb81ebbb1d97ec8fd808369d060f38542f344142bc93b2c611ff79be5720e4e
Opcode Fuzzy Hash: fafe747b58cffacb3ac11e7cfd9649a76ee7fe9712a215ed3de340ee7c7684ac
Instruction Fuzzy Hash: BD71BF71900B19EFDB21DFA8DE85BAEBBF5FF08705F104518E142A25A0D779E940CB10

Function 0073FE0E Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 0073FE27
LoadCursorW.USER32(00000000,00007F8A), ref: 0073FE32
LoadCursorW.USER32(00000000,00007F00), ref: 0073FE3D
LoadCursorW.USER32(00000000,00007F03), ref: 0073FE48
LoadCursorW.USER32(00000000,00007F8B), ref: 0073FE53
LoadCursorW.USER32(00000000,00007F01), ref: 0073FE5E
LoadCursorW.USER32(00000000,00007F81), ref: 0073FE69
LoadCursorW.USER32(00000000,00007F88), ref: 0073FE74
LoadCursorW.USER32(00000000,00007F80), ref: 0073FE7F
LoadCursorW.USER32(00000000,00007F86), ref: 0073FE8A
LoadCursorW.USER32(00000000,00007F83), ref: 0073FE95
LoadCursorW.USER32(00000000,00007F85), ref: 0073FEA0
LoadCursorW.USER32(00000000,00007F82), ref: 0073FEAB
LoadCursorW.USER32(00000000,00007F84), ref: 0073FEB6
LoadCursorW.USER32(00000000,00007F04), ref: 0073FEC1
LoadCursorW.USER32(00000000,00007F02), ref: 0073FECC
GetCursorInfo.USER32(?), ref: 0073FEDC
GetLastError.KERNEL32 ref: 0073FF1E

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: 19610a10a32db3aab1e23056ff932c3e509814c3db77c2247f23ace861f62d6e
Instruction ID: b8efcb9528e45aa63df219d23399e149963c66d674dbecf753fcd6c3c2e46966
Opcode Fuzzy Hash: 19610a10a32db3aab1e23056ff932c3e509814c3db77c2247f23ace861f62d6e
Instruction Fuzzy Hash: 444133B0D0431A6ADB109FBA8C85D5EBFE8FF04754B50452AE51DE7281DB78D901CE91

Function 007230F7 Relevance: 26.6, APIs: 8, Strings: 7, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0072318D
_wcslen.LIBCMT ref: 007231F8

Strings

[x, xrefs: 0072339A
CLASSNN, xrefs: 007231F3, 00723204
REGEXPCLASS, xrefs: 00723255, 00723266
INSTANCE, xrefs: 00723453
NAME, xrefs: 00723335, 00723346
TEXT, xrefs: 0072347C
CLASS, xrefs: 00723188, 007231A5

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT$[x
API String ID: 176396367-3202395760
Opcode ID: 19e57557a57ff0a7c793e7a34e8311aa29056d673ef92d8664714d7525907ddf
Instruction ID: d2bacf32337c5858b789ff2ad4c19c099ac2ee5177f516a898e50cac0c986eea
Opcode Fuzzy Hash: 19e57557a57ff0a7c793e7a34e8311aa29056d673ef92d8664714d7525907ddf
Instruction Fuzzy Hash: 8DE1E432A00626ABCB18EFB4D451BFDBBB1BF54710F54812AE456B7240DB3CAF858790

Function 006E00C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 006E00C6

Part of subcall function 006E00ED: InitializeCriticalSectionAndSpinCount.KERNEL32(0079070C,00000FA0,087D3AFA,?,?,?,?,007023B3,000000FF), ref: 006E011C
Part of subcall function 006E00ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,007023B3,000000FF), ref: 006E0127
Part of subcall function 006E00ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,007023B3,000000FF), ref: 006E0138
Part of subcall function 006E00ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 006E014E
Part of subcall function 006E00ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 006E015C
Part of subcall function 006E00ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 006E016A
Part of subcall function 006E00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 006E0195
Part of subcall function 006E00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 006E01A0

___scrt_fastfail.LIBCMT ref: 006E00E7

Part of subcall function 006E00A3: __onexit.LIBCMT ref: 006E00A9

Strings

InitializeConditionVariable, xrefs: 006E0148
WakeAllConditionVariable, xrefs: 006E0162
kernel32.dll, xrefs: 006E0133
api-ms-win-core-synch-l1-2-0.dll, xrefs: 006E0122
SleepConditionVariableCS, xrefs: 006E0154

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: ae9afeecfa0be087adde619e5b8a614fe455470bfe34d2b2f2de53c2a1ed48d1
Instruction ID: 2275e82068ca7b1ef2556a9a7c5f70934f84210f3c440e094ec019aaec80f8e6
Opcode Fuzzy Hash: ae9afeecfa0be087adde619e5b8a614fe455470bfe34d2b2f2de53c2a1ed48d1
Instruction Fuzzy Hash: 7A21F9B2A467546FFB115BF5AC05BEA33A5DB04B62F10413AF801A6391DFFC9C408AD8

Function 007344C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,0075CC08), ref: 00734527
_wcslen.LIBCMT ref: 0073453B
_wcslen.LIBCMT ref: 00734599
_wcslen.LIBCMT ref: 007345F4
_wcslen.LIBCMT ref: 0073463F
_wcslen.LIBCMT ref: 007346A7

Part of subcall function 006DF9F2: _wcslen.LIBCMT ref: 006DF9FD

GetDriveTypeW.KERNEL32(?,00786BF0,00000061), ref: 00734743

Strings

fixed, xrefs: 00734635, 0073463A
all, xrefs: 00734531, 00734536
unknown, xrefs: 00734708
network, xrefs: 0073469D, 007346A2
ramdisk, xrefs: 007346F1
cdrom, xrefs: 0073458F, 00734594
removable, xrefs: 007345EA, 007345EF

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 3030566bddeb006527a62e8579fccae1ba855daa09765a0a04d6422b57407250
Instruction ID: 2a844125841cfb3fe642f9b312c15eb9853267af42c06a62e9965fccf34037e9
Opcode Fuzzy Hash: 3030566bddeb006527a62e8579fccae1ba855daa09765a0a04d6422b57407250
Instruction Fuzzy Hash: D5B121716083029FD718DF28C891A7AB7E5FFA5724F50491DF496C7292D738E844CBA2

Function 0075911E Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 006D9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 006D9BB2

DragQueryPoint.SHELL32(?,?), ref: 00759147

Part of subcall function 00757674: ClientToScreen.USER32(?,?), ref: 0075769A
Part of subcall function 00757674: GetWindowRect.USER32(?,?), ref: 00757710
Part of subcall function 00757674: PtInRect.USER32(?,?,00758B89), ref: 00757720

SendMessageW.USER32(?,000000B0,?,?), ref: 007591B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 007591BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 007591DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00759225
SendMessageW.USER32(?,000000B0,?,?), ref: 0075923E
SendMessageW.USER32(?,000000B1,?,?), ref: 00759255
SendMessageW.USER32(?,000000B1,?,?), ref: 00759277
DragFinish.SHELL32(?), ref: 0075927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00759371

Strings

@GUI_DRAGID, xrefs: 007592E9
@GUI_DRAGFILE, xrefs: 00759320
@GUI_DROPID, xrefs: 0075929E
p#y, xrefs: 007592BB

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$p#y
API String ID: 221274066-1502668229
Opcode ID: 5ee12f146f4969dd6eff54646d5a17f04f678b5d3f5864cb3315e8f4bbca70c8
Instruction ID: 13528bc073288c66a430544e23e0ac03678e91dc348c0723c29a80ed9a6ef367
Opcode Fuzzy Hash: 5ee12f146f4969dd6eff54646d5a17f04f678b5d3f5864cb3315e8f4bbca70c8
Instruction Fuzzy Hash: 12619E71108301AFC701EF60DC89EAFBBE9EF89350F40492EF595931A1DB749A09CB66

Function 006C326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00791990), ref: 00702F8D
GetMenuItemCount.USER32(00791990), ref: 0070303D
GetCursorPos.USER32(?), ref: 00703081
SetForegroundWindow.USER32(00000000), ref: 0070308A
TrackPopupMenuEx.USER32(00791990,00000000,?,00000000,00000000,00000000), ref: 0070309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 007030A9

Strings

0, xrefs: 006C327D

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 8b29d63a1212e3d6dd2f62f1dd184c112f89ed531c65c90414bf9ebd48c4534f
Instruction ID: 8d0ab92c3b5d85263619180938c6a7cf3addd944d42573c5af99f06e535ec314
Opcode Fuzzy Hash: 8b29d63a1212e3d6dd2f62f1dd184c112f89ed531c65c90414bf9ebd48c4534f
Instruction Fuzzy Hash: 30710771640316FEEB219F64DC8DFAABFA9FF00364F204206F5156A2E1C7B9A951C750

Function 00756CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 00756DEB

Part of subcall function 006C6B57: _wcslen.LIBCMT ref: 006C6B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00756E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00756E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00756E94
DestroyWindow.USER32(?), ref: 00756EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,006C0000,00000000), ref: 00756EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00756EFD
GetDesktopWindow.USER32 ref: 00756F16
GetWindowRect.USER32(00000000), ref: 00756F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00756F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00756F4D

Part of subcall function 006D9944: GetWindowLongW.USER32(?,000000EB), ref: 006D9952

Strings

tooltips_class32, xrefs: 00756E58, 00756EDD
0, xrefs: 00756D98

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: 26d188e269bf5b5d1cae9d57c8d12b291b904c552e1d701a248494ee9c8cab6a
Instruction ID: 2b69dede6f7fecc1e299d2da8a881fc1a73d6488c7f32183ab2ee61b120358ca
Opcode Fuzzy Hash: 26d188e269bf5b5d1cae9d57c8d12b291b904c552e1d701a248494ee9c8cab6a
Instruction Fuzzy Hash: BD716C70504341AFDB21CF18D844FAABBE9FB89305F84455DF989872A0C7B8E90ACB15

Function 0073C476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0073C4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0073C4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0073C4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0073C4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0073C533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0073C549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0073C554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0073C584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0073C5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0073C5F0
InternetCloseHandle.WININET(00000000), ref: 0073C5FB

Strings

, xrefs: 0073C575

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 16a4b124cbe1572b2e59274efdff40004a1fc16663aeb0d765a4ecd2aacbe45d
Instruction ID: 8f994d235b6bcd76c70eb515098befe9e0681db122f009e773746799368c74b3
Opcode Fuzzy Hash: 16a4b124cbe1572b2e59274efdff40004a1fc16663aeb0d765a4ecd2aacbe45d
Instruction Fuzzy Hash: CE516BB1500308BFEB229F60CD88AAB7BBCFF08745F108419F945A6612DB78E954DB60

Function 0075856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 00758592
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 007585A2
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 007585AD
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 007585BA
GlobalLock.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 007585C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 007585D7
GlobalUnlock.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 007585E0
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 007585E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 007585F8
OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,0075FC38,?), ref: 00758611
GlobalFree.KERNEL32(00000000), ref: 00758621
GetObjectW.GDI32(?,00000018,?), ref: 00758641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00758671
DeleteObject.GDI32(?), ref: 00758699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 007586AF

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 12c6c767b8cbda942dbfb452a43570dc2aec8ccf8250fe8b4492632e9362607f
Instruction ID: 34378130754c227fdbc0c1b21ec667973763f51e08a82269e1413a3ba66376ac
Opcode Fuzzy Hash: 12c6c767b8cbda942dbfb452a43570dc2aec8ccf8250fe8b4492632e9362607f
Instruction Fuzzy Hash: 0F41FA75600308AFDB119FA5DC48EAA7BB8FF89712F108058F905E7260DBB89945CB65

Function 007314BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00731502
VariantCopy.OLEAUT32(?,?), ref: 0073150B
VariantClear.OLEAUT32(?), ref: 00731517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 007315FB
VarR8FromDec.OLEAUT32(?,?), ref: 00731657
VariantInit.OLEAUT32(?), ref: 00731708
SysFreeString.OLEAUT32(?), ref: 0073178C
VariantClear.OLEAUT32(?), ref: 007317D8
VariantClear.OLEAUT32(?), ref: 007317E7
VariantInit.OLEAUT32(00000000), ref: 00731823

Strings

Default, xrefs: 007316AF
%4d%02d%02d%02d%02d%02d, xrefs: 00731625

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: 57131c8495e976545de3a6667402622dcc02815f36ed6019b9814aab013a4910
Instruction ID: 23cce7cbd678631f46b67b7e6cfede0d5bf12bacaffaf1a7ab158f2669091e30
Opcode Fuzzy Hash: 57131c8495e976545de3a6667402622dcc02815f36ed6019b9814aab013a4910
Instruction Fuzzy Hash: AED11371A00205EBEB10DF65D885BBDB7B6FF44700F94845AF406AB282DB39EC51DB61

Function 0074B60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 006C9CB3: _wcslen.LIBCMT ref: 006C9CBD

Part of subcall function 0074C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0074B6AE,?,?), ref: 0074C9B5
Part of subcall function 0074C998: _wcslen.LIBCMT ref: 0074C9F1
Part of subcall function 0074C998: _wcslen.LIBCMT ref: 0074CA68
Part of subcall function 0074C998: _wcslen.LIBCMT ref: 0074CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0074B6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0074B772
RegDeleteValueW.ADVAPI32(?,?), ref: 0074B80A
RegCloseKey.ADVAPI32(?), ref: 0074B87E
RegCloseKey.ADVAPI32(?), ref: 0074B89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 0074B8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0074B904
RegDeleteKeyW.ADVAPI32(?,?), ref: 0074B922
FreeLibrary.KERNEL32(00000000), ref: 0074B983
RegCloseKey.ADVAPI32(00000000), ref: 0074B994

Strings

RegDeleteKeyExW, xrefs: 0074B8FE
advapi32.dll, xrefs: 0074B8ED

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: dc6e385729b976f4b59a4b6d3b458b17d4bd3094ac13571d917060cd1d544190
Instruction ID: aa5304d255cc71c7283c3043a14983645ec786b8277fb1c52a9dc64c5d9e7ac6
Opcode Fuzzy Hash: dc6e385729b976f4b59a4b6d3b458b17d4bd3094ac13571d917060cd1d544190
Instruction Fuzzy Hash: 3CC16C30208241EFD715DF24C495F2ABBE5EF84318F14845CE49A8B2A2CB79EC46CB95

Function 0074255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 007425D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 007425E8
CreateCompatibleDC.GDI32(?), ref: 007425F4
SelectObject.GDI32(00000000,?), ref: 00742601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 0074266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 007426AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 007426D0
SelectObject.GDI32(?,?), ref: 007426D8
DeleteObject.GDI32(?), ref: 007426E1
DeleteDC.GDI32(?), ref: 007426E8
ReleaseDC.USER32(00000000,?), ref: 007426F3

Strings

(, xrefs: 0074268D

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 851913c78f256e10252befafbae57c59897c37920cd1f83c178ea89ded1333ab
Instruction ID: d7291145a8abe018f75564c9d930ef3e731cc5c49f33e695b0c5cf6192ff7cd7
Opcode Fuzzy Hash: 851913c78f256e10252befafbae57c59897c37920cd1f83c178ea89ded1333ab
Instruction Fuzzy Hash: 8E6112B5D00309EFCF05CFA8C884AAEBBB6FF48310F208529E956A7251E774A951CF54

Function 006FDA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 006FDAA1

Part of subcall function 006FD63C: _free.LIBCMT ref: 006FD659
Part of subcall function 006FD63C: _free.LIBCMT ref: 006FD66B
Part of subcall function 006FD63C: _free.LIBCMT ref: 006FD67D
Part of subcall function 006FD63C: _free.LIBCMT ref: 006FD68F
Part of subcall function 006FD63C: _free.LIBCMT ref: 006FD6A1
Part of subcall function 006FD63C: _free.LIBCMT ref: 006FD6B3
Part of subcall function 006FD63C: _free.LIBCMT ref: 006FD6C5
Part of subcall function 006FD63C: _free.LIBCMT ref: 006FD6D7
Part of subcall function 006FD63C: _free.LIBCMT ref: 006FD6E9
Part of subcall function 006FD63C: _free.LIBCMT ref: 006FD6FB
Part of subcall function 006FD63C: _free.LIBCMT ref: 006FD70D
Part of subcall function 006FD63C: _free.LIBCMT ref: 006FD71F
Part of subcall function 006FD63C: _free.LIBCMT ref: 006FD731

_free.LIBCMT ref: 006FDA96

Part of subcall function 006F29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,006FD7D1,00000000,00000000,00000000,00000000,?,006FD7F8,00000000,00000007,00000000,?,006FDBF5,00000000), ref: 006F29DE
Part of subcall function 006F29C8: GetLastError.KERNEL32(00000000,?,006FD7D1,00000000,00000000,00000000,00000000,?,006FD7F8,00000000,00000007,00000000,?,006FDBF5,00000000,00000000), ref: 006F29F0

_free.LIBCMT ref: 006FDAB8
_free.LIBCMT ref: 006FDACD
_free.LIBCMT ref: 006FDAD8
_free.LIBCMT ref: 006FDAFA
_free.LIBCMT ref: 006FDB0D
_free.LIBCMT ref: 006FDB1B
_free.LIBCMT ref: 006FDB26
_free.LIBCMT ref: 006FDB5E
_free.LIBCMT ref: 006FDB65
_free.LIBCMT ref: 006FDB82
_free.LIBCMT ref: 006FDB9A

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 3fcd9a158f062e6507eb63ffbadf145c4e22d4b9bfc3aefd8491558108cc7376
Instruction ID: 16c68b6ac9150a35a286c0eddac8d2caadc5a30fec744fb43b6a57c9144168ac
Opcode Fuzzy Hash: 3fcd9a158f062e6507eb63ffbadf145c4e22d4b9bfc3aefd8491558108cc7376
Instruction Fuzzy Hash: 1A315A7164420E9FEB62AE39E845BBA77EBFF00711F11452DE648D7291DA71FC408B28

Function 0072365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0072369C
_wcslen.LIBCMT ref: 007236A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00723797
GetClassNameW.USER32(?,?,00000400), ref: 0072380C
GetDlgCtrlID.USER32(?), ref: 0072385D
GetWindowRect.USER32(?,?), ref: 00723882
GetParent.USER32(?), ref: 007238A0
ScreenToClient.USER32(00000000), ref: 007238A7
GetClassNameW.USER32(?,?,00000100), ref: 00723921
GetWindowTextW.USER32(?,?,00000400), ref: 0072395D

Strings

%s%u, xrefs: 00723734

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: 98512ef907bb26bb23056e0f8131795e1243ac7cb048fc6d17a30fe12314f34a
Instruction ID: 486d0e528e3f5bab03c2a41cd53c417608339b68a3c0f1e3a960acaab0c83346
Opcode Fuzzy Hash: 98512ef907bb26bb23056e0f8131795e1243ac7cb048fc6d17a30fe12314f34a
Instruction Fuzzy Hash: D491D071200726AFD719DF24D885BEAB7E9FF44314F008629F999C6190DB3CEA45CBA1

Function 00724954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00724994
GetWindowTextW.USER32(?,?,00000400), ref: 007249DA
_wcslen.LIBCMT ref: 007249EB
CharUpperBuffW.USER32(?,00000000), ref: 007249F7
_wcsstr.LIBVCRUNTIME ref: 00724A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00724A64
GetWindowTextW.USER32(?,?,00000400), ref: 00724A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00724AE6
GetClassNameW.USER32(?,?,00000400), ref: 00724B20
GetWindowRect.USER32(?,?), ref: 00724B8B

Strings

ThumbnailClass, xrefs: 00724A6F, 00724AF1

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: d7278c65ce50b77729f3e4bc6a1a56b5ad9798464ffa67b9547d345fb7f57b7e
Instruction ID: 2bbfed9e57659e9f3d6b368738ce40ab5a714328252488097d2590fb7cf7ae74
Opcode Fuzzy Hash: d7278c65ce50b77729f3e4bc6a1a56b5ad9798464ffa67b9547d345fb7f57b7e
Instruction Fuzzy Hash: 4E91ED720043169FDB05CF14E985FAA77E9FF84314F04846AFD859A096DB38EE45CBA1

Function 00758D0E Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006D9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 006D9BB2

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00758D5A
GetFocus.USER32 ref: 00758D6A
GetDlgCtrlID.USER32(00000000), ref: 00758D75
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 00758E1D
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00758ECF
GetMenuItemCount.USER32(?), ref: 00758EEC
GetMenuItemID.USER32(?,00000000), ref: 00758EFC
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00758F2E
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00758F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00758FA1

Strings

0, xrefs: 00758E9F

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: dc73528d4324998e92ff61c4be9a3e12bf29ab9bae0ca052631499262ea5c7fd
Instruction ID: 7b55144b89376c9507e6baf6d96dac535960c9ea8f40df961637e6a6c128f0eb
Opcode Fuzzy Hash: dc73528d4324998e92ff61c4be9a3e12bf29ab9bae0ca052631499262ea5c7fd
Instruction Fuzzy Hash: 9981CD71504301AFDB50CF24C885AEB7BEAFB88315F14091DFD95A7291DBB8D908CBA2

Function 0072BF30 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00791990,000000FF,00000000,00000030), ref: 0072BFAC
SetMenuItemInfoW.USER32(00791990,00000004,00000000,00000030), ref: 0072BFE1
Sleep.KERNEL32(000001F4), ref: 0072BFF3
GetMenuItemCount.USER32(?), ref: 0072C039
GetMenuItemID.USER32(?,00000000), ref: 0072C056
GetMenuItemID.USER32(?,-00000001), ref: 0072C082
GetMenuItemID.USER32(?,?), ref: 0072C0C9
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0072C10F
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0072C124
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0072C145

Strings

0, xrefs: 0072BF3D

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep
String ID: 0
API String ID: 1460738036-4108050209
Opcode ID: fcfaa364772fc7630fb7fd46011fc892c0b4d3b82a049d65e86ecba6b19ca04e
Instruction ID: 1d7f6baef2b3600ea05d845fc6b4161d09b031288e037fbd729cec4475b04bd2
Opcode Fuzzy Hash: fcfaa364772fc7630fb7fd46011fc892c0b4d3b82a049d65e86ecba6b19ca04e
Instruction Fuzzy Hash: E361C4B090036AEFDF22CF64ED89AEE7BB8EF15344F104055E911A3291D779AD25CB60

Function 0072DC0E Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 0072DC20
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 0072DC46
_wcslen.LIBCMT ref: 0072DC50
_wcsstr.LIBVCRUNTIME ref: 0072DCA0
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 0072DCBC

Strings

DefaultLangCodepage, xrefs: 0072DD1F
04090000, xrefs: 0072DCF2
StringFileInfo\, xrefs: 0072DC8F
\VarFileInfo\Translation, xrefs: 0072DCB4
%u.%u.%u.%u, xrefs: 0072DD9A

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: 79ac38bb829afd8b03db244466ea930a4ab6b76fc6bb58004f4ea511689e763c
Instruction ID: 68c79427a297265c225a53e585fabffa6e53a9ccf3acdd0c5b7ac5c8d09e1ed2
Opcode Fuzzy Hash: 79ac38bb829afd8b03db244466ea930a4ab6b76fc6bb58004f4ea511689e763c
Instruction Fuzzy Hash: 76410272A403117EDB51A7759C07EFF37ADEF45710F10006EF901A6182EA799E0087B8

Function 0074CC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0074CC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 0074CC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0074CD48

Part of subcall function 0074CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 0074CCAA
Part of subcall function 0074CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 0074CCBD
Part of subcall function 0074CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0074CCCF
Part of subcall function 0074CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0074CD05
Part of subcall function 0074CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0074CD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 0074CCF3

Strings

RegDeleteKeyExW, xrefs: 0074CCC9
advapi32.dll, xrefs: 0074CCB8

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: 014c5bd1b6593eba317ebb78a1638a394d23f17ab26c0e1d0067360df82ab781
Instruction ID: ebf3b468d6d69670c8a31bb307f18ea7e5257a45764f43401dee0fc35b354b6f
Opcode Fuzzy Hash: 014c5bd1b6593eba317ebb78a1638a394d23f17ab26c0e1d0067360df82ab781
Instruction Fuzzy Hash: 0A31A1B1E42228BFD7228B50DC88EFFBB7CEF01750F004065B906E2150DB788A45DAB4

Function 00733D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00733D40
_wcslen.LIBCMT ref: 00733D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 00733D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00733DBE
RemoveDirectoryW.KERNEL32(?), ref: 00733DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00733E55
CloseHandle.KERNEL32(00000000), ref: 00733E60
CloseHandle.KERNEL32(00000000), ref: 00733E6B

Strings

:, xrefs: 00733D82
\, xrefs: 00733D77
\??\%s, xrefs: 00733D5B

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: 513da619ce53a7d2ea82316826812da43b3dfea62137643d805f4130366d60ea
Instruction ID: 0e5baa9c33e6824a46f49b30e795c46a943331c6651dcef77a6fef6c22fd01b3
Opcode Fuzzy Hash: 513da619ce53a7d2ea82316826812da43b3dfea62137643d805f4130366d60ea
Instruction Fuzzy Hash: 3F319472A10349ABDB219BA0DC49FEF37BDEF88701F1041B5F609D6151EB7897848B68

Function 0072E6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0072E6B4

Part of subcall function 006DE551: timeGetTime.WINMM(?,?,0072E6D4), ref: 006DE555

Sleep.KERNEL32(0000000A), ref: 0072E6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 0072E705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0072E727
SetActiveWindow.USER32 ref: 0072E746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 0072E754
SendMessageW.USER32(00000010,00000000,00000000), ref: 0072E773
Sleep.KERNEL32(000000FA), ref: 0072E77E
IsWindow.USER32 ref: 0072E78A
EndDialog.USER32(00000000), ref: 0072E79B

Strings

BUTTON, xrefs: 0072E719

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 008008995d7e6a5600f22ccad0f07cf4c77ecce57f14382ddb525ece23eb28ea
Instruction ID: 0dc1c55bed84eda81b8ed3e02e58af9f7254546a3069e19728ad57d8e443aaaf
Opcode Fuzzy Hash: 008008995d7e6a5600f22ccad0f07cf4c77ecce57f14382ddb525ece23eb28ea
Instruction Fuzzy Hash: ED2184B0204315BFEB11AF60FC89B653B69F75474AB108426F50681AA2DBBD9C128A2C

Function 0072E9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 006C9CB3: _wcslen.LIBCMT ref: 006C9CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0072EA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0072EA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0072EA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0072EA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0072EAA7

Strings

play PlayMe, xrefs: 0072EAA2
open , xrefs: 0072EA0C
play PlayMe wait, xrefs: 0072EA91
close PlayMe, xrefs: 0072EA6E, 0072EA9B
status PlayMe mode, xrefs: 0072EA58
alias PlayMe, xrefs: 0072EA36

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: acd08b9716edf8d1781a342d8948a9dcdcce40350ee1f9d0a4debff48b9ecccf
Instruction ID: 7e3777757a924ccff02127ff6fe39106bcdeaca716ca31a15ed717117899ace1
Opcode Fuzzy Hash: acd08b9716edf8d1781a342d8948a9dcdcce40350ee1f9d0a4debff48b9ecccf
Instruction Fuzzy Hash: C6117CB1A9027979D720F7A1EC4AEFF6B7CEBD1B00F40442DB811A21D1EEB41A05C6B0

Function 00725CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00725CE2
GetWindowRect.USER32(00000000,?), ref: 00725CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00725D59
GetDlgItem.USER32(?,00000002), ref: 00725D69
GetWindowRect.USER32(00000000,?), ref: 00725D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00725DCF
GetDlgItem.USER32(?,000003E9), ref: 00725DDD
GetWindowRect.USER32(00000000,?), ref: 00725DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00725E31
GetDlgItem.USER32(?,000003EA), ref: 00725E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00725E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 00725E67

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 69c6232a2b960a4a84cb8309baedbe4a4741417ffd945245631fba88f4b3ac33
Instruction ID: 43933bacad649784f25f0efe71c3770a199a8f5823548c9215aa22b07e7b7f49
Opcode Fuzzy Hash: 69c6232a2b960a4a84cb8309baedbe4a4741417ffd945245631fba88f4b3ac33
Instruction Fuzzy Hash: 9051FD71B00715AFDB19CF68DD89AAEBBB5FB48301F148229F915E6290D7749E04CB50

Function 006D8BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 006D8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,006D8BE8,?,00000000,?,?,?,?,006D8BBA,00000000,?), ref: 006D8FC5

DestroyWindow.USER32(?), ref: 006D8C81
KillTimer.USER32(00000000,?,?,?,?,006D8BBA,00000000,?), ref: 006D8D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00716973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,006D8BBA,00000000,?), ref: 007169A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,006D8BBA,00000000,?), ref: 007169B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,006D8BBA,00000000), ref: 007169D4
DeleteObject.GDI32(00000000), ref: 007169E6

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 04051858b9bfd5ba9c9d8a56ba126ada1394cea015cc52a8500bda42bef0e936
Instruction ID: b0a53b9b3473d98eba6e7f96850492c3791562baa6266f0838b0a613684f002c
Opcode Fuzzy Hash: 04051858b9bfd5ba9c9d8a56ba126ada1394cea015cc52a8500bda42bef0e936
Instruction Fuzzy Hash: CF617D30911701DFDB269F18D948BA977B2FF40322F54851EE0429B6A0CB79B992DF98

Function 006D9838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 006D9944: GetWindowLongW.USER32(?,000000EB), ref: 006D9952

GetSysColor.USER32(0000000F), ref: 006D9862

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: fc87a11e2d5f29920b81c36d47703d9b784ff1c3b04983252114587bb2a83675
Instruction ID: be9751663b66e0055426c56e5bf3ea936aac3139dc2e4a2c5c424fedf538e918
Opcode Fuzzy Hash: fc87a11e2d5f29920b81c36d47703d9b784ff1c3b04983252114587bb2a83675
Instruction Fuzzy Hash: 0541A4319047449FDB215F389C84BF93B66EB06732F148A16F9A28B3E1D7759D42EB20

Function 006F8D45 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Strings

.n, xrefs: 006F903A, 006F8FD0, 006F8FF2

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID:
String ID: .n
API String ID: 0-61608593
Opcode ID: 092ff45ee60c3d081a9c326ed6d95c7b39a81709edb3337105309a61d7e07e47
Instruction ID: f757d893ce50f8aeb1c5d7200d0d27c97af6cea5273b97ef7154332da30c38b9
Opcode Fuzzy Hash: 092ff45ee60c3d081a9c326ed6d95c7b39a81709edb3337105309a61d7e07e47
Instruction Fuzzy Hash: 0DC1D075A0434DAFCB119FA9D841BFDBBB2AF09310F04409DE614A7392CB359A42CB65

Function 007296E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,0070F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00729717
LoadStringW.USER32(00000000,?,0070F7F8,00000001), ref: 00729720

Part of subcall function 006C9CB3: _wcslen.LIBCMT ref: 006C9CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,0070F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00729742
LoadStringW.USER32(00000000,?,0070F7F8,00000001), ref: 00729745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00729866

Strings

^ ERROR, xrefs: 007297FB
Line %d:, xrefs: 007297A0
Line %d (File "%s"):, xrefs: 0072978F
Error: , xrefs: 0072981D
%s (%d) : ==> %s: %s %s, xrefs: 0072984A

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 7b022ba81fa16ce2d20451bccf2e530740a0bf0bf71ff263ee1f40b7f8383d6c
Instruction ID: e9306d300c988150ce9dd3409848ce46e94dddcdae3a9800169bfb9b53fb74d4
Opcode Fuzzy Hash: 7b022ba81fa16ce2d20451bccf2e530740a0bf0bf71ff263ee1f40b7f8383d6c
Instruction Fuzzy Hash: 4C414B72900269AADB44FBE0DD86EFE7379EF14300F14452DB60572192EA396F48CB69

Function 007206DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 006C6B57: _wcslen.LIBCMT ref: 006C6B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 007207A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 007207BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 007207DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00720804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 0072082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00720837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0072083C

Strings

\CLSID, xrefs: 00720724
SOFTWARE\Classes\, xrefs: 0072070E
\IPC$, xrefs: 00720784

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: aba01545b8450d95b2c85bfd9ebe5254109adca25eb1ecdc6886d079cabaff92
Instruction ID: ef58265d5d42570d9f42255fca6a98ee15d68d34e1330ecc7e27b5fc30d43e19
Opcode Fuzzy Hash: aba01545b8450d95b2c85bfd9ebe5254109adca25eb1ecdc6886d079cabaff92
Instruction Fuzzy Hash: 4641F772C10229ABDF15EBA4DC95DFEB779FF04350B044129E905A32A1EB74AE04CBA4

Function 00743C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00743C5C
CoInitialize.OLE32(00000000), ref: 00743C8A
CoUninitialize.OLE32 ref: 00743C94
_wcslen.LIBCMT ref: 00743D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 00743DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 00743ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00743F0E
CoGetObject.OLE32(?,00000000,0075FB98,?), ref: 00743F2D
SetErrorMode.KERNEL32(00000000), ref: 00743F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00743FC4
VariantClear.OLEAUT32(?), ref: 00743FD8

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: 8ef8f6f2cec0b45bedcf3ad4902ddbff86698332158af2427e0a22462c40c866
Instruction ID: 83536db70832d57ff1b07d144a490bb6ba8babe78adfbf17bcb36ee2ac2c34b4
Opcode Fuzzy Hash: 8ef8f6f2cec0b45bedcf3ad4902ddbff86698332158af2427e0a22462c40c866
Instruction Fuzzy Hash: 91C156716083019FD700DF68C884A6BBBE9FF89744F10491DF98A9B251DB75EE05CBA2

Function 00737A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00737AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00737B8F
SHGetDesktopFolder.SHELL32(?), ref: 00737BA3
CoCreateInstance.OLE32(0075FD08,00000000,00000001,00786E6C,?), ref: 00737BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00737C74
CoTaskMemFree.OLE32(?,?), ref: 00737CCC
SHBrowseForFolderW.SHELL32(?), ref: 00737D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00737D7A
CoTaskMemFree.OLE32(00000000), ref: 00737D81
CoTaskMemFree.OLE32(00000000), ref: 00737DD6
CoUninitialize.OLE32 ref: 00737DDC

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: 9b6833548caba346482bbc9f7e7e0b1406489d40fca5e54a4854d81387cdcb4c
Instruction ID: 96aa9bbd7747b80e436361ce91fa0fe5d7be4f7b72898f034e4a2a83269c9720
Opcode Fuzzy Hash: 9b6833548caba346482bbc9f7e7e0b1406489d40fca5e54a4854d81387cdcb4c
Instruction Fuzzy Hash: E6C11975A04209AFDB14DFA4C884DAEBBF9FF48304F148499E815DB262D734ED41CB94

Function 0075541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00755504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00755515
CharNextW.USER32(00000158), ref: 00755544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00755585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 0075559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 007555AC

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: 2bb98bae0aac1a2283f189366928db7bc2fa806d51316a0129c8844b698037cc
Instruction ID: e892bd7743ee71715fe1ceb014d4766f782f9e595b70e4518750d35a4190789e
Opcode Fuzzy Hash: 2bb98bae0aac1a2283f189366928db7bc2fa806d51316a0129c8844b698037cc
Instruction Fuzzy Hash: 26618D30900649EFDF118F94CC94EFE7BB9EB09722F108145F925A6290D7BC9A89DB60

Function 0071FA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 0071FAAF
SafeArrayAllocData.OLEAUT32(?), ref: 0071FB08
VariantInit.OLEAUT32(?), ref: 0071FB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 0071FB3A
VariantCopy.OLEAUT32(?,?), ref: 0071FB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 0071FBA1
VariantClear.OLEAUT32(?), ref: 0071FBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 0071FBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0071FBCC
VariantClear.OLEAUT32(?), ref: 0071FBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0071FBE9

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 2e6f92517d5cc4bf2ad4b89b5814eb5f3462fdd7a7792a3fd692bfa1339a07f9
Instruction ID: 446f6b8e065c8d4e3b3e76574afc46240d4eab8de3a9132483b982148daa630b
Opcode Fuzzy Hash: 2e6f92517d5cc4bf2ad4b89b5814eb5f3462fdd7a7792a3fd692bfa1339a07f9
Instruction Fuzzy Hash: BE418174A00319DFCB11DF68C858EEDBBB9FF48355F00C029E905A72A1C778A946CBA4

Function 00729C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00729CA1
GetAsyncKeyState.USER32(000000A0), ref: 00729D22
GetKeyState.USER32(000000A0), ref: 00729D3D
GetAsyncKeyState.USER32(000000A1), ref: 00729D57
GetKeyState.USER32(000000A1), ref: 00729D6C
GetAsyncKeyState.USER32(00000011), ref: 00729D84
GetKeyState.USER32(00000011), ref: 00729D96
GetAsyncKeyState.USER32(00000012), ref: 00729DAE
GetKeyState.USER32(00000012), ref: 00729DC0
GetAsyncKeyState.USER32(0000005B), ref: 00729DD8
GetKeyState.USER32(0000005B), ref: 00729DEA

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: fbc96732cac40ac88f08fd185ff94877fe26cd7f45f3b2849f55c1eeb1ace729
Instruction ID: 5fb720665d681e64bb5671e7ab0f54f8692eae33ad865787005ffa4522d4aaa6
Opcode Fuzzy Hash: fbc96732cac40ac88f08fd185ff94877fe26cd7f45f3b2849f55c1eeb1ace729
Instruction Fuzzy Hash: 2141B534A047D96DFF719670A8043F5BEA0AF11344F0C805ADBC6566C2EBED99C8D7A2

Function 0074055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 007405BC
inet_addr.WSOCK32(?), ref: 0074061C
gethostbyname.WSOCK32(?), ref: 00740628
IcmpCreateFile.IPHLPAPI ref: 00740636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 007406C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 007406E5
IcmpCloseHandle.IPHLPAPI(?), ref: 007407B9
WSACleanup.WSOCK32 ref: 007407BF

Strings

Ping, xrefs: 00740676

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 85fa6429cf6d7f25c18ad8e65d841397c061da20ea5ef199fa755e59a3bc04ed
Instruction ID: 1a60117fe9ca12f804a6bf8950f2c0b439468f9ce27b4a0bdac3a7713e9a78c8
Opcode Fuzzy Hash: 85fa6429cf6d7f25c18ad8e65d841397c061da20ea5ef199fa755e59a3bc04ed
Instruction Fuzzy Hash: C4918B355043019FD721DF15C488F1ABBE1EF44318F1585A9E56A8B6A2C778EC41CFD2

Function 00748CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00748CF3

Part of subcall function 00728E54: _wcslen.LIBCMT ref: 00728E77

_wcslen.LIBCMT ref: 00748D4E
_wcslen.LIBCMT ref: 00748D9C
_wcslen.LIBCMT ref: 00748DDC
_wcslen.LIBCMT ref: 00748E6E

Strings

none, xrefs: 00748E65, 00748E6A
cdecl, xrefs: 00748D48, 00748D4D
stdcall, xrefs: 00748DD6, 00748DDB
winapi, xrefs: 00748D96, 00748D9B

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: b90716ad4bd0919ac18ec267a63ab2bb4ca12cde3eb55bfd416d6d34e2cc23b0
Instruction ID: 3eb357c3057a467bd4c3da8cb1135ee0eab81edb3d394271de27394a5e7e9bb4
Opcode Fuzzy Hash: b90716ad4bd0919ac18ec267a63ab2bb4ca12cde3eb55bfd416d6d34e2cc23b0
Instruction Fuzzy Hash: B451A131A0112A9BCB54EF68C9409BEB7A6BF64324B20422DE426E7285DF39DD40CBD1

Function 0074372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00743774
CoUninitialize.OLE32 ref: 0074377F
CoCreateInstance.OLE32(?,00000000,00000017,0075FB78,?), ref: 007437D9
IIDFromString.OLE32(?,?), ref: 0074384C
VariantInit.OLEAUT32(?), ref: 007438E4
VariantClear.OLEAUT32(?), ref: 00743936

Strings

NULL Pointer assignment, xrefs: 0074381E
Failed to create object, xrefs: 007437E4, 0074389A
Invalid parameter, xrefs: 00743865

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: b26381e210487806d0af8b3a676a8516be0766d9cc5aa63fb0a0be84167bbb7a
Instruction ID: 46d90028007b63adaa79192bea235376d22f6bf54830a7b6d83bbafc6455f226
Opcode Fuzzy Hash: b26381e210487806d0af8b3a676a8516be0766d9cc5aa63fb0a0be84167bbb7a
Instruction Fuzzy Hash: D561A1B0608301AFD311DF54C889F6ABBE8EF49715F10490DF5999B291C778EE48CBA6

Function 00758B02 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006D9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 006D9BB2

Part of subcall function 006D912D: GetCursorPos.USER32(?), ref: 006D9141
Part of subcall function 006D912D: ScreenToClient.USER32(00000000,?), ref: 006D915E
Part of subcall function 006D912D: GetAsyncKeyState.USER32(00000001), ref: 006D9183
Part of subcall function 006D912D: GetAsyncKeyState.USER32(00000002), ref: 006D919D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 00758B6B
ImageList_EndDrag.COMCTL32 ref: 00758B71
ReleaseCapture.USER32 ref: 00758B77
SetWindowTextW.USER32(?,00000000), ref: 00758C12
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00758C25
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 00758CFF

Strings

@GUI_DRAGFILE, xrefs: 00758C9A
p#y, xrefs: 00758C71
@GUI_DROPID, xrefs: 00758C51

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID$p#y
API String ID: 1924731296-1432282549
Opcode ID: 0069f56435f956f18f357e6ceea049c6923069084969e190ecb6771261f1f1be
Instruction ID: e3ca6deccf4a63347acffd8e6938a043096778cf1cc7f716c16c842352e6274b
Opcode Fuzzy Hash: 0069f56435f956f18f357e6ceea049c6923069084969e190ecb6771261f1f1be
Instruction Fuzzy Hash: D051BF70104300AFD744EF10DC5AFAA77E5FB84715F40062EF956672E1DBB8A918CB66

Function 00733388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 007333CF

Part of subcall function 006C9CB3: _wcslen.LIBCMT ref: 006C9CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 007333F0

Strings

^ ERROR , xrefs: 0073349E
"%s" (%d) : ==> %s:%s%s, xrefs: 00733504
Line %d (File "%s"):, xrefs: 00733443, 0073345C
Error: , xrefs: 007334D1
"%s" (%d) : ==> %s:, xrefs: 00733522
Incorrect parameters to object property !, xrefs: 007334AB

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: eb1f8c86819eb6e2f06e47191cbb0764717e9b45a16800950af6411936cfb9b4
Instruction ID: 3390cc24e5b400b738b6be34867647af4a1b698a55c5d3a27f51a4dc6e28e6fa
Opcode Fuzzy Hash: eb1f8c86819eb6e2f06e47191cbb0764717e9b45a16800950af6411936cfb9b4
Instruction Fuzzy Hash: 6351B071900259BADF15EBA0DD46EFEB779EF04340F20816AF50972152EB392F68CB64

Function 0072B5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 0072B5FC
_wcslen.LIBCMT ref: 0072B608
_wcslen.LIBCMT ref: 0072B64D
_wcslen.LIBCMT ref: 0072B68C
_wcslen.LIBCMT ref: 0072B6C7

Strings

APPEND, xrefs: 0072B6C1, 0072B6C6
REMOVE, xrefs: 0072B602, 0072B607
KEYS, xrefs: 0072B647, 0072B64C
EXISTS, xrefs: 0072B686, 0072B68B

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: bc5de892617ee792862aedbdcd9b7c97ecd2d773535a532d99f9f1f5b63818b0
Instruction ID: 5f01516eb33eec0340160e30bb1c4c6eacf14e70312758ad0161cf8843787b69
Opcode Fuzzy Hash: bc5de892617ee792862aedbdcd9b7c97ecd2d773535a532d99f9f1f5b63818b0
Instruction Fuzzy Hash: 4041B532A011379BCB206F7D99905BE77A5FFA0B54B24422AE462DB284E739CD81C790

Function 00735393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 007353A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00735416
GetLastError.KERNEL32 ref: 00735420
SetErrorMode.KERNEL32(00000000,READY), ref: 007354A7

Strings

INVALID, xrefs: 00735459
READY, xrefs: 00735460, 00735468
NOTREADY, xrefs: 0073544B
UNKNOWN, xrefs: 00735444
READONLY, xrefs: 00735452

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: e6c900bde03394abd6cbcfc96e50f5c5a7b1d610d39f007d34f2df47013bc936
Instruction ID: 964c405cf77af588a54d6ae3ea0282ccab7089d056863723faf1a32b26405c51
Opcode Fuzzy Hash: e6c900bde03394abd6cbcfc96e50f5c5a7b1d610d39f007d34f2df47013bc936
Instruction Fuzzy Hash: B231B275A006489FEB18DF68C484FAA7BB4FF04305F148069E805CB293DB79DD82CBA0

Function 00753C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00753C79
SetMenu.USER32(?,00000000), ref: 00753C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00753D10
IsMenu.USER32(?), ref: 00753D24
CreatePopupMenu.USER32 ref: 00753D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00753D5B
DrawMenuBar.USER32 ref: 00753D63

Strings

0, xrefs: 00753C54
F, xrefs: 00753D4E

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: 90d7f2cea22a1306ea29eb179dba5e908b74513775063bfe4fe76c1cd806e879
Instruction ID: 87c8fd7662afc95f1ecac37209663a757eaca63011bcc12973ff895566079218
Opcode Fuzzy Hash: 90d7f2cea22a1306ea29eb179dba5e908b74513775063bfe4fe76c1cd806e879
Instruction Fuzzy Hash: B1417975A01309AFDB14CFA4D844BEA7BB5FF49392F144029ED0697360D7B8AA14CF94

Function 00721EDF Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006C9CB3: _wcslen.LIBCMT ref: 006C9CBD

Part of subcall function 00723CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00723CCA

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 00721F64
GetDlgCtrlID.USER32 ref: 00721F6F
GetParent.USER32 ref: 00721F8B
SendMessageW.USER32(00000000,?,00000111,?), ref: 00721F8E
GetDlgCtrlID.USER32(?), ref: 00721F97
GetParent.USER32(?), ref: 00721FAB
SendMessageW.USER32(00000000,?,00000111,?), ref: 00721FAE

Strings

ComboBox, xrefs: 00721EEC
ListBox, xrefs: 00721F21

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 5665541e2f17b9724aa4ee95adfea95ff54cc483ca99343b63e869499178ec64
Instruction ID: 67299f7260ffd48b4eb091db15ae9d6e1c1fbedaf941339b0230becb442879eb
Opcode Fuzzy Hash: 5665541e2f17b9724aa4ee95adfea95ff54cc483ca99343b63e869499178ec64
Instruction Fuzzy Hash: F721B070900224BFCF05AFA0DC99EFEBBB9EF19310B004599B96167291CB7C5A14DB74

Function 00753A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00753A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00753AA0
GetWindowLongW.USER32(?,000000F0), ref: 00753AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00753AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00753B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00753BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00753BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00753BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00753BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00753C13

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: 3e05efea440c980ddc24919578e6b69dd052bc7c41cc0acd91c2db125eff1aae
Instruction ID: ca0530b5c5df5aa48fc9d53444ad271e5f8cf0f5e3df86a490d6336e748ba5c1
Opcode Fuzzy Hash: 3e05efea440c980ddc24919578e6b69dd052bc7c41cc0acd91c2db125eff1aae
Instruction Fuzzy Hash: F7618E75900248AFDB11DF68CC81EEE77F8EB09710F104199FA15E72A1C7B8AE45DB60

Function 006F2C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 006F2C94

Part of subcall function 006F29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,006FD7D1,00000000,00000000,00000000,00000000,?,006FD7F8,00000000,00000007,00000000,?,006FDBF5,00000000), ref: 006F29DE
Part of subcall function 006F29C8: GetLastError.KERNEL32(00000000,?,006FD7D1,00000000,00000000,00000000,00000000,?,006FD7F8,00000000,00000007,00000000,?,006FDBF5,00000000,00000000), ref: 006F29F0

_free.LIBCMT ref: 006F2CA0
_free.LIBCMT ref: 006F2CAB
_free.LIBCMT ref: 006F2CB6
_free.LIBCMT ref: 006F2CC1
_free.LIBCMT ref: 006F2CCC
_free.LIBCMT ref: 006F2CD7
_free.LIBCMT ref: 006F2CE2
_free.LIBCMT ref: 006F2CED
_free.LIBCMT ref: 006F2CFB

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 2c5bf4f25e9b270fd45b2f47df2b56d86ea7cbbdb3ca524e591bac25772812ec
Instruction ID: 7789424ce5f1bfa7d7bbd3bb3e7ade1e3c9e100896547b90f936194057342c30
Opcode Fuzzy Hash: 2c5bf4f25e9b270fd45b2f47df2b56d86ea7cbbdb3ca524e591bac25772812ec
Instruction Fuzzy Hash: 1111D77614010EAFCB42EF55D852CED3BA6FF05750F4144A8FA485F222D671EE509F94

Function 006C1410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 006C1459
OleUninitialize.OLE32(?,00000000), ref: 006C14F8
UnregisterHotKey.USER32(?), ref: 006C16DD
DestroyWindow.USER32(?), ref: 007024B9
FreeLibrary.KERNEL32(?), ref: 0070251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0070254B

Strings

close all, xrefs: 006C1454

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 3b685a3c4dd286b8654d9ffc9b2824b249eda6629d576fc0363513eeb8ead8c6
Instruction ID: 6533ea6255ce288719fbe82a5fc1bdd0f6ff198430af8462ef0a1056ec099108
Opcode Fuzzy Hash: 3b685a3c4dd286b8654d9ffc9b2824b249eda6629d576fc0363513eeb8ead8c6
Instruction Fuzzy Hash: 55D11731601212CFDB19EF15C899F69F7A6FF06700F1442ADE44A6B292DB35AD22CF58

Function 00737DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00737FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00737FC1
GetFileAttributesW.KERNEL32(?), ref: 00737FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 00738005
SetCurrentDirectoryW.KERNEL32(?), ref: 00738017
SetCurrentDirectoryW.KERNEL32(?), ref: 00738060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 007380B0

Strings

*.*, xrefs: 00738066

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: cf4dc5056a90ca70fefd9fcb9c8cecca59ab3b645f08f2abaf20b3aaf3788b3e
Instruction ID: 3cebe5f3a1598229e991603ba1358ac1716347da5ae1abae0b6a3fb7696e95f4
Opcode Fuzzy Hash: cf4dc5056a90ca70fefd9fcb9c8cecca59ab3b645f08f2abaf20b3aaf3788b3e
Instruction Fuzzy Hash: 3381B0B25483459BEB38EF14C484AAAB3E9BF88310F54485EF885C7252EB38DD45CB52

Function 006C5BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 006C5C7A

Part of subcall function 006C5D0A: GetClientRect.USER32(?,?), ref: 006C5D30
Part of subcall function 006C5D0A: GetWindowRect.USER32(?,?), ref: 006C5D71
Part of subcall function 006C5D0A: ScreenToClient.USER32(?,?), ref: 006C5D99

GetDC.USER32 ref: 007046F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00704708
SelectObject.GDI32(00000000,00000000), ref: 00704716
SelectObject.GDI32(00000000,00000000), ref: 0070472B
ReleaseDC.USER32(?,00000000), ref: 00704733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 007047C4

Strings

U, xrefs: 00704693

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: a01770fa08d0cd1b9aee1dfdb5d7492ef1c5d36dfd45359a8e4615d72566ada7
Instruction ID: e812c8de81ba72a3a7268be0456b4b1c67642efe494db421db3cd614ffac0d0a
Opcode Fuzzy Hash: a01770fa08d0cd1b9aee1dfdb5d7492ef1c5d36dfd45359a8e4615d72566ada7
Instruction Fuzzy Hash: 5171BD70400205DFCF218F64CD84AFA3BF2FF4A361F14426AEE565A2A6D3399881DF50

Function 0073359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 007335E4

Part of subcall function 006C9CB3: _wcslen.LIBCMT ref: 006C9CBD

LoadStringW.USER32(00792390,?,00000FFF,?), ref: 0073360A

Strings

^ ERROR, xrefs: 007336C9
"%s" (%d) : ==> %s:%s%s, xrefs: 00733724
Line %d (File "%s"):, xrefs: 0073366B
Error: , xrefs: 007336EF
"%s" (%d) : ==> %s:, xrefs: 00733742

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: e9d338bb8933289585f1162bb1f3e2d8e7f131806263f87b8bd4b06682a60c0e
Instruction ID: 8887b7ab1fa6cee545fb5b38d7befdceece9c16bde3c9383aa522ec8d082e3a8
Opcode Fuzzy Hash: e9d338bb8933289585f1162bb1f3e2d8e7f131806263f87b8bd4b06682a60c0e
Instruction Fuzzy Hash: 92517EB180025ABADF15EBA0DC46EFDBB39EF04300F144129F105721A2DB391B99DBA8

Function 0073C253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0073C272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0073C29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0073C2CA
GetLastError.KERNEL32 ref: 0073C322
SetEvent.KERNEL32(?), ref: 0073C336
InternetCloseHandle.WININET(00000000), ref: 0073C341

Strings

, xrefs: 0073C2BB

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 6e65d67b258a90454a07c0351e2e5a2702a6bd874ec997c39be3cebb65e1206d
Instruction ID: feaaeb0665ebc490fcbbcacedf6642695a5a74d0207453b2bab59f4c96e8ea59
Opcode Fuzzy Hash: 6e65d67b258a90454a07c0351e2e5a2702a6bd874ec997c39be3cebb65e1206d
Instruction Fuzzy Hash: 58317FB1600308AFE7229F64CC88AAB7BFCEB49744F14851DF446E7202DB79DD059B66

Function 0072989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00703AAF,?,?,Bad directive syntax error,0075CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 007298BC
LoadStringW.USER32(00000000,?,00703AAF,?), ref: 007298C3

Part of subcall function 006C9CB3: _wcslen.LIBCMT ref: 006C9CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00729987

Strings

., xrefs: 0072996D
Error: , xrefs: 00729955
Line %d:, xrefs: 00729912
Line %d (File "%s"):, xrefs: 0072992D
%s (%d) : ==> %s.: %s %s, xrefs: 007298F1

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: bb23cc570e3e72345f9fad959cc63bdf08c07130e8ed7a5558b2440677d26718
Instruction ID: 2e7d4c854125f19ed8220f6b2d93f39d4a9bc9164b0c40d1cea1336e35b992b0
Opcode Fuzzy Hash: bb23cc570e3e72345f9fad959cc63bdf08c07130e8ed7a5558b2440677d26718
Instruction Fuzzy Hash: F2216F7194026ABBCF15AF90DC0AFED7776FF18300F04441EF519660A2DA75A658CB64

Function 0072209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 007220AB
GetClassNameW.USER32(00000000,?,00000100), ref: 007220C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0072214D

Strings

details, xrefs: 007220FB
SHELLDLL_DefView, xrefs: 007220CC
list, xrefs: 0072212F
largeicons, xrefs: 007220E1
smallicons, xrefs: 00722115

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: 08437b16b7f1acfd037f21f2b392cb3ff0c67acc75a018303f70e8916d9f9092
Instruction ID: fab0c917c1a0945d2d047159bb62efa1751de3f9ae90a4140a8048ecec895fbf
Opcode Fuzzy Hash: 08437b16b7f1acfd037f21f2b392cb3ff0c67acc75a018303f70e8916d9f9092
Instruction Fuzzy Hash: 73110ABA6C471AB9F6013625EC06DE63B9CDF14324B20012AF704A50D2FEADDC23561C

Function 006FCE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 006FCEB7
_free.LIBCMT ref: 006FCF22
_free.LIBCMT ref: 006FCF48
_free.LIBCMT ref: 006FCF71
_free.LIBCMT ref: 006FCFA9
_free.LIBCMT ref: 006FCFDA
_free.LIBCMT ref: 006FD01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 006FD09C
_free.LIBCMT ref: 006FD0B5

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: c8caacbb31799e829e4b5ea5800aa55b1541acae9a7c68ff59caf87f21469d19
Instruction ID: 0af8feb64038baa1f83371c2a3b1127f9ccc853b9389884b6da354eaad290571
Opcode Fuzzy Hash: c8caacbb31799e829e4b5ea5800aa55b1541acae9a7c68ff59caf87f21469d19
Instruction Fuzzy Hash: 74614A71A0530DAFDB21AFB49951ABABBA7EF05320F04416EFB4197381DB359D018794

Function 007550D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00755186
ShowWindow.USER32(?,00000000), ref: 007551C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 007551CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 007551D1

Part of subcall function 00756FBA: DeleteObject.GDI32(00000000), ref: 00756FE6

GetWindowLongW.USER32(?,000000F0), ref: 0075520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 0075521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 0075524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00755287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00755296

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: 6fe891f3b39e9b6cc4a6dda17014a9d8cc8e26cf9acb08cce4c85c68b707cff3
Instruction ID: 2e61a5a86841ed91c54f3edb101e080502cb52aae6ad794a882ae1474c1e27cc
Opcode Fuzzy Hash: 6fe891f3b39e9b6cc4a6dda17014a9d8cc8e26cf9acb08cce4c85c68b707cff3
Instruction Fuzzy Hash: E1519270A50A08FEEF209F28CC59BD93BA5FB05322F148116FD15966E0C7FDA998DB41

Function 006D8B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00716890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 007168A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 007168B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 007168D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 007168F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,006D8874,00000000,00000000,00000000,000000FF,00000000), ref: 00716901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0071691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,006D8874,00000000,00000000,00000000,000000FF,00000000), ref: 0071692D

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: bfa0e3811de4d425cb7b70eacdd5c7c68ed5ae7df95db42c0555e07b0a452a0c
Instruction ID: 68fe9961e79fd33feb8d0ecd833cca6ec1bdc4627c7a90e8732cc55bc0e87cb9
Opcode Fuzzy Hash: bfa0e3811de4d425cb7b70eacdd5c7c68ed5ae7df95db42c0555e07b0a452a0c
Instruction Fuzzy Hash: D4519B70A00309EFDB20CF28CC95FAA7BB6EB58761F10451AF912972E0DB74E991DB50

Function 0073C143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0073C182
GetLastError.KERNEL32 ref: 0073C195
SetEvent.KERNEL32(?), ref: 0073C1A9

Part of subcall function 0073C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0073C272
Part of subcall function 0073C253: GetLastError.KERNEL32 ref: 0073C322
Part of subcall function 0073C253: SetEvent.KERNEL32(?), ref: 0073C336
Part of subcall function 0073C253: InternetCloseHandle.WININET(00000000), ref: 0073C341

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: 1d3a63416c9f522ae9e9ce5219b79340b028e34b5fa1ebce691c5e8cfa79c481
Instruction ID: f0ad82853d1aa1d692c4facc6648e72709ffa14116d5b524ee0624e5f5dae4a5
Opcode Fuzzy Hash: 1d3a63416c9f522ae9e9ce5219b79340b028e34b5fa1ebce691c5e8cfa79c481
Instruction Fuzzy Hash: 17318F71200705EFEB229FA5DC44AA7BBF8FF18301F04841DF956A6612D779E814EB60

Function 007225A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00723A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00723A57
Part of subcall function 00723A3D: GetCurrentThreadId.KERNEL32 ref: 00723A5E
Part of subcall function 00723A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,007225B3), ref: 00723A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 007225BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 007225DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 007225DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 007225E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00722601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00722605
MapVirtualKeyW.USER32(00000025,00000000), ref: 0072260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00722623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00722627

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: be2d28ac28da0cf5b8f2b3c4aa9e0884101590fa4515bdf3317a9b53a5a8a6a0
Instruction ID: 62b0a01cc68eb39f2a59dff3fdde9ebae202a7e383e6c3d462774f411afd61ba
Opcode Fuzzy Hash: be2d28ac28da0cf5b8f2b3c4aa9e0884101590fa4515bdf3317a9b53a5a8a6a0
Instruction Fuzzy Hash: 27012430380724BBFB1067689C8EF993F99DB4EB12F104012F318AE0D1C9FA68408A6D

Function 00721803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00721449,?,?,00000000), ref: 0072180C
HeapAlloc.KERNEL32(00000000,?,00721449,?,?,00000000), ref: 00721813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00721449,?,?,00000000), ref: 00721828
GetCurrentProcess.KERNEL32(?,00000000,?,00721449,?,?,00000000), ref: 00721830
DuplicateHandle.KERNEL32(00000000,?,00721449,?,?,00000000), ref: 00721833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00721449,?,?,00000000), ref: 00721843
GetCurrentProcess.KERNEL32(00721449,00000000,?,00721449,?,?,00000000), ref: 0072184B
DuplicateHandle.KERNEL32(00000000,?,00721449,?,?,00000000), ref: 0072184E
CreateThread.KERNEL32(00000000,00000000,00721874,00000000,00000000,00000000), ref: 00721868

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 83157cf0c9c31bca12d7d05d107128c5e06fb940bfed7cca8318d444e66bd68d
Instruction ID: 0bf57b4d7c13501531edc6a45e905651fe77f4f1f16680d34b06684e1caa046a
Opcode Fuzzy Hash: 83157cf0c9c31bca12d7d05d107128c5e06fb940bfed7cca8318d444e66bd68d
Instruction Fuzzy Hash: 2601BFB5640748BFE711AB75DC4EF9B3BACEB89B11F418411FA05DB191CAB49C40CB24

Function 006F3E80 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 006F3F0B
__alldvrm.LIBCMT ref: 006F410C
__alldvrm.LIBCMT ref: 006F412E

Strings

}}n, xrefs: 006F3E8A
}}n, xrefs: 006F40CD
}}n, xrefs: 006F3E96, 006F3EF1, 006F3F0A, 006F4090

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID: }}n$}}n$}}n
API String ID: 1036877536-3958929660
Opcode ID: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction ID: 91f22f552450684773c8a417768cfa652dbc28358744d69216cd8b6c4b76cb48
Opcode Fuzzy Hash: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction Fuzzy Hash: 01A14971E0539A9FD721CF18C8917BFBBE6EF61350F14426DE6859B781CA388981C750

Function 0074A0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 0072D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 0072D501
Part of subcall function 0072D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 0072D50F
Part of subcall function 0072D4DC: CloseHandle.KERNEL32(00000000), ref: 0072D5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0074A16D
GetLastError.KERNEL32 ref: 0074A180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0074A1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 0074A268
GetLastError.KERNEL32(00000000), ref: 0074A273
CloseHandle.KERNEL32(00000000), ref: 0074A2C4

Strings

SeDebugPrivilege, xrefs: 0074A18F

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 40f74cbd0df4e5e3cf754e4cad278120f9b467c23a145f2746864dfab76283ac
Instruction ID: af37c49bfcc32cfd90950c35355fbcdf36432879926e896615a5ae5a893693de
Opcode Fuzzy Hash: 40f74cbd0df4e5e3cf754e4cad278120f9b467c23a145f2746864dfab76283ac
Instruction Fuzzy Hash: D4619F71244242AFD720DF14C494F2ABBE1BF94318F14849CE46A4B7A3C7BAED45CB96

Function 00753886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00753925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 0075393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00753954
_wcslen.LIBCMT ref: 00753999
SendMessageW.USER32(?,00001057,00000000,?), ref: 007539C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 007539F4

Strings

SysListView32, xrefs: 007538F7

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: 599b294fd7328ae0d2937e25647c6aae065a0c20bcefc6a7031c7baa29f73c46
Instruction ID: 4c6a742fa23a7db037c4805ef03568e563a07b5bfdd26f8a98a8fcc6f9f7ee19
Opcode Fuzzy Hash: 599b294fd7328ae0d2937e25647c6aae065a0c20bcefc6a7031c7baa29f73c46
Instruction Fuzzy Hash: DA41D671A00309ABEF219F64CC49FEA77A9EF08355F10052AF954E7191D7B9AE84CB90

Function 0072BC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0072BCFD
IsMenu.USER32(00000000), ref: 0072BD1D
CreatePopupMenu.USER32 ref: 0072BD53
GetMenuItemCount.USER32(00E35A80), ref: 0072BDA4
InsertMenuItemW.USER32(00E35A80,?,00000001,00000030), ref: 0072BDCC

Strings

2, xrefs: 0072BD37
0, xrefs: 0072BCA8

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: c747dc826a090fbc23030c720f7cb9cead3f2ee0baea92b043912818be882c15
Instruction ID: c822c04125bf1d093211414b2d6ad1da3d35788ac29125c60c6ead9ac69d3fe2
Opcode Fuzzy Hash: c747dc826a090fbc23030c720f7cb9cead3f2ee0baea92b043912818be882c15
Instruction Fuzzy Hash: CB51AD70B00325DBDB11CFA8E888BEEBBF4BF45314F248159E45197291E778A941CBA1

Function 006E2D20 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 006E2D4B
___except_validate_context_record.LIBVCRUNTIME ref: 006E2D53
_ValidateLocalCookies.LIBCMT ref: 006E2DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 006E2E0C
_ValidateLocalCookies.LIBCMT ref: 006E2E61

Strings

&Hn, xrefs: 006E2DFE, 006E2E07, 006E2E18
csm, xrefs: 006E2DF6

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: &Hn$csm
API String ID: 1170836740-3078436630
Opcode ID: 091e888b43480b6387c69b0fe4ff52666116931342c622e45559c5fab369d64a
Instruction ID: 8131a79500f06136c79bd80a2a8f629f30cb4468f93ff6994fe300b046ed53eb
Opcode Fuzzy Hash: 091e888b43480b6387c69b0fe4ff52666116931342c622e45559c5fab369d64a
Instruction Fuzzy Hash: ED41E334A0235A9BCF10DF6ACC55ADEBBABBF44314F148155E9146B392D771AA01CBD0

Function 0072C874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 0072C913

Strings

warning, xrefs: 0072C8FC
blank, xrefs: 0072C895
question, xrefs: 0072C8CC
stop, xrefs: 0072C8E4
info, xrefs: 0072C8B4

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: ecd3959cbbba7da562f1c260411e6851e65779b0600f14c47144874c608721a1
Instruction ID: 4b9bd6e73aab1a9ff9d9f91b6f9e4d1b33a4dc8a51a29c48f96f310a0682ee17
Opcode Fuzzy Hash: ecd3959cbbba7da562f1c260411e6851e65779b0600f14c47144874c608721a1
Instruction Fuzzy Hash: 96113D31689356BEE7026B55BC83DAE279CDF35324B10403EF500A7182EBBC6E4053AC

Function 0072DE27 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 0072DE42
gethostname.WSOCK32(?,00000100), ref: 0072DE5C
gethostbyname.WSOCK32(?), ref: 0072DE69
inet_ntoa.WSOCK32(?), ref: 0072DEAB
_strcat.LIBCMT ref: 0072DEB9
WSACleanup.WSOCK32 ref: 0072DEDE

Strings

0.0.0.0, xrefs: 0072DE87

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: 005fada1846b1e3613a7bc190aac2125df8793f9264ed2c49edf172faa40a953
Instruction ID: 79bd8474228694b67c974b9b596ca17b1287cf2e2a63068e9e93ede2c7ec7a11
Opcode Fuzzy Hash: 005fada1846b1e3613a7bc190aac2125df8793f9264ed2c49edf172faa40a953
Instruction Fuzzy Hash: B0112971D04324AFDB71BB70EC0AEEE77ADDF14711F010169F445A6092EFB99E818A64

Function 0072ED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 0072ED2A
_wcslen.LIBCMT ref: 0072ED3B
_wcslen.LIBCMT ref: 0072ED79
_wcslen.LIBCMT ref: 0072EDAF
_wcslen.LIBCMT ref: 0072EDDF
_wcslen.LIBCMT ref: 0072EDEF
_wcslen.LIBCMT ref: 0072EE2B
_wcslen.LIBCMT ref: 0072EE5A

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: 6aa8a617c232fba5979adf3136b1f7a3ca3ac2cf269de9e238d6a8a87fcd771b
Instruction ID: 38902725df2fc47c7e4c20fbeca0f315be10a1655b8e4e159dd08dbff45410e3
Opcode Fuzzy Hash: 6aa8a617c232fba5979adf3136b1f7a3ca3ac2cf269de9e238d6a8a87fcd771b
Instruction Fuzzy Hash: C041B365C1126879CB51EBB5C88A9CFB3A9AF05300F00846AF614F3122FB34D345C3EA

Function 006DF8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0071682C,00000004,00000000,00000000), ref: 006DF953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,0071682C,00000004,00000000,00000000), ref: 0071F3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0071682C,00000004,00000000,00000000), ref: 0071F454

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 8ebe6df85c69e7c89a9fe51f22ee23ef6a5114a72ccc95f96946a5ae22ca0ad0
Instruction ID: ffd497af741cd04bc39255f366b1352c031c3109ee829dc9e5bf8e1571ab3548
Opcode Fuzzy Hash: 8ebe6df85c69e7c89a9fe51f22ee23ef6a5114a72ccc95f96946a5ae22ca0ad0
Instruction Fuzzy Hash: 7D412B30D047C0BEC7398B2D88A87EA7B93AB46310F14843EF4475A7A0C67AA8C1C791

Function 00752D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00752D1B
GetDC.USER32(00000000), ref: 00752D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00752D2E
ReleaseDC.USER32(00000000,00000000), ref: 00752D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00752D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00752D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00755A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00752DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00752DE1

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 63d44969f6f8c789e573598ff97b1ae59a3ab57f137305c0b002968211588f8e
Instruction ID: 482a7cd44880d9706db2c56a2507f9c388a95917558eed0561aeb663651bd072
Opcode Fuzzy Hash: 63d44969f6f8c789e573598ff97b1ae59a3ab57f137305c0b002968211588f8e
Instruction Fuzzy Hash: E0317F72201314BFEB154F50CC8AFEB3BA9EF0A716F048055FE089A291C6B99C51CBA4

Function 00725622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00725637
_memcmp.LIBVCRUNTIME ref: 00725659
_memcmp.LIBVCRUNTIME ref: 00725671
_memcmp.LIBVCRUNTIME ref: 00725684
_memcmp.LIBVCRUNTIME ref: 0072569E
_memcmp.LIBVCRUNTIME ref: 007256B1
_memcmp.LIBVCRUNTIME ref: 007256C9
_memcmp.LIBVCRUNTIME ref: 007256E4

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 772d251140c33dc06bc97aa92ec754a0c3b1e47826005ea7c258280fe9fcf79e
Instruction ID: dadd3f5dba13decd07c672294a161bd4601c52be89adceb555ce58156ac965b0
Opcode Fuzzy Hash: 772d251140c33dc06bc97aa92ec754a0c3b1e47826005ea7c258280fe9fcf79e
Instruction Fuzzy Hash: C4214CB1641A6477D21495216D92FFB335DAF11781F440038FD045E641FB7CED1482B8

Function 00744FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 0074502E, 00745383
Not an Object type, xrefs: 00745007

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: ace4ea8aaaf90f4d3ed6902c9b1f97dd685f7c2112cbd7577c201d6153a6df74
Instruction ID: 24f956d473c5fa523373b64cf5110b0ec4d4035726d38ef7a791165543ddb1a9
Opcode Fuzzy Hash: ace4ea8aaaf90f4d3ed6902c9b1f97dd685f7c2112cbd7577c201d6153a6df74
Instruction Fuzzy Hash: 61D1B475A0070AAFDF10CFA8C885FAEB7B5BF48344F148069E915AB292E774DD45CB90

Function 00701522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,007017FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 007015CE
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,007017FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00701651
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,007017FB,?,007017FB,00000000,00000000,?,00000000,?,?,?,?), ref: 007016E4
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,007017FB,00000000,00000000,?,00000000,?,?,?,?), ref: 007016FB

Part of subcall function 006F3820: RtlAllocateHeap.NTDLL(00000000,?,00791444,?,006DFDF5,?,?,006CA976,00000010,00791440,006C13FC,?,006C13C6,?,006C1129), ref: 006F3852

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,007017FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00701777
__freea.LIBCMT ref: 007017A2
__freea.LIBCMT ref: 007017AE

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: 390d65bdc74d1de6063897df45cf5ecb3d48c4073782f3f4f7fdeede0221fd61
Instruction ID: 19f1c01331e5bc98b2a595c19f437967f3cef9d610379e5b9b5ece62988f8407
Opcode Fuzzy Hash: 390d65bdc74d1de6063897df45cf5ecb3d48c4073782f3f4f7fdeede0221fd61
Instruction Fuzzy Hash: B7919172E00216DEDB218EB4CC85AEE7BF5AF49750F984769E901EB1C1DB29DD40CB60

Function 00744523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00744648
VariantInit.OLEAUT32(?), ref: 00744749
VariantClear.OLEAUT32(?), ref: 00744753
VariantClear.OLEAUT32(?), ref: 007447B0

Strings

Incorrect Object type in FOR..IN loop, xrefs: 0074472C
Null Object assignment in FOR..IN loop, xrefs: 007445D8, 00744706, 007447BE

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 592704bd016975b7dc94e8f23365b1af9de82d087a5b9231d1641f1230b7777b
Instruction ID: b32ca80575b9a20592fa000b780851bc576cff1e63cef22ec8b3d050ad67fa8a
Opcode Fuzzy Hash: 592704bd016975b7dc94e8f23365b1af9de82d087a5b9231d1641f1230b7777b
Instruction Fuzzy Hash: D0919F71A00219AFDF25CFA4CC88FAEBBB8EF46714F108559F515AB280D7789941DFA0

Function 00731187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 0073125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00731284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 007312A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 007312D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 0073135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 007313C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00731430

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: 31e392c5896a2a6d6559ebbeafdda4f762c5076412405393ed3dad70b6e65e94
Instruction ID: d0752a1997060aa3c4d28d349ee993e032dcfe67b18cfa6ca1e0608cc4965726
Opcode Fuzzy Hash: 31e392c5896a2a6d6559ebbeafdda4f762c5076412405393ed3dad70b6e65e94
Instruction Fuzzy Hash: BA91D272A003199FEB01DF94C894BFEB7B5FF44325F508029E911EB292D778A941CB94

Function 006D948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: d8eaf60e2588c5c71d5383fcbe8c613c40776f6b60d4553b2ec8241939a27d86
Instruction ID: 2473177928009141ca74c465af80621592ad5c2aebe4ce85f441e69f13fb2ec5
Opcode Fuzzy Hash: d8eaf60e2588c5c71d5383fcbe8c613c40776f6b60d4553b2ec8241939a27d86
Instruction Fuzzy Hash: 33911771D00219AFCB15CFA9CC84AEEBBB9FF49320F14855AE515B7291D378A942CB60

Function 00743947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0074396B
CharUpperBuffW.USER32(?,?), ref: 00743A7A
_wcslen.LIBCMT ref: 00743A8A
VariantClear.OLEAUT32(?), ref: 00743C1F

Part of subcall function 00730CDF: VariantInit.OLEAUT32(00000000), ref: 00730D1F
Part of subcall function 00730CDF: VariantCopy.OLEAUT32(?,?), ref: 00730D28
Part of subcall function 00730CDF: VariantClear.OLEAUT32(?), ref: 00730D34

Strings

AUTOIT.ERROR, xrefs: 00743A80, 00743A85
Incorrect Parameter format, xrefs: 007439A6, 00743BA1

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: ba331bea37178ce33b377fbbb365d6396c65ccb128039edf7fb6a4ffef74c749
Instruction ID: edee5d80f149e87f8295a2398a5b0f32a27e32931e00f6f154579c7f4ab4f560
Opcode Fuzzy Hash: ba331bea37178ce33b377fbbb365d6396c65ccb128039edf7fb6a4ffef74c749
Instruction Fuzzy Hash: E99168746083059FCB04EF24C485A6AB7E5FF88314F14892EF89A9B351DB34EE05CB96

Function 00744BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 0072000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0071FF41,80070057,?,?,?,0072035E), ref: 0072002B
Part of subcall function 0072000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0071FF41,80070057,?,?), ref: 00720046
Part of subcall function 0072000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0071FF41,80070057,?,?), ref: 00720054
Part of subcall function 0072000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0071FF41,80070057,?), ref: 00720064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00744C51
_wcslen.LIBCMT ref: 00744D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00744DCF
CoTaskMemFree.OLE32(?), ref: 00744DDA

Strings

NULL Pointer assignment, xrefs: 00744E23, 00744E52

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: 28c08349afab51795f353290ca66ea25798787d03911e557d294a16afe51548b
Instruction ID: 92c2f44b6cd89789fa708024e6ff01c6aae2a536bafe82f446930ce5f1742316
Opcode Fuzzy Hash: 28c08349afab51795f353290ca66ea25798787d03911e557d294a16afe51548b
Instruction Fuzzy Hash: D8912471D0022DAFDF14DFA4C891EEEB7B9FF08314F10856AE915A7241EB749A449FA0

Function 006CBBE0 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 232COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 006CBEB3

Strings

H, xrefs: 006CBBE6
D%y, xrefs: 006CBDED, 006CBD91, 006CBD1B
D%yD%y, xrefs: 006CBCA5
D%y, xrefs: 006CBE9A
D%y, xrefs: 006CBCA2

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: D%y$D%y$D%y$D%yD%y$H
API String ID: 1385522511-2120541454
Opcode ID: b7e28e6ea158cc0c5c0e693f3a3b19f629f18b633c4f5b8562f15e7c661a0fea
Instruction ID: f3d15b1d102cbe291e5106e8ed2ec36960467dc3f2d2f32edb2fca9eedcec1d6
Opcode Fuzzy Hash: b7e28e6ea158cc0c5c0e693f3a3b19f629f18b633c4f5b8562f15e7c661a0fea
Instruction Fuzzy Hash: 24912A75A0020ADFCB14CF59C092ABAB7F2FF58314F24916ED946AB351D771AD82CB90

Function 007520FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00752183
GetMenuItemCount.USER32(00000000), ref: 007521B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 007521DD
_wcslen.LIBCMT ref: 00752213
GetMenuItemID.USER32(?,?), ref: 0075224D
GetSubMenu.USER32(?,?), ref: 0075225B

Part of subcall function 00723A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00723A57
Part of subcall function 00723A3D: GetCurrentThreadId.KERNEL32 ref: 00723A5E
Part of subcall function 00723A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,007225B3), ref: 00723A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 007522E3

Part of subcall function 0072E97B: Sleep.KERNELBASE ref: 0072E9F3

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: ae3979d7da606353913da76370acd07037de11771a228b501615721173ecc977
Instruction ID: 02255b37d8d0e74415be721444195a06229cbc60bf5ca9e95e82b4e9659c7be8
Opcode Fuzzy Hash: ae3979d7da606353913da76370acd07037de11771a228b501615721173ecc977
Instruction Fuzzy Hash: C9719035A00205AFCB10DF64C845AEEB7F2FF49321F158459E816EB352DB78EE428B90

Function 00757E9E Relevance: 10.7, APIs: 7, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(00E358A0), ref: 00757F37
IsWindowEnabled.USER32(00E358A0), ref: 00757F43
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 0075801E
SendMessageW.USER32(00E358A0,000000B0,?,?), ref: 00758051
IsDlgButtonChecked.USER32(?,?), ref: 00758089
GetWindowLongW.USER32(00E358A0,000000EC), ref: 007580AB
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 007580C3

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 897d9235e7b7ba665656f4c29d0f8e4a2dadafafcddac63f032be6235d607504
Instruction ID: 9e0b51cdb6577edcd99a38439efe97c8ff03b9c77cba9947b94db393c1febb36
Opcode Fuzzy Hash: 897d9235e7b7ba665656f4c29d0f8e4a2dadafafcddac63f032be6235d607504
Instruction Fuzzy Hash: 8471C134608204AFEF25DF54DC84FEA7BB5EF09302F144459ED45972A1CBB9AD4ACB11

Function 0072AEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0072AEF9
GetKeyboardState.USER32(?), ref: 0072AF0E
SetKeyboardState.USER32(?), ref: 0072AF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 0072AF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 0072AFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 0072AFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 0072B020

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: b7f3592154fb2e6cccb01335ae7bae2edd687551ed7222e2ba91fcfce000b489
Instruction ID: c50f9a3f450634a2a68576a33c2c8e91910ec70ce2dd9a9c92b65131c8630067
Opcode Fuzzy Hash: b7f3592154fb2e6cccb01335ae7bae2edd687551ed7222e2ba91fcfce000b489
Instruction Fuzzy Hash: 3551C1A0A047E57EFB3742349949BBABFE96B06304F088489E1E9558C2D3DCEDC4D751

Function 0072ACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 0072AD19
GetKeyboardState.USER32(?), ref: 0072AD2E
SetKeyboardState.USER32(?), ref: 0072AD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 0072ADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 0072ADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 0072AE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 0072AE38

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 164fb574de5b98b7438238a6150b541707d63629d066e0e882f96d7b7f84e30d
Instruction ID: 3f05cd69ce2e1931ab0c80399d3589f4af7040bb4e45c4f0ecb815f7987f57cb
Opcode Fuzzy Hash: 164fb574de5b98b7438238a6150b541707d63629d066e0e882f96d7b7f84e30d
Instruction Fuzzy Hash: 1251E6A1A047E57EFB3383349C56B7ABED8AB45300F088488E1D5568C3D29CED85D752

Function 006F542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00703CD6,?,?,?,?,?,?,?,?,006F5BA3,?,?,00703CD6,?,?), ref: 006F5470
__fassign.LIBCMT ref: 006F54EB
__fassign.LIBCMT ref: 006F5506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00703CD6,00000005,00000000,00000000), ref: 006F552C
WriteFile.KERNEL32(?,00703CD6,00000000,006F5BA3,00000000,?,?,?,?,?,?,?,?,?,006F5BA3,?), ref: 006F554B
WriteFile.KERNEL32(?,?,00000001,006F5BA3,00000000,?,?,?,?,?,?,?,?,?,006F5BA3,?), ref: 006F5584

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 399bbfa583a46bfe97a10ddd62abb8fafe7567efa0f4294d90afe0aac1bed47e
Instruction ID: 068e2f9a7ae3a2cfaae9f9e3e69225ab542c37bcb6221e5e251160a8cb51fdba
Opcode Fuzzy Hash: 399bbfa583a46bfe97a10ddd62abb8fafe7567efa0f4294d90afe0aac1bed47e
Instruction Fuzzy Hash: B151C0B1A0074D9FDB11CFA8D845AEEBBFAEF08300F14415AE656E7291E7709E41CB64

Function 007410B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0074304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0074307A
Part of subcall function 0074304E: _wcslen.LIBCMT ref: 0074309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00741112
WSAGetLastError.WSOCK32 ref: 00741121
WSAGetLastError.WSOCK32 ref: 007411C9
closesocket.WSOCK32(00000000), ref: 007411F9

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: 4c20bc5932f70206878cc7a65b10512b97f4c6fcfe6f865e53395d100b27db92
Instruction ID: bb34e2ce3af49cab44a4d893192c44295467319a7ecc92d789d87e8a6d491eca
Opcode Fuzzy Hash: 4c20bc5932f70206878cc7a65b10512b97f4c6fcfe6f865e53395d100b27db92
Instruction Fuzzy Hash: 56410531600208AFDB10EF24C884BA9BBEAEF45324F54805DFD199B291D778ED81CBE5

Function 0072CF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0072DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0072CF22,?), ref: 0072DDFD

Part of subcall function 0072DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0072CF22,?), ref: 0072DE16

lstrcmpiW.KERNEL32(?,?), ref: 0072CF45
MoveFileW.KERNEL32(?,?), ref: 0072CF7F
_wcslen.LIBCMT ref: 0072D005
_wcslen.LIBCMT ref: 0072D01B
SHFileOperationW.SHELL32(?), ref: 0072D061

Strings

\*.*, xrefs: 0072CFF3

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: 654cca5c340507bc0217350a0edf4ca44d3b9ec44207643d92f24b8bf21f40b4
Instruction ID: 4a9eb231884fed9301bf8cd7c468b931f518e157b5456f74183405a2d788160e
Opcode Fuzzy Hash: 654cca5c340507bc0217350a0edf4ca44d3b9ec44207643d92f24b8bf21f40b4
Instruction Fuzzy Hash: 024158729452289FDF13EBA4DA85EDD77B9AF18340F1000EAE545EB141EA38AB44CB54

Function 00752DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00752E1C
GetWindowLongW.USER32(?,000000F0), ref: 00752E4F
GetWindowLongW.USER32(?,000000F0), ref: 00752E84
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00752EB6
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00752EE0
GetWindowLongW.USER32(?,000000F0), ref: 00752EF1
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00752F0B

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: af2b82f9201aa77abab94f0d29a11082762ebb3c6ce51adcdd3c40e4e60e183b
Instruction ID: e3b1a92f38d72711da357527199c18c77aa80136364c33deb343cb6432256e66
Opcode Fuzzy Hash: af2b82f9201aa77abab94f0d29a11082762ebb3c6ce51adcdd3c40e4e60e183b
Instruction Fuzzy Hash: 1C311A306042819FDB22CF58DC89FA537E0EB4A722F1541A5F9008F2B2C7B9B856DB44

Function 00727726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00727769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0072778F
SysAllocString.OLEAUT32(00000000), ref: 00727792
SysAllocString.OLEAUT32(?), ref: 007277B0
SysFreeString.OLEAUT32(?), ref: 007277B9
StringFromGUID2.OLE32(?,?,00000028), ref: 007277DE
SysAllocString.OLEAUT32(?), ref: 007277EC

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 77e0abb09f3c3e5154c07f2800d94998d53a488b8ad80604564d7d8b5c7fb272
Instruction ID: b9d31085fbe3437f9d0493445a13fe29199b7aff6725f8c99c1ce77862d498a6
Opcode Fuzzy Hash: 77e0abb09f3c3e5154c07f2800d94998d53a488b8ad80604564d7d8b5c7fb272
Instruction Fuzzy Hash: DE21B076604329AFDB14DFA8DD88DFB77ACEB093647008025FA05DB250D6B8DC41C764

Function 007277FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00727842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00727868
SysAllocString.OLEAUT32(00000000), ref: 0072786B
SysAllocString.OLEAUT32 ref: 0072788C
SysFreeString.OLEAUT32 ref: 00727895
StringFromGUID2.OLE32(?,?,00000028), ref: 007278AF
SysAllocString.OLEAUT32(?), ref: 007278BD

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: b65de34520caad0cbe47c3ccd79198aac2ceedadf479475b8255f7952486cc2b
Instruction ID: 69ac55ebd74fc59bf9ffe1381f4b61f23ff66c76f00129230af809026e4018fa
Opcode Fuzzy Hash: b65de34520caad0cbe47c3ccd79198aac2ceedadf479475b8255f7952486cc2b
Instruction Fuzzy Hash: FF21A471604324BFDB149FA9DC88DAA77ECEB083607108125F915CB2A1D678DC41CB68

Function 007304D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 007304F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0073052E

Strings

nul, xrefs: 00730567

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 6ee12d927b334c7f5f20858a06e535fb69c291f061751252186cf29aee6b542c
Instruction ID: d933aac48a004e1b5afafcc9c534b81f4b44bed9a31c4ef3d338315a0bcc913c
Opcode Fuzzy Hash: 6ee12d927b334c7f5f20858a06e535fb69c291f061751252186cf29aee6b542c
Instruction Fuzzy Hash: 12216D75500305AFEB209F29DC58F9A77A4BF45724F204A19F8A1D62E1D7B49960CFA0

Function 007305A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 007305C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00730601

Strings

nul, xrefs: 00730639

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 4fd812f675a4eb89ee06f9dd7b7788c278128054e29bcd0202a1ef17e8d7fccd
Instruction ID: 1227f61d3e9433471bbd459e7c65782e632d794505f65f85149a47c50d8bdc1e
Opcode Fuzzy Hash: 4fd812f675a4eb89ee06f9dd7b7788c278128054e29bcd0202a1ef17e8d7fccd
Instruction Fuzzy Hash: 3F21B275500305DFEB209F69CC19A9A77F8BF85B20F204A19F8A1E72E5D7B49860CB94

Function 007540AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006C600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 006C604C
Part of subcall function 006C600E: GetStockObject.GDI32(00000011), ref: 006C6060
Part of subcall function 006C600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 006C606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00754112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0075411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0075412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00754139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00754145

Strings

Msctls_Progress32, xrefs: 007540E3

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 35f97539ec11ff43838e14ab95287793b3066a3fb574d2ecc05ae21ffbebfd30
Instruction ID: e880e4ac357a0750ae9c7db79ab1bac6c5a99f193fea5625817f68a30a1a958c
Opcode Fuzzy Hash: 35f97539ec11ff43838e14ab95287793b3066a3fb574d2ecc05ae21ffbebfd30
Instruction Fuzzy Hash: 4F11B2B214021DBEEF119F64CC85EE77F9DEF08798F104111BA18A2090C6B6DC62DBA4

Function 006FD7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 006FD7A3: _free.LIBCMT ref: 006FD7CC

_free.LIBCMT ref: 006FD82D

Part of subcall function 006F29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,006FD7D1,00000000,00000000,00000000,00000000,?,006FD7F8,00000000,00000007,00000000,?,006FDBF5,00000000), ref: 006F29DE
Part of subcall function 006F29C8: GetLastError.KERNEL32(00000000,?,006FD7D1,00000000,00000000,00000000,00000000,?,006FD7F8,00000000,00000007,00000000,?,006FDBF5,00000000,00000000), ref: 006F29F0

_free.LIBCMT ref: 006FD838
_free.LIBCMT ref: 006FD843
_free.LIBCMT ref: 006FD897
_free.LIBCMT ref: 006FD8A2
_free.LIBCMT ref: 006FD8AD
_free.LIBCMT ref: 006FD8B8

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: 747e1961cfd0b67d47ed020b073260e3d7e34d524eb31d6e75a3d3914ffdceb1
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: AC115171580B0DAAD5A1BFB1CC47FEB7BDF6F00700F40082DB399AA0A2DA65F5054A54

Function 0072DA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0072DA74
LoadStringW.USER32(00000000), ref: 0072DA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0072DA91
LoadStringW.USER32(00000000), ref: 0072DA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0072DADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 0072DAB9

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: 794d638726fa2d39e8caa4b1842f11c0a8eb9e3605000eaf27698c7e5106ad0e
Instruction ID: 7e92732373fe926209597015193899a1e6f1fe7c0f1162e0a898dead63995e66
Opcode Fuzzy Hash: 794d638726fa2d39e8caa4b1842f11c0a8eb9e3605000eaf27698c7e5106ad0e
Instruction Fuzzy Hash: 2B0136F65003187FE711EBA49D89FEB776CE708706F4084A5B746E2041EAB89E848F74

Function 0073096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(00E33F30,00E33F30), ref: 0073097B
EnterCriticalSection.KERNEL32(00E33F10,00000000), ref: 0073098D
TerminateThread.KERNEL32(?,000001F6), ref: 0073099B
WaitForSingleObject.KERNEL32(?,000003E8), ref: 007309A9
CloseHandle.KERNEL32(?), ref: 007309B8
InterlockedExchange.KERNEL32(00E33F30,000001F6), ref: 007309C8
LeaveCriticalSection.KERNEL32(00E33F10), ref: 007309CF

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 15299fb7b3c4cb36ceaaf1791fc3ad8fe2ec23667343f6ac538c9e862e1a6a13
Instruction ID: 7fa513aee151264fe26313b3131e8a0511f4b6d4302cb3966c209b6e1908b526
Opcode Fuzzy Hash: 15299fb7b3c4cb36ceaaf1791fc3ad8fe2ec23667343f6ac538c9e862e1a6a13
Instruction Fuzzy Hash: 36F01D32442B02AFE7425B94EE8DBDA7A25FF01702F405015F102508A1CBB8A465CF94

Function 006F22A0 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 006F22BE

Part of subcall function 006F29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,006FD7D1,00000000,00000000,00000000,00000000,?,006FD7F8,00000000,00000007,00000000,?,006FDBF5,00000000), ref: 006F29DE
Part of subcall function 006F29C8: GetLastError.KERNEL32(00000000,?,006FD7D1,00000000,00000000,00000000,00000000,?,006FD7F8,00000000,00000007,00000000,?,006FDBF5,00000000,00000000), ref: 006F29F0

_free.LIBCMT ref: 006F22D0
_free.LIBCMT ref: 006F22E3
_free.LIBCMT ref: 006F22F4
_free.LIBCMT ref: 006F2305

Strings

X, xrefs: 006F22A0, 006F22AF, 006F22C4

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID: X
API String ID: 776569668-1677210272
Opcode ID: fc05aaa82f2d511a7b2c7b21a4c759d41c82614a5b72dcbfca6cf87aef51050e
Instruction ID: 69c3ce707cc33627a7b697f4865704931e0601e3b49d7ab0bc6e3eb68713f8b2
Opcode Fuzzy Hash: fc05aaa82f2d511a7b2c7b21a4c759d41c82614a5b72dcbfca6cf87aef51050e
Instruction Fuzzy Hash: 09F03A719D01278B8653BF55BC128683B66BB18B60740850BF514D73B1C77C0A22AFEC

Function 00741C60 Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00741DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00741DE1
WSAGetLastError.WSOCK32 ref: 00741DF2
htons.WSOCK32(?,?,?,?,?), ref: 00741EDB
inet_ntoa.WSOCK32(?), ref: 00741E8C

Part of subcall function 007239E8: _strlen.LIBCMT ref: 007239F2

Part of subcall function 00743224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,0073EC0C), ref: 00743240

_strlen.LIBCMT ref: 00741F35

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: c666cd6ef86cd3394b6932abe1d82d8669c7cfe5ea8d3fedb7b00d296e4be1f7
Instruction ID: 1ef69c84bed2fde0964f1ea5b83c5352b5f452731341c1759685a9660f4a0810
Opcode Fuzzy Hash: c666cd6ef86cd3394b6932abe1d82d8669c7cfe5ea8d3fedb7b00d296e4be1f7
Instruction Fuzzy Hash: 9FB1CF31604340AFD324EF24C885F2A7BE6EF84318F94894CF4565B2A2DB75ED86CB95

Function 006C5D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 006C5D30
GetWindowRect.USER32(?,?), ref: 006C5D71
ScreenToClient.USER32(?,?), ref: 006C5D99
GetClientRect.USER32(?,?), ref: 006C5ED7
GetWindowRect.USER32(?,?), ref: 006C5EF8

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 5f588f383c188bb22cec7c16b614614abefa76f41b845aac0ae965ad31e118f9
Instruction ID: 103d9c74933b92a07c2a36ca23a0453461fea99753b3aa6f0b874e5626b56dac
Opcode Fuzzy Hash: 5f588f383c188bb22cec7c16b614614abefa76f41b845aac0ae965ad31e118f9
Instruction Fuzzy Hash: 04B16C74A0074ADBDB14CFA8C840BFAB7F1FF58310F14851AE9AAD7290D734AA91DB54

Function 006F01B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 006F00BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 006F00D6
__allrem.LIBCMT ref: 006F00ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 006F010B
__allrem.LIBCMT ref: 006F0122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 006F0140

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction ID: 0f0c0729a0c6d6715afd1fb9e555269d7ac5a804f451f2297d449cc09ffc1478
Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction Fuzzy Hash: A281E672601B0A9BE7209F69CC41BBA73EAAF41724F24463EF651D6782EB70D9008B54

Function 006F61FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,006E82D9,006E82D9,?,?,?,006F644F,00000001,00000001,8BE85006), ref: 006F6258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,006F644F,00000001,00000001,8BE85006,?,?,?), ref: 006F62DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 006F63D8
__freea.LIBCMT ref: 006F63E5

Part of subcall function 006F3820: RtlAllocateHeap.NTDLL(00000000,?,00791444,?,006DFDF5,?,?,006CA976,00000010,00791440,006C13FC,?,006C13C6,?,006C1129), ref: 006F3852

__freea.LIBCMT ref: 006F63EE
__freea.LIBCMT ref: 006F6413

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: d040b51394cd1088930b8b538835e54a2ab42c0abd869348097d587f19c3b89f
Instruction ID: 74d83be1ab9c0dda26885b2dab1c0465cbd8295914e91ec88224ae08d88d9408
Opcode Fuzzy Hash: d040b51394cd1088930b8b538835e54a2ab42c0abd869348097d587f19c3b89f
Instruction Fuzzy Hash: A851DE73A0021AABEB268F64CC81EFF77ABEB55750F154229FA05D6240EB34DD45C6A0

Function 0074BBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 006C9CB3: _wcslen.LIBCMT ref: 006C9CBD

Part of subcall function 0074C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0074B6AE,?,?), ref: 0074C9B5
Part of subcall function 0074C998: _wcslen.LIBCMT ref: 0074C9F1
Part of subcall function 0074C998: _wcslen.LIBCMT ref: 0074CA68
Part of subcall function 0074C998: _wcslen.LIBCMT ref: 0074CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0074BCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0074BD25
RegCloseKey.ADVAPI32(00000000), ref: 0074BD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0074BD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0074BDF3
RegCloseKey.ADVAPI32(?), ref: 0074BDFF

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: a9cc8737511d857bcb335d365c08d83f696d75b0ca0c644f7aacecdb9aaf9ce1
Instruction ID: 2ad4d3d493455e900f8bdfba7dd1477dddfcf22279ae69317312dc25a2751de2
Opcode Fuzzy Hash: a9cc8737511d857bcb335d365c08d83f696d75b0ca0c644f7aacecdb9aaf9ce1
Instruction Fuzzy Hash: BE819C30608241EFD754DF24C885E6ABBE5FF84308F14899DF4598B2A2DB36ED45CB92

Function 0071F7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 0071F7B9
SysAllocString.OLEAUT32(00000001), ref: 0071F860
VariantCopy.OLEAUT32(0071FA64,00000000), ref: 0071F889
VariantClear.OLEAUT32(0071FA64), ref: 0071F8AD
VariantCopy.OLEAUT32(0071FA64,00000000), ref: 0071F8B1
VariantClear.OLEAUT32(?), ref: 0071F8BB

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: 6174de42e4733b9a2a16faa15ab719a467646af2d7986a3a5acb96c27234cc0f
Instruction ID: 74e1151b51a5505a3b16917ef3a108669e028a776c859e82c61777b3ef25748b
Opcode Fuzzy Hash: 6174de42e4733b9a2a16faa15ab719a467646af2d7986a3a5acb96c27234cc0f
Instruction Fuzzy Hash: 8E51B531501310FADF10AB69D895BB9B3A5EF45710F24946BE806DF2D1DB789C80CBAA

Function 0073910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 006C7620: _wcslen.LIBCMT ref: 006C7625

Part of subcall function 006C6B57: _wcslen.LIBCMT ref: 006C6B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 007394E5
_wcslen.LIBCMT ref: 00739506
_wcslen.LIBCMT ref: 0073952D
GetSaveFileNameW.COMDLG32(00000058), ref: 00739585

Strings

X, xrefs: 00739412

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: 5415d9681568d54b23006802e658122462004872d9c937a4ba3041f2c78ed5db
Instruction ID: a7e2d09b266a1c368ec5592c6153cf55fed50c62eccbcca32f8f688de178b3ca
Opcode Fuzzy Hash: 5415d9681568d54b23006802e658122462004872d9c937a4ba3041f2c78ed5db
Instruction Fuzzy Hash: D5E1AB716083409FD764EF24C881F6AB7E1FF84314F04896DE9899B2A2DB75ED04CB96

Function 006D920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 006D9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 006D9BB2

BeginPaint.USER32(?,?,?), ref: 006D9241
GetWindowRect.USER32(?,?), ref: 006D92A5
ScreenToClient.USER32(?,?), ref: 006D92C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 006D92D3
EndPaint.USER32(?,?,?,?,?), ref: 006D9321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 007171EA

Part of subcall function 006D9339: BeginPath.GDI32(00000000), ref: 006D9357

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: a2cadbf2f306054eb26c1d44f01e2fefe7c30fdc16cf715ba1812261bf392356
Instruction ID: cd5a9f1bb5e3278c759ed064f1b948c9167c43c5103135be800bc553f31ff8f2
Opcode Fuzzy Hash: a2cadbf2f306054eb26c1d44f01e2fefe7c30fdc16cf715ba1812261bf392356
Instruction Fuzzy Hash: 26410E30504301AFD711DF24CC84FBA3BB9EB89331F00422AF994872E1C778A946DB61

Function 007307EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 0073080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00730847
EnterCriticalSection.KERNEL32(?), ref: 00730863
LeaveCriticalSection.KERNEL32(?), ref: 007308DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 007308F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00730921

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: 758b5c349cfe04a4c159d998c8e2dea918bd0cff68cb09ac9bb0fa29bcaf3cee
Instruction ID: 1abf96a1594f22f3b2af40c44b9b51b18873474694069a99416c4e501474909d
Opcode Fuzzy Hash: 758b5c349cfe04a4c159d998c8e2dea918bd0cff68cb09ac9bb0fa29bcaf3cee
Instruction Fuzzy Hash: B1419C71900305EFEF059F54DC85AAA77B9FF04310F1080A9ED049A297DB74EE60DBA8

Function 007581DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,0071F3AB,00000000,?,?,00000000,?,0071682C,00000004,00000000,00000000), ref: 0075824C
EnableWindow.USER32(?,00000000), ref: 00758272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 007582D1
ShowWindow.USER32(?,00000004), ref: 007582E5
EnableWindow.USER32(?,00000001), ref: 0075830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 0075832F

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 933beea219422e69201db9c2800f9f65afb8c193ac24cf8a19486bda56dc67ca
Instruction ID: f1944e1e4e5f1ba765fb6233a179180dd293a9a858c4b73feaf05bd6c58f85b2
Opcode Fuzzy Hash: 933beea219422e69201db9c2800f9f65afb8c193ac24cf8a19486bda56dc67ca
Instruction Fuzzy Hash: 3F41D830601740EFDF52CF14C899BE87BE0FB09716F1841A5E9089B272C7B9685ACF45

Function 00724C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00724C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00724CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00724CEA
_wcslen.LIBCMT ref: 00724D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00724D10
_wcsstr.LIBVCRUNTIME ref: 00724D1A

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: cdecafaf587b1009cad2fe104c7be0b7fb29c900be42cd4407086383564c0185
Instruction ID: 5abe949328a27334af40516badbf4c1886a4020d4db21da0cc62102f03dd8467
Opcode Fuzzy Hash: cdecafaf587b1009cad2fe104c7be0b7fb29c900be42cd4407086383564c0185
Instruction Fuzzy Hash: 7F212932604310BBEB165B39FC09E7B7B9DDF45750F10807EF905CA192DAA9CD4086A0

Function 0073581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 006C3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,006C3A97,?,?,006C2E7F,?,?,?,00000000), ref: 006C3AC2

_wcslen.LIBCMT ref: 0073587B
CoInitialize.OLE32(00000000), ref: 00735995
CoCreateInstance.OLE32(0075FCF8,00000000,00000001,0075FB68,?), ref: 007359AE
CoUninitialize.OLE32 ref: 007359CC

Strings

.lnk, xrefs: 00735876, 007358C1, 00735985

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: 2839b9256c79da1326e20b7273aed1ae72ea4c2cf5aa78f0232a32cfc4119aa5
Instruction ID: f002c2d9692027ca804c428a605ee78010b41dfc58c0b1ae3388b7031b25c274
Opcode Fuzzy Hash: 2839b9256c79da1326e20b7273aed1ae72ea4c2cf5aa78f0232a32cfc4119aa5
Instruction Fuzzy Hash: 1CD153B16087019FD714DF24C484A2ABBE6EF89720F14885DF8899B362DB35ED45CB92

Function 0072175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00720FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00720FCA
Part of subcall function 00720FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00720FD6
Part of subcall function 00720FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00720FE5
Part of subcall function 00720FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00720FEC
Part of subcall function 00720FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00721002

GetLengthSid.ADVAPI32(?,00000000,00721335), ref: 007217AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 007217BA
HeapAlloc.KERNEL32(00000000), ref: 007217C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 007217DA
GetProcessHeap.KERNEL32(00000000,00000000,00721335), ref: 007217EE
HeapFree.KERNEL32(00000000), ref: 007217F5

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: ec8b2f80375522580cbbb5c70e08988ff4d64aee590b8f234c4878c5761aa339
Instruction ID: d0ecc864b1833f2040d9b547d24912f9766ec2fa6c2fcc993b4eebb4c4efa631
Opcode Fuzzy Hash: ec8b2f80375522580cbbb5c70e08988ff4d64aee590b8f234c4878c5761aa339
Instruction Fuzzy Hash: 3111DC71500714EFDB118FA4EC49BAE7BA8FB91316F508018F44197211C779A900CBA0

Function 007214CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 007214FF
OpenProcessToken.ADVAPI32(00000000), ref: 00721506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00721515
CloseHandle.KERNEL32(00000004), ref: 00721520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0072154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00721563

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: a16d523b7795808eb5281e9847fbedca7a3912fe91f4c6159bcc316c0157d8e3
Instruction ID: 7fa7cca0489f63c37af24c73f08099a85eb5b16195147beeaa56c7e94d60bc5c
Opcode Fuzzy Hash: a16d523b7795808eb5281e9847fbedca7a3912fe91f4c6159bcc316c0157d8e3
Instruction Fuzzy Hash: BC11597250038DAFDF128F98ED49BDE7BA9FF48705F048054FA05A2060C3B98E60DB60

Function 006E3382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,006E3379,006E2FE5), ref: 006E3390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 006E339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 006E33B7
SetLastError.KERNEL32(00000000,?,006E3379,006E2FE5), ref: 006E3409

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: c491f29c8eb7b8b8bd9d9067a6c2faa071b393bd962db5cb3625a541efcdda33
Instruction ID: d4f96513b5fb7bf85f69e4e9bffdf185ea00b7a1ec5dfd0f1bfff19871cc5ccb
Opcode Fuzzy Hash: c491f29c8eb7b8b8bd9d9067a6c2faa071b393bd962db5cb3625a541efcdda33
Instruction Fuzzy Hash: 9501F53220B3B1AEA72727777C8DAA62B96EB153B5730422DF410873F0EF614D01566C

Function 006F2D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,006F5686,00703CD6,?,00000000,?,006F5B6A,?,?,?,?,?,006EE6D1,?,00788A48), ref: 006F2D78
_free.LIBCMT ref: 006F2DAB
_free.LIBCMT ref: 006F2DD3
SetLastError.KERNEL32(00000000,?,?,?,?,006EE6D1,?,00788A48,00000010,006C4F4A,?,?,00000000,00703CD6), ref: 006F2DE0
SetLastError.KERNEL32(00000000,?,?,?,?,006EE6D1,?,00788A48,00000010,006C4F4A,?,?,00000000,00703CD6), ref: 006F2DEC
_abort.LIBCMT ref: 006F2DF2

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: e345ab2345989c792faaf6b0cf3dee993951f309115efdebb2e7a797a4e2cd67
Instruction ID: bd183a1792753fca7c6454d4d10cab44e0df7f2c8390376a9ad8f9dfa99d08c7
Opcode Fuzzy Hash: e345ab2345989c792faaf6b0cf3dee993951f309115efdebb2e7a797a4e2cd67
Instruction Fuzzy Hash: D6F0F931545B0F2BC25327347C3AABA2557AFC2BA1B20401CFB24922D2DE6889014969

Function 00758A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 006D9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 006D9693
Part of subcall function 006D9639: SelectObject.GDI32(?,00000000), ref: 006D96A2
Part of subcall function 006D9639: BeginPath.GDI32(?), ref: 006D96B9
Part of subcall function 006D9639: SelectObject.GDI32(?,00000000), ref: 006D96E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00758A4E
LineTo.GDI32(?,00000003,00000000), ref: 00758A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00758A70
LineTo.GDI32(?,00000000,00000003), ref: 00758A80
EndPath.GDI32(?), ref: 00758A90
StrokePath.GDI32(?), ref: 00758AA0

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 3cb378d58e2e1b25665e34f63e21ba5556bde3a10bd9a3919d93723e488dc9d6
Instruction ID: 52e737acebb7f081ebe6143b5a32b76b39daf40c033bc5ea6562a51253ad9ab8
Opcode Fuzzy Hash: 3cb378d58e2e1b25665e34f63e21ba5556bde3a10bd9a3919d93723e488dc9d6
Instruction Fuzzy Hash: 6F110C7600024DFFDB129F90DC88FEA7F6DEB04361F04C016BA19991A1C7B59D55DBA4

Function 007251FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00725218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00725229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00725230
ReleaseDC.USER32(00000000,00000000), ref: 00725238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 0072524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00725261

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 8b1d84624ca2da6a07814262749d5d919c8a7500611cd98640a160b5c761bda0
Instruction ID: 2a42cac2fa58eac94a3952b058299ca926f545bd30ceb6058e1b93f94149c820
Opcode Fuzzy Hash: 8b1d84624ca2da6a07814262749d5d919c8a7500611cd98640a160b5c761bda0
Instruction Fuzzy Hash: ED0144B5A00718BFEB115BA59C49B9EBFB8FB44752F048065FA04A7281D6749900CB64

Function 006C1BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 006C1BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 006C1BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 006C1C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 006C1C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 006C1C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 006C1C22

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: d55cbadfcd610a4eb1d6d813fab4a282ef4a9947360548802f332f05f8931c06
Instruction ID: 94bd0ebf5ba9346a8572828e5a6a6af26a4a4c52332f7b995053e9926e9384c2
Opcode Fuzzy Hash: d55cbadfcd610a4eb1d6d813fab4a282ef4a9947360548802f332f05f8931c06
Instruction Fuzzy Hash: 510167B0902B5ABDE3008F6A8C85B52FFA8FF19354F00415BA15C4BA42C7F5A864CBE5

Function 0072EB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0072EB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0072EB46
GetWindowThreadProcessId.USER32(?,?), ref: 0072EB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0072EB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0072EB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0072EB75

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 68d035c891347e6f949fd0f8ee736a62f98544981aac633d019393276812a65b
Instruction ID: 494261608544726a6f6e3148c87e1cead83840e745c2bf9bf1bc5d5f0a528b6e
Opcode Fuzzy Hash: 68d035c891347e6f949fd0f8ee736a62f98544981aac633d019393276812a65b
Instruction Fuzzy Hash: B5F01DB2140758BFE62257529C0EFEB3A7CEBCAB12F008158F601D109196E85A0186B9

Function 00717439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00717452
SendMessageW.USER32(?,00001328,00000000,?), ref: 00717469
GetWindowDC.USER32(?), ref: 00717475
GetPixel.GDI32(00000000,?,?), ref: 00717484
ReleaseDC.USER32(?,00000000), ref: 00717496
GetSysColor.USER32(00000005), ref: 007174B0

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: 33d89ab891da8e05392baa2b2318d50237a064c6c10246c9b9a1603ea2b52f4b
Instruction ID: 037c3b07e8bc0dc1a9dbbffcdce311174e4db18b7c2ed46a8c7e27919c12b029
Opcode Fuzzy Hash: 33d89ab891da8e05392baa2b2318d50237a064c6c10246c9b9a1603ea2b52f4b
Instruction Fuzzy Hash: 18018B31800305EFEB125FA4DC08BEA7BB5FB04312F608060FD16A31A0CB791E51EB54

Function 00721874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0072187F
UnloadUserProfile.USERENV(?,?), ref: 0072188B
CloseHandle.KERNEL32(?), ref: 00721894
CloseHandle.KERNEL32(?), ref: 0072189C
GetProcessHeap.KERNEL32(00000000,?), ref: 007218A5
HeapFree.KERNEL32(00000000), ref: 007218AC

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 87efe14c45da36ccb5e9c380c7906bebb2d1d2054eeffb5238bea975ce058dc0
Instruction ID: 7277141524963e4b8dcaf2a5cd019e37d797fd3305c968578f9299f55af66975
Opcode Fuzzy Hash: 87efe14c45da36ccb5e9c380c7906bebb2d1d2054eeffb5238bea975ce058dc0
Instruction Fuzzy Hash: 45E0C976004749BFDA025BA1ED0CA85BB69FB49722710C620F22581470CBB65460DB54

Function 00747B7E Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 006E0242: EnterCriticalSection.KERNEL32(0079070C,00791884,?,?,006D198B,00792518,?,?,?,006C12F9,00000000), ref: 006E024D
Part of subcall function 006E0242: LeaveCriticalSection.KERNEL32(0079070C,?,006D198B,00792518,?,?,?,006C12F9,00000000), ref: 006E028A

Part of subcall function 006C9CB3: _wcslen.LIBCMT ref: 006C9CBD

Part of subcall function 006E00A3: __onexit.LIBCMT ref: 006E00A9

__Init_thread_footer.LIBCMT ref: 00747BFB

Part of subcall function 006E01F8: EnterCriticalSection.KERNEL32(0079070C,?,?,006D8747,00792514), ref: 006E0202
Part of subcall function 006E01F8: LeaveCriticalSection.KERNEL32(0079070C,?,006D8747,00792514), ref: 006E0235

Strings

G, xrefs: 00747C7F
5, xrefs: 00747C78
Variable must be of type 'Object'., xrefs: 00747C3A
+Tq, xrefs: 00747E2E

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: +Tq$5$G$Variable must be of type 'Object'.
API String ID: 535116098-3279618855
Opcode ID: 9142e9b22e6c8fff93a682ad31011c1c99bfaca3fc82cba9b5e58d1db1fd7f83
Instruction ID: 596f55ad914f7d51317af4b15914476f44e14e049545bcb3c09d0309e0c3f8b3
Opcode Fuzzy Hash: 9142e9b22e6c8fff93a682ad31011c1c99bfaca3fc82cba9b5e58d1db1fd7f83
Instruction Fuzzy Hash: 6F916A70A04209EFCB18EF94D895DBDB7B6EF45304F10805DF806AB292DB79AE45CB61

Function 0072C5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006C7620: _wcslen.LIBCMT ref: 006C7625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0072C6EE
_wcslen.LIBCMT ref: 0072C735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0072C79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0072C7CA

Strings

0, xrefs: 0072C6AF

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: 8e2004d94308f7797bdf03ce85d5593885f48e9b72ef3f9d24531e4e599d4a56
Instruction ID: 7830e37f2102a1d415be5f16e17fc820dacd4470fa7c1b3904a3981444505aef
Opcode Fuzzy Hash: 8e2004d94308f7797bdf03ce85d5593885f48e9b72ef3f9d24531e4e599d4a56
Instruction Fuzzy Hash: C3511F716043219BD7529F28E885B6F77E8EF69310F040A2DF996E32A0DB78DD04CB56

Function 0074AD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 0074AEA3

Part of subcall function 006C7620: _wcslen.LIBCMT ref: 006C7625

GetProcessId.KERNEL32(00000000), ref: 0074AF38
CloseHandle.KERNEL32(00000000), ref: 0074AF67

Strings

@, xrefs: 0074AE72
<, xrefs: 0074AE6B

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: 9540a1b59d450766888e0f94521e4c7c83d671b47a33111a99b1a52482e10cb9
Instruction ID: d8f44f527d3ff10ac86b17bbac297fed631f608cdff8a92c772ce039b1760803
Opcode Fuzzy Hash: 9540a1b59d450766888e0f94521e4c7c83d671b47a33111a99b1a52482e10cb9
Instruction Fuzzy Hash: 5A713570A00619EFCB14DF54C485AAEBBF1EF08314F04849DE826AB362CB78ED45CB95

Function 0072719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00727206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0072723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0072724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 007272CF

Strings

DllGetClassObject, xrefs: 00727242

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: cd2efee7e1360a46b94027fd002a9e25d3433aff01b7d1726af658ccb51df85c
Instruction ID: aca6bbaa9e1b0776973d6f7993c11cc040a680adc31d039dbd8205091def18f5
Opcode Fuzzy Hash: cd2efee7e1360a46b94027fd002a9e25d3433aff01b7d1726af658ccb51df85c
Instruction Fuzzy Hash: 83414AB2A04214EFDB19CF54D984A9A7BF9FF48310B1580ADFD059F20AD7B8D944DBA0

Function 00753D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00753E35
IsMenu.USER32(?), ref: 00753E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00753E92
DrawMenuBar.USER32 ref: 00753EA5

Strings

0, xrefs: 00753D89

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: 3e208f43d40aaa9fb93d1262fe7797755c55c354ed42e8b11289deb3b6bb6c10
Instruction ID: c602b04d158b8343022c29a538ff25be73a4fcd2ff6d8107ce8d3a5594891db6
Opcode Fuzzy Hash: 3e208f43d40aaa9fb93d1262fe7797755c55c354ed42e8b11289deb3b6bb6c10
Instruction Fuzzy Hash: 36418C74A00209AFDB10DF90D885EEAB7F5FF44391F048019EC1597260D7B8AE59CF60

Function 00721DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006C9CB3: _wcslen.LIBCMT ref: 006C9CBD

Part of subcall function 00723CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00723CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00721E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00721E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 00721EA9

Part of subcall function 006C6B57: _wcslen.LIBCMT ref: 006C6B6A

Strings

ComboBox, xrefs: 00721DF0
ListBox, xrefs: 00721E25

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: ce6081e08822782458cf402b321f91cab4d2a0bbae500909e14c9f4ca0cee5ce
Instruction ID: 1704f1a0a2a1bebb465c90fac1dac9bf3505a00b246a6ec56655866928a7371a
Opcode Fuzzy Hash: ce6081e08822782458cf402b321f91cab4d2a0bbae500909e14c9f4ca0cee5ce
Instruction Fuzzy Hash: 7F2123B1E00204BEDB14AB60EC49DFFBBB9EF51350B54452DF825A31E0DB7C4A098624

Function 00752F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00752F8D
LoadLibraryW.KERNEL32(?), ref: 00752F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00752FA9
DestroyWindow.USER32(?), ref: 00752FB1

Strings

SysAnimate32, xrefs: 00752F68

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: 7ee6d9e1693cd78c46623c12e313f8179651c2cc79fd84c528efd55861eccaf4
Instruction ID: d43ed692f61aedbcd264b38e5bdc19b7c7ec7ef96d65ba9dc02bc97644697df5
Opcode Fuzzy Hash: 7ee6d9e1693cd78c46623c12e313f8179651c2cc79fd84c528efd55861eccaf4
Instruction Fuzzy Hash: 4521BB71204205ABEB114F64EC80FFB37B9EB5A326F104618FD10A60E1C2B9DC569B60

Function 006E4D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,006E4D1E,006F28E9,?,006E4CBE,006F28E9,007888B8,0000000C,006E4E15,006F28E9,00000002), ref: 006E4D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 006E4DA0
FreeLibrary.KERNEL32(00000000,?,?,?,006E4D1E,006F28E9,?,006E4CBE,006F28E9,007888B8,0000000C,006E4E15,006F28E9,00000002,00000000), ref: 006E4DC3

Strings

mscoree.dll, xrefs: 006E4D86
CorExitProcess, xrefs: 006E4D98

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 4f257442ee911a7920dcb6af8e9b1bfe8e3e921adf08e1febadb93aa7b89d8bc
Instruction ID: 5c7ef2e008c64a07323ee97b777bec1daa727490c03550f47dc520882850e451
Opcode Fuzzy Hash: 4f257442ee911a7920dcb6af8e9b1bfe8e3e921adf08e1febadb93aa7b89d8bc
Instruction Fuzzy Hash: 40F03174541308AFDB115FA5DC49BDEBBA5EF44752F0440A4A805A6250DF745940CB95

Function 0071D3A0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 0071D3AD
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0071D3BF
FreeLibrary.KERNEL32(00000000), ref: 0071D3E5

Strings

GetSystemWow64DirectoryW, xrefs: 0071D3B9
X64, xrefs: 0071D2A8

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 145871493-2590602151
Opcode ID: 7c957499d5b506394f4842436b96c7feb7c29e5bd927bbe99d9751d3f5fbc637
Instruction ID: bba9fb9df96fdc911c836323e61b3e60802f9cf1d160286182e889eb96dc5cd1
Opcode Fuzzy Hash: 7c957499d5b506394f4842436b96c7feb7c29e5bd927bbe99d9751d3f5fbc637
Instruction Fuzzy Hash: 25F0A0B5905B25DBD73627188C98AE97725AF11B02B64815AE822E1184DBBCCDC08E96

Function 006C4E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,006C4EDD,?,H,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 006C4E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 006C4EAE
FreeLibrary.KERNEL32(00000000,?,?,006C4EDD,?,H,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 006C4EC0

Strings

kernel32.dll, xrefs: 006C4E94
Wow64DisableWow64FsRedirection, xrefs: 006C4EA8

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: ef77ba442c0d8bc0bcd7f5ed1f42417784e251a49ee35ab3a0861783511b6423
Instruction ID: 7aae984219145427718e7e9ef0d4f294cfc65ffce2440c32b733f1513379c917
Opcode Fuzzy Hash: ef77ba442c0d8bc0bcd7f5ed1f42417784e251a49ee35ab3a0861783511b6423
Instruction Fuzzy Hash: F1E08675A01B225F922367256C28FEB6A55EF85F637064119FC00E2200DFA8CD0181A4

Function 006C4E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00703CDE,?,H,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 006C4E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 006C4E74
FreeLibrary.KERNEL32(00000000,?,?,00703CDE,?,H,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 006C4E87

Strings

Wow64RevertWow64FsRedirection, xrefs: 006C4E6E
kernel32.dll, xrefs: 006C4E5B

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 0cda887f05ed404a92f50cda86f73b546fe338329a7d8f26e68de39a9500745b
Instruction ID: c874f7d3538bc95378adc180d56bc5ac9d27c8960ae14a8ecdbc7fa6bb95fb6d
Opcode Fuzzy Hash: 0cda887f05ed404a92f50cda86f73b546fe338329a7d8f26e68de39a9500745b
Instruction Fuzzy Hash: 90D0C271502B215B46231B287C28FDB2A1AEF89F12306411ABC00A2210CFA8CD01C1D4

Function 00732947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00732C05
DeleteFileW.KERNEL32(?), ref: 00732C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00732C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00732CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00732CC0

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: 9968021e69abf35801babe09fc8f72870cb5c56d0f7560317293ea37e33f3e73
Instruction ID: db1cc21148f6738480aaf65700a055cae92879eadf6d33f454ec7a3df638092a
Opcode Fuzzy Hash: 9968021e69abf35801babe09fc8f72870cb5c56d0f7560317293ea37e33f3e73
Instruction Fuzzy Hash: 80B16271D01219ABDF11DFA4CC89EDEB77DEF08310F1040AAF609E6152EB349A458F65

Function 0074A387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 0074A427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0074A435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0074A468
CloseHandle.KERNEL32(?), ref: 0074A63D

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: d61b85d7b1290a15b30a5936ca0d087d20db135ff0667c2b848f34ee6db80577
Instruction ID: 45f34cc1dcc453436ba0be603fc90d70e41e3b5c6579bbc11f6b0ee47af61c92
Opcode Fuzzy Hash: d61b85d7b1290a15b30a5936ca0d087d20db135ff0667c2b848f34ee6db80577
Instruction Fuzzy Hash: 09A1A071644300AFE760DF28C886F2AB7E6EF84714F14885DF55A9B392D7B4EC418B86

Function 006FBB27 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00763700), ref: 006FBB91
WideCharToMultiByte.KERNEL32(00000000,00000000,0079121C,000000FF,00000000,0000003F,00000000,?,?), ref: 006FBC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00791270,000000FF,?,0000003F,00000000,?), ref: 006FBC36
_free.LIBCMT ref: 006FBB7F

Part of subcall function 006F29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,006FD7D1,00000000,00000000,00000000,00000000,?,006FD7F8,00000000,00000007,00000000,?,006FDBF5,00000000), ref: 006F29DE
Part of subcall function 006F29C8: GetLastError.KERNEL32(00000000,?,006FD7D1,00000000,00000000,00000000,00000000,?,006FD7F8,00000000,00000007,00000000,?,006FDBF5,00000000,00000000), ref: 006F29F0

_free.LIBCMT ref: 006FBD4B

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: 5e9c3cc6cbdb90b2c9897072a04c1f3f610689d1e01250acbb76bf69766d0977
Instruction ID: fe94367a50971427911569dd01c75f4b123e31410564734624945e23ce0cf56f
Opcode Fuzzy Hash: 5e9c3cc6cbdb90b2c9897072a04c1f3f610689d1e01250acbb76bf69766d0977
Instruction Fuzzy Hash: 1751F87190020EEFCB10EF69DC819BEB7BAFF41350B50526EE614D7291EB749E418B98

Function 0072E3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0072DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0072CF22,?), ref: 0072DDFD

Part of subcall function 0072DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0072CF22,?), ref: 0072DE16

Part of subcall function 0072E199: GetFileAttributesW.KERNEL32(?,0072CF95), ref: 0072E19A

lstrcmpiW.KERNEL32(?,?), ref: 0072E473
MoveFileW.KERNEL32(?,?), ref: 0072E4AC
_wcslen.LIBCMT ref: 0072E5EB
_wcslen.LIBCMT ref: 0072E603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 0072E650

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: b5d424af26ec354806e8106a44815b62103494de617c5c686227adc287034c0d
Instruction ID: 37f25cb1ff0851d73af8df557531d437822e84b64f4a2be89bbb8a73d03d2560
Opcode Fuzzy Hash: b5d424af26ec354806e8106a44815b62103494de617c5c686227adc287034c0d
Instruction Fuzzy Hash: 795186B24083959BC764EBA0DC85DDF73EDAF84340F00492EF589D3151EF78A688876A

Function 0074B9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 006C9CB3: _wcslen.LIBCMT ref: 006C9CBD

Part of subcall function 0074C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0074B6AE,?,?), ref: 0074C9B5
Part of subcall function 0074C998: _wcslen.LIBCMT ref: 0074C9F1
Part of subcall function 0074C998: _wcslen.LIBCMT ref: 0074CA68
Part of subcall function 0074C998: _wcslen.LIBCMT ref: 0074CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0074BAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0074BB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0074BB63
RegCloseKey.ADVAPI32(?,?), ref: 0074BBA6
RegCloseKey.ADVAPI32(00000000), ref: 0074BBB3

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: 5f8d15ea5a2a5b4a1ddc624857ef030735b27dd2203747ffeb493b5a6d4f2bb4
Instruction ID: 10d9abc5e3cc260e4ecd84e7e8e3b02b5c41ff513885c453703f3c29964ff55a
Opcode Fuzzy Hash: 5f8d15ea5a2a5b4a1ddc624857ef030735b27dd2203747ffeb493b5a6d4f2bb4
Instruction Fuzzy Hash: 77619C71208241AFD714DF24C895F2ABBE5FF84308F54899CF4998B2A2DB35ED45CB92

Function 00728BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00728BCD
VariantClear.OLEAUT32 ref: 00728C3E
VariantClear.OLEAUT32 ref: 00728C9D
VariantClear.OLEAUT32(?), ref: 00728D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00728D3B

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 43ed8df709a8b88d4f2a02c5300430b4998afd3e8e10012f502d8fed5622ce79
Instruction ID: 8f8e34e3a1fdfe3e1313db04c93975f6b9a13d1a8d269058f765983e8933c00f
Opcode Fuzzy Hash: 43ed8df709a8b88d4f2a02c5300430b4998afd3e8e10012f502d8fed5622ce79
Instruction Fuzzy Hash: 8C5179B1A01219EFDB10CF68D884AAABBF8FF8D310B158559E915DB350E735E911CBA0

Function 00738AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00738BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00738BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00738C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00738C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00738C5F

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 2072798548719bf87eae1e3add02ecaaed0f51edfc229d5eaf3d8ca819c07f9b
Instruction ID: 36677a58314168925c1dc7ec177570d7f120b78a3cbdee310154c6d9c59fe70a
Opcode Fuzzy Hash: 2072798548719bf87eae1e3add02ecaaed0f51edfc229d5eaf3d8ca819c07f9b
Instruction Fuzzy Hash: 57515935A00215AFDB41DF64C880E69BBF2FF48314F08809CE809AB362CB35ED51CBA5

Function 00748EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00748F40
GetProcAddress.KERNEL32(00000000,?), ref: 00748FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00748FEC
GetProcAddress.KERNEL32(00000000,?), ref: 00749032
FreeLibrary.KERNEL32(00000000), ref: 00749052

Part of subcall function 006DF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00731043,?,7644E610), ref: 006DF6E6
Part of subcall function 006DF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,0071FA64,00000000,00000000,?,?,00731043,?,7644E610,?,0071FA64), ref: 006DF70D

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 0d17e6ae10f75c0f7d1748436e63220a6269d0a9e6beba0258f686e8ab823b21
Instruction ID: 9c271ab03782c1ca75adf18d250f6c0be7a3924a2093a7dbad96fa00300d138d
Opcode Fuzzy Hash: 0d17e6ae10f75c0f7d1748436e63220a6269d0a9e6beba0258f686e8ab823b21
Instruction Fuzzy Hash: 00513935600209DFCB55DF68C484DADBBB2FF49314F088099E906AB362DB35ED85CB95

Function 00756B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 00756C33
SetWindowLongW.USER32(?,000000EC,?), ref: 00756C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00756C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,0073AB79,00000000,00000000), ref: 00756C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00756CC7

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: cdcc517dfd9319949b1a8958edde347d448e7bceff6b75e2231ffa0229531d74
Instruction ID: 9f1b7531ca2dcf9cb48758b9ac16face1ea9f113a7fd94260388896785ab90ae
Opcode Fuzzy Hash: cdcc517dfd9319949b1a8958edde347d448e7bceff6b75e2231ffa0229531d74
Instruction Fuzzy Hash: 87410435A00204AFD725CF28CC58FE97BA5EB09361F954268FC95A72E0C7B9FD45CA60

Function 006F2051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 006F20C3
_free.LIBCMT ref: 006F20E3

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: e79b17427180a1b3fcddb6b5ade80d4a60f734f4302219c867e46994b4a917b5
Instruction ID: 8de39c68abc3b5deaff5951e3784c2dc09a36fe2788101f005d60c4d4ccf4968
Opcode Fuzzy Hash: e79b17427180a1b3fcddb6b5ade80d4a60f734f4302219c867e46994b4a917b5
Instruction Fuzzy Hash: AD41E432A00209AFCB20DF78C890AADB7A6EF89314F154569E715EB391DA31AD01CB84

Function 006D912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 006D9141
ScreenToClient.USER32(00000000,?), ref: 006D915E
GetAsyncKeyState.USER32(00000001), ref: 006D9183
GetAsyncKeyState.USER32(00000002), ref: 006D919D

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 51fe91e8ff093df7c842827e4ef5988e7acb602fd811dcef7a15528b348cfe23
Instruction ID: 368583f65d32494adf6db737f212f8588596957279ed4cbf196ba77a8bd347fa
Opcode Fuzzy Hash: 51fe91e8ff093df7c842827e4ef5988e7acb602fd811dcef7a15528b348cfe23
Instruction Fuzzy Hash: C241703190860AFBDF099F68CC48BEEB775FB45320F20821AE425A33D0D7786994DB61

Function 00733874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 007338CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00733922
TranslateMessage.USER32(?), ref: 0073394B
DispatchMessageW.USER32(?), ref: 00733955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00733966

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: 111698587feebe1b88cb7c31cc4196b689645a2bde4d2f2d2debc0d2b25e3f11
Instruction ID: f4f497f18922e9c0c4a93006046ddec5875f2b33e0b0b5e6c971012845c25ba0
Opcode Fuzzy Hash: 111698587feebe1b88cb7c31cc4196b689645a2bde4d2f2d2debc0d2b25e3f11
Instruction Fuzzy Hash: 1131F970904346DEFB35CB349849FB637A4EB05308F54456EE4A6C20A2E3FCB686CB25

Function 0073CF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000), ref: 0073CF38
InternetReadFile.WININET(?,00000000,?,?), ref: 0073CF6F
GetLastError.KERNEL32(?,00000000,?,?,?,0073C21E,00000000), ref: 0073CFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,0073C21E,00000000), ref: 0073CFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,0073C21E,00000000), ref: 0073CFF2

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: bd8d3352377682dbcbfb3746d30eccbc34212942036508c4d3be17fae9454764
Instruction ID: 66469690e15929e41bfaa3aabae4c044831c36d2969cf85303cc941b178db4bf
Opcode Fuzzy Hash: bd8d3352377682dbcbfb3746d30eccbc34212942036508c4d3be17fae9454764
Instruction Fuzzy Hash: 19314F72500706AFEB21DFA5C884AABBBF9EF14355F10842EF506E2142D778AE41DB60

Function 00721901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00721915
PostMessageW.USER32(00000001,00000201,00000001), ref: 007219C1
Sleep.KERNEL32(00000000,?,?,?), ref: 007219C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 007219DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 007219E2

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: fc467bd5f6dda2dedc55f78169d52fc174591c9eca4bbb2b2f20175c1ef7786e
Instruction ID: 100765c7e94f562b9597268158f758da688fefaaafe1b1ef9d6ccf3568fbee0b
Opcode Fuzzy Hash: fc467bd5f6dda2dedc55f78169d52fc174591c9eca4bbb2b2f20175c1ef7786e
Instruction Fuzzy Hash: 5631AF71900269EFCB00CFA8DD99BDE7BB5FB14315F108225F961A72D1C7B4AA84CB90

Function 00755706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 00755745
SendMessageW.USER32(?,00001074,?,00000001), ref: 0075579D
_wcslen.LIBCMT ref: 007557AF
_wcslen.LIBCMT ref: 007557BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 00755816

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: c9d6ac21f0f166625eee7d82a549da5d8d6f18b498e12f33384bb84d91189f50
Instruction ID: 5144c5ebb8c7b673f63155a598eeca33ceee09ceca402e81c8ecd32d2e346af4
Opcode Fuzzy Hash: c9d6ac21f0f166625eee7d82a549da5d8d6f18b498e12f33384bb84d91189f50
Instruction Fuzzy Hash: 4F21A571904658DADB218FA0CC84EED77B8FF04322F108256ED19EA180D7B89A89CF50

Function 00740930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00740951
GetForegroundWindow.USER32 ref: 00740968
GetDC.USER32(00000000), ref: 007409A4
GetPixel.GDI32(00000000,?,00000003), ref: 007409B0
ReleaseDC.USER32(00000000,00000003), ref: 007409E8

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 6eefaba8fc9267bb2b3ecedc4dfe13d54c0cc9f62a277d111952a8b06e15d4fa
Instruction ID: 00fada27bdd0626b56280f5296d19ef8fea133c453c971a6b94d71dcb0cba3c9
Opcode Fuzzy Hash: 6eefaba8fc9267bb2b3ecedc4dfe13d54c0cc9f62a277d111952a8b06e15d4fa
Instruction Fuzzy Hash: A6218135A00214AFD704EF65C889AAEBBE5EF48701F04C46CF94AD7752DB74AD04CB90

Function 006FCDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 006FCDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 006FCDE9

Part of subcall function 006F3820: RtlAllocateHeap.NTDLL(00000000,?,00791444,?,006DFDF5,?,?,006CA976,00000010,00791440,006C13FC,?,006C13C6,?,006C1129), ref: 006F3852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 006FCE0F
_free.LIBCMT ref: 006FCE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 006FCE31

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 5d1ce0bf6fdf1e69ad1c88a976bbf62e0273b92c1c6717fb1fbdc701892e60b0
Instruction ID: 4d204d2a0c2566a4816a3af2674f6fbdad994e6aa82d9962361bfdd33b633ef7
Opcode Fuzzy Hash: 5d1ce0bf6fdf1e69ad1c88a976bbf62e0273b92c1c6717fb1fbdc701892e60b0
Instruction Fuzzy Hash: C101D872A0171E7F6321167A6D48DFB696EDEC6BB1315412DFA05C7200DE658D0281F4

Function 006D9639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 006D9693
SelectObject.GDI32(?,00000000), ref: 006D96A2
BeginPath.GDI32(?), ref: 006D96B9
SelectObject.GDI32(?,00000000), ref: 006D96E2

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: c4fc4ef115dadd43d64ef55b370536dbc54de334442e286d96b8694f87e91d8b
Instruction ID: c8db515559f1a260377b558ad42f21a26d727d3f9cf384c3f9304c1073a33f5b
Opcode Fuzzy Hash: c4fc4ef115dadd43d64ef55b370536dbc54de334442e286d96b8694f87e91d8b
Instruction Fuzzy Hash: E6218370801786EFEB129F65DC047E93B75BB00365F508217F414A63F0D379A8A2CBA8

Function 00725711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00725726
_memcmp.LIBVCRUNTIME ref: 00725744
_memcmp.LIBVCRUNTIME ref: 00725757
_memcmp.LIBVCRUNTIME ref: 0072576F
_memcmp.LIBVCRUNTIME ref: 00725787

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: a4692291681031acb6bd4263918a82d09eda9fae4242fc38fda2fa12b1a1b8ec
Instruction ID: e51d9a8610e4ff9ceaa8be8d8fccd12fa08e763fc781bb0d544e20702846ba27
Opcode Fuzzy Hash: a4692291681031acb6bd4263918a82d09eda9fae4242fc38fda2fa12b1a1b8ec
Instruction Fuzzy Hash: D00192B1682A69BA92089521AE92EFB635D9B213A5F004034FD049E341FA78ED1492B4

Function 006F2DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,006EF2DE,006F3863,00791444,?,006DFDF5,?,?,006CA976,00000010,00791440,006C13FC,?,006C13C6), ref: 006F2DFD
_free.LIBCMT ref: 006F2E32
_free.LIBCMT ref: 006F2E59
SetLastError.KERNEL32(00000000,006C1129), ref: 006F2E66
SetLastError.KERNEL32(00000000,006C1129), ref: 006F2E6F

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: b21b540602cf4fe7c7af513b4b3d6774385345bf692330adce84c86cde58014b
Instruction ID: ec16805d0b3d1480fd11fa09485027f45e0a00a2f451a6cccb4411c6b7ef3e8e
Opcode Fuzzy Hash: b21b540602cf4fe7c7af513b4b3d6774385345bf692330adce84c86cde58014b
Instruction Fuzzy Hash: 1401497224470E2BC61323746C96DBB195BBBC2761730402CFB20923A2EE788C014924

Function 0072000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0071FF41,80070057,?,?,?,0072035E), ref: 0072002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0071FF41,80070057,?,?), ref: 00720046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0071FF41,80070057,?,?), ref: 00720054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0071FF41,80070057,?), ref: 00720064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0071FF41,80070057,?,?), ref: 00720070

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 443e72a5cbe0803f325255d5252e79c7df043592a892198305e9b10594075958
Instruction ID: c946a0052cd8335b8f898b97e36c24d143bafce8987c9b03caa6d77a80fea632
Opcode Fuzzy Hash: 443e72a5cbe0803f325255d5252e79c7df043592a892198305e9b10594075958
Instruction Fuzzy Hash: F4018476A00314BFEB214F64EC48BBA7AADEB44752F148114F905D6221D7B9DD4097A4

Function 007210F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00721114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00720B9B,?,?,?), ref: 00721120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00720B9B,?,?,?), ref: 0072112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00720B9B,?,?,?), ref: 00721136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0072114D

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: cb250ec7c982f4d743ca432dda4ecf48bcfad34da18f950707e8f5871c45a374
Instruction ID: d0fddb70089c9a2b2fba97d5cd45dd1baa59932a9f6305c6f31d8704ecbe400c
Opcode Fuzzy Hash: cb250ec7c982f4d743ca432dda4ecf48bcfad34da18f950707e8f5871c45a374
Instruction Fuzzy Hash: 9D016D75100319BFDB124F68EC49AAA3F6EFF89361B104414FA41D3350DA75DC10CA60

Function 00720FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00720FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00720FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00720FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00720FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00721002

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 7d44a231f8bb21b38a34b71c9982f82886102eb16eafbcf6c37321e61c265059
Instruction ID: 73feb8dccdeadb3f73a5ed744a8d54b934bd520c7e2b656311e7268ba58aeadd
Opcode Fuzzy Hash: 7d44a231f8bb21b38a34b71c9982f82886102eb16eafbcf6c37321e61c265059
Instruction Fuzzy Hash: 2EF04F75200315AFDB224FA5AC49F9A3BADFF89762F508414F949C6291CAB8DC408A60

Function 00721014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0072102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00721036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00721045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0072104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00721062

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: db718be96e3e66ff634f3b793ba6c08ed76bc6845b2d3712f074f2ec3a17f1b0
Instruction ID: 31bb915051c00853604240d89a5923f774b525fa0603400ec689012a250e5c1c
Opcode Fuzzy Hash: db718be96e3e66ff634f3b793ba6c08ed76bc6845b2d3712f074f2ec3a17f1b0
Instruction Fuzzy Hash: 02F06275200355EFDB225FA5EC49F9A3BADFF89762F504414F945C7290CAB8DC80CA60

Function 0073030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,0073017D,?,007332FC,?,00000001,00702592,?), ref: 00730324
CloseHandle.KERNEL32(?,?,?,?,0073017D,?,007332FC,?,00000001,00702592,?), ref: 00730331
CloseHandle.KERNEL32(?,?,?,?,0073017D,?,007332FC,?,00000001,00702592,?), ref: 0073033E
CloseHandle.KERNEL32(?,?,?,?,0073017D,?,007332FC,?,00000001,00702592,?), ref: 0073034B
CloseHandle.KERNEL32(?,?,?,?,0073017D,?,007332FC,?,00000001,00702592,?), ref: 00730358
CloseHandle.KERNEL32(?,?,?,?,0073017D,?,007332FC,?,00000001,00702592,?), ref: 00730365

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 6a82aefdcd38da28cd3c25cea1a1fffa767f56550daba0ca934b37272b8809f2
Instruction ID: c9bf6952295b7205f165c3ba1fb85359a9c27122bd1a89e296da1d1425f6b038
Opcode Fuzzy Hash: 6a82aefdcd38da28cd3c25cea1a1fffa767f56550daba0ca934b37272b8809f2
Instruction Fuzzy Hash: 2201AA72800B159FDB30AF66D8A0812FBF9FF603153158A3FD19652932C3B5A998CF80

Function 006FD73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 006FD752

Part of subcall function 006F29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,006FD7D1,00000000,00000000,00000000,00000000,?,006FD7F8,00000000,00000007,00000000,?,006FDBF5,00000000), ref: 006F29DE
Part of subcall function 006F29C8: GetLastError.KERNEL32(00000000,?,006FD7D1,00000000,00000000,00000000,00000000,?,006FD7F8,00000000,00000007,00000000,?,006FDBF5,00000000,00000000), ref: 006F29F0

_free.LIBCMT ref: 006FD764
_free.LIBCMT ref: 006FD776
_free.LIBCMT ref: 006FD788
_free.LIBCMT ref: 006FD79A

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: f2c5f1c74b520792bd9676d55ff1d25910dab3e1e4ebe0089e2550fe847cbffc
Instruction ID: 6afc6adf15ea17600df0a97ede329edc362f8a02f04a257c015542201e516788
Opcode Fuzzy Hash: f2c5f1c74b520792bd9676d55ff1d25910dab3e1e4ebe0089e2550fe847cbffc
Instruction Fuzzy Hash: 7AF0FF325C420EAB8662FB69F9C5C6A77DFBB447107A54809F258EB611C774FC808B78

Function 00725C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00725C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 00725C6F
MessageBeep.USER32(00000000), ref: 00725C87
KillTimer.USER32(?,0000040A), ref: 00725CA3
EndDialog.USER32(?,00000001), ref: 00725CBD

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: d78295058353cf39a4f65dd16fa39f4ebecd99f4c713ed4417e6fbef26a538d8
Instruction ID: 4bc0eb1718c5adc619aaf31d4fe2f77415bce070b034f2a6e6aea066498da243
Opcode Fuzzy Hash: d78295058353cf39a4f65dd16fa39f4ebecd99f4c713ed4417e6fbef26a538d8
Instruction Fuzzy Hash: D8018B305007159FEB215B10ED4EFE577B8FB04706F005559B543614E1E7F86A848A94

Function 006D95C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 006D95D4
StrokeAndFillPath.GDI32(?,?,007171F7,00000000,?,?,?), ref: 006D95F0
SelectObject.GDI32(?,00000000), ref: 006D9603
DeleteObject.GDI32 ref: 006D9616
StrokePath.GDI32(?), ref: 006D9631

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 2e282a6380e44118535e2241bfc70622db7cc4fbe54b5be10ce421485fb795b2
Instruction ID: 84ead9ffb6d56b12568318782dffdc418bb293d7920b80b3162d18bbe9123e24
Opcode Fuzzy Hash: 2e282a6380e44118535e2241bfc70622db7cc4fbe54b5be10ce421485fb795b2
Instruction Fuzzy Hash: B8F01930405B89EFDB235F65ED187A43B62AB00376F44C216F429552F0C77999A2DF28

Function 006F0F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 006F10F9
__freea.LIBCMT ref: 006F1117

Part of subcall function 006F1537: _free.LIBCMT ref: 006F154F

Strings

a/p, xrefs: 006F11DE
am/pm, xrefs: 006F117A

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: a179fa9705547c50bed1ac434faa7248e54519e9176657643e6dac5f60819f9b
Instruction ID: 035c008eadeb0c88cb2d888008d6daf931616ac533dfbf5c6bbd0793d4348c02
Opcode Fuzzy Hash: a179fa9705547c50bed1ac434faa7248e54519e9176657643e6dac5f60819f9b
Instruction Fuzzy Hash: 80D1E23290020ECADB289F68C8556FAB7B3EF07380F24411AEB119F755DB759E81CB51

Function 007461D0 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 324COMMON

Download Yara Rule

APIs

Part of subcall function 006E0242: EnterCriticalSection.KERNEL32(0079070C,00791884,?,?,006D198B,00792518,?,?,?,006C12F9,00000000), ref: 006E024D
Part of subcall function 006E0242: LeaveCriticalSection.KERNEL32(0079070C,?,006D198B,00792518,?,?,?,006C12F9,00000000), ref: 006E028A

Part of subcall function 006E00A3: __onexit.LIBCMT ref: 006E00A9

__Init_thread_footer.LIBCMT ref: 00746238

Part of subcall function 006E01F8: EnterCriticalSection.KERNEL32(0079070C,?,?,006D8747,00792514), ref: 006E0202
Part of subcall function 006E01F8: LeaveCriticalSection.KERNEL32(0079070C,?,006D8747,00792514), ref: 006E0235

Part of subcall function 0073359C: LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 007335E4
Part of subcall function 0073359C: LoadStringW.USER32(00792390,?,00000FFF,?), ref: 0073360A

Strings

x#y, xrefs: 0074633A
x#y, xrefs: 0074636F
x#y, xrefs: 00746353

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeaveLoadString$Init_thread_footer__onexit
String ID: x#y$x#y$x#y
API String ID: 1072379062-3801053113
Opcode ID: 96a3a4e1299ce4c30a66a6aa3c46b692689019c190d3352fc3d07a0158a5de50
Instruction ID: 71901107f96f058c3febf03b4c6c94f0b6577d0eb2038ce9760f1cd8d0560786
Opcode Fuzzy Hash: 96a3a4e1299ce4c30a66a6aa3c46b692689019c190d3352fc3d07a0158a5de50
Instruction Fuzzy Hash: 0EC17D71A00105AFCB14EF98C891EBEB7BAFF49310F10806EF9159B291DB78E955CB91

Function 006F5AA9 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 186COMMONLIBRARYCODE

Download Yara Rule

Strings

JOl, xrefs: 006F5BA8, 006F5C6C

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID:
String ID: JOl
API String ID: 0-2980687805
Opcode ID: 87eac9bb11ea8aa61e08ea32f55b86f68942ea7b071d87f48bf75d52d8e216ae
Instruction ID: 03567e79173d4ec30ee9c0a232c313334a7eaf24fa144c1b6391f9ba9db0eb7d
Opcode Fuzzy Hash: 87eac9bb11ea8aa61e08ea32f55b86f68942ea7b071d87f48bf75d52d8e216ae
Instruction Fuzzy Hash: 63519D71901B0D9FCB219FA9C845AFEBBBAAF05310F14005EF707AB291D7759E028B65

Function 006F8A61 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 124COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000002,00000000,?,?,?,00000000,?,?,?,?), ref: 006F8B6E
GetLastError.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,00000000,00001000,?), ref: 006F8B7A
__dosmaperr.LIBCMT ref: 006F8B81

Strings

.n, xrefs: 006F8A63

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide__dosmaperr
String ID: .n
API String ID: 2434981716-61608593
Opcode ID: ff834bb9819c518061e6c1b6d3f9c673697bbb21f7fda42a6420a226f9e0b8ed
Instruction ID: 7546bd799f7e803dae17bddec36411b2d1b5a3996ef030b4df599376a88a81a1
Opcode Fuzzy Hash: ff834bb9819c518061e6c1b6d3f9c673697bbb21f7fda42a6420a226f9e0b8ed
Instruction Fuzzy Hash: 13416E7160414DAFDB259F68DC81ABD7FA7EB85304B2881EAFA4587242DE35CD038794

Function 00722716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0072B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,007221D0,?,?,00000034,00000800,?,00000034), ref: 0072B42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00722760

Part of subcall function 0072B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,007221FF,?,?,00000800,?,00001073,00000000,?,?), ref: 0072B3F8

Part of subcall function 0072B32A: GetWindowThreadProcessId.USER32(?,?), ref: 0072B355
Part of subcall function 0072B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00722194,00000034,?,?,00001004,00000000,00000000), ref: 0072B365
Part of subcall function 0072B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00722194,00000034,?,?,00001004,00000000,00000000), ref: 0072B37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 007227CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0072281A

Strings

@, xrefs: 00722832

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 2e074d271e62d1930fc864958028ab5d1d76164b07f853c4c10a88eb24d9e34e
Instruction ID: ed83b236ea2e4d4fe5f5ddd3d85f9cf91e7da97470d07b1caab1205afc1f116e
Opcode Fuzzy Hash: 2e074d271e62d1930fc864958028ab5d1d76164b07f853c4c10a88eb24d9e34e
Instruction Fuzzy Hash: 18411D72900228BFDB10DBA4DD85BEEBBB8EF05700F108099FA55B7181DB74AE45CB61

Function 006F172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104), ref: 006F1769
_free.LIBCMT ref: 006F1834
_free.LIBCMT ref: 006F183E

Strings

C:\Users\user\Desktop\file.exe, xrefs: 006F1760, 006F1767, 006F1796, 006F17CE

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\file.exe
API String ID: 2506810119-3695852857
Opcode ID: 168cbe3bcc42837a414470668a198f9fa507a12512fa7d255280b2e40f306ffa
Instruction ID: f34ea354ed281fb6048f7da1116a8f71fcf17110f70ba0a19c37d89c47dedbe5
Opcode Fuzzy Hash: 168cbe3bcc42837a414470668a198f9fa507a12512fa7d255280b2e40f306ffa
Instruction Fuzzy Hash: 4F319171A0020DEFCB21EB999981DAEBBBEEB86390F10416AE6149B311D6704A41CB94

Function 0072C27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 0072C306
DeleteMenu.USER32(?,00000007,00000000), ref: 0072C34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00791990,00E35A80), ref: 0072C395

Strings

0, xrefs: 0072C2DF

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 0f9481051a0e9c91915e0cc210225b04f592d62e524a74997a52e65b45484191
Instruction ID: 8c20a3d882bd67f708ebab4f979baeab29e05ebbd8a3c09d2da96122c9029bdc
Opcode Fuzzy Hash: 0f9481051a0e9c91915e0cc210225b04f592d62e524a74997a52e65b45484191
Instruction Fuzzy Hash: A341D0312043519FD721DF24E845B6EBBE4AFA5310F108A1DF8A5972D2D778E904CB67

Function 00754416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0075CC08,00000000,?,?,?,?), ref: 007544AA
GetWindowLongW.USER32 ref: 007544C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 007544D7

Strings

SysTreeView32, xrefs: 0075447C

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: c412d8357beb378a0deb10eff2c1fb414a385e07bb439ca19d737299945ba3ac
Instruction ID: 23bcbbed1bd7029e2daf3f7db5c0db605e6476e4916191f98bd11aa0ea51e474
Opcode Fuzzy Hash: c412d8357beb378a0deb10eff2c1fb414a385e07bb439ca19d737299945ba3ac
Instruction Fuzzy Hash: 5A318D71240245AFDF218F78DC45BEA77A9EB08329F204319FD75A21D0E7B8AC959750

Function 00726E71 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 92memoryCOMMON

Download Yara Rule

APIs

SysReAllocString.OLEAUT32(?,?), ref: 00726EED
VariantCopyInd.OLEAUT32(?,?), ref: 00726F08
VariantClear.OLEAUT32(?), ref: 00726F12

Strings

*jr, xrefs: 00726E8B, 00726E90, 00726EF8

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Variant$AllocClearCopyString
String ID: *jr
API String ID: 2173805711-3951200537
Opcode ID: 0f15f1edc2cea2290d809057c4ee906a349f9a7cb877ba9f26488af9cda1a24c
Instruction ID: 445cb3fcd2e385d138fb36d145634f684d53e0da1d1fa4ecd8718c3ca6e7f5e7
Opcode Fuzzy Hash: 0f15f1edc2cea2290d809057c4ee906a349f9a7cb877ba9f26488af9cda1a24c
Instruction Fuzzy Hash: 5B318F71604265DFCF05AFA4E951EBD37B6EF85700F10049EF9029B2A1CB389912DB94

Function 006FC9BB Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 91COMMON

Download Yara Rule

APIs

Part of subcall function 006F2D74: GetLastError.KERNEL32(?,?,006F5686,00703CD6,?,00000000,?,006F5B6A,?,?,?,?,?,006EE6D1,?,00788A48), ref: 006F2D78
Part of subcall function 006F2D74: _free.LIBCMT ref: 006F2DAB
Part of subcall function 006F2D74: SetLastError.KERNEL32(00000000,?,?,?,?,006EE6D1,?,00788A48,00000010,006C4F4A,?,?,00000000,00703CD6), ref: 006F2DEC
Part of subcall function 006F2D74: _abort.LIBCMT ref: 006F2DF2

Part of subcall function 006FCADA: _abort.LIBCMT ref: 006FCB0C
Part of subcall function 006FCADA: _free.LIBCMT ref: 006FCB40

Part of subcall function 006FC74F: GetOEMCP.KERNEL32(00000000), ref: 006FC77A

_free.LIBCMT ref: 006FCA33
_free.LIBCMT ref: 006FCA69

Strings

X, xrefs: 006FCAAD
X, xrefs: 006FCAB2

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: _free$ErrorLast_abort
String ID: X$X
API String ID: 2991157371-1416141573
Opcode ID: 9cf5149b5bfdf3f17d5ea484726076caa113ab134ea408e6cc380b0169008af6
Instruction ID: ce37b6a4562ea01febd3b1ba1531296e29776be3aab744c0ec998c34156b3e9d
Opcode Fuzzy Hash: 9cf5149b5bfdf3f17d5ea484726076caa113ab134ea408e6cc380b0169008af6
Instruction Fuzzy Hash: 9031F63190020CAFDB11EBA9D641BB977F6EF40330F21019DEA049B3A2EB766D41DB54

Function 0074304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0074335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00743077,?,?), ref: 00743378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0074307A
_wcslen.LIBCMT ref: 0074309B
htons.WSOCK32(00000000,?,?,00000000), ref: 00743106

Strings

255.255.255.255, xrefs: 00743095, 0074309A

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: fb73166704fa63a08c47eaf86486b96d6b5eb8479bc37849aa8e890ac2feb27d
Instruction ID: baaf9d2b05672e3d16eddd672745393d740af9194c27f1ac5b983a3aeb64b595
Opcode Fuzzy Hash: fb73166704fa63a08c47eaf86486b96d6b5eb8479bc37849aa8e890ac2feb27d
Instruction Fuzzy Hash: 1231E435200205DFDB10CF68C485FAA77E1EF14318F248199E9199B3A2DB7AEF41C760

Function 00753EB8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00753F40
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00753F54
SendMessageW.USER32(?,00001002,00000000,?), ref: 00753F78

Strings

SysMonthCal32, xrefs: 00753F0B

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 714f936887e2f47947eeb7c9fedfb8bc330b2a898eaa24d291e10f7fa7a5d23c
Instruction ID: 16271ca3092792e308a3679132b3374f5adfa6baf5ede86a7ab681e845c32b9f
Opcode Fuzzy Hash: 714f936887e2f47947eeb7c9fedfb8bc330b2a898eaa24d291e10f7fa7a5d23c
Instruction Fuzzy Hash: 2F21AD32600219BFDF118E50CC46FEA3B75EB48754F110218FE156B1D0D6B9A955CBA0

Function 00754653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00754705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00754713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0075471A

Strings

msctls_updown32, xrefs: 00754684

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 8f35c52254da230affdeeb615804c3f13302bf990b7d0d42ff1bebcb6c4835a3
Instruction ID: 6f5c48756326c55efd12f5660727733e245808d263d5e540778d687ee8566bb7
Opcode Fuzzy Hash: 8f35c52254da230affdeeb615804c3f13302bf990b7d0d42ff1bebcb6c4835a3
Instruction Fuzzy Hash: 1121A1B5600249AFDB11DF64DCC1DB737ADEF4A3A9B000449FA009B251CB75EC56CB64

Function 007295AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0072961D

Strings

#requireadmin, xrefs: 007295D9
#notrayicon, xrefs: 007295B7
#OnAutoItStartRegister, xrefs: 007295F3

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: 1806024dc8fa857ba42a3d4e9f889d009846cf6a4f16bfeef24812fcf106efa5
Instruction ID: 7de4280aecd4fb4619189745a3ce3544807f8a410732447a8a07a49a633c8377
Opcode Fuzzy Hash: 1806024dc8fa857ba42a3d4e9f889d009846cf6a4f16bfeef24812fcf106efa5
Instruction Fuzzy Hash: 6B2157722042306AD331BB26EC02FBB73D9DF91300F18402EFA4997181EB99AD55C2E9

Function 007537B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00753840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00753850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00753876

Strings

Listbox, xrefs: 0075380F

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: f3f189b4a1b7c0383a20ca510afadb58e4809ad339ef2210edc70b2b1d4f4bd4
Instruction ID: 9a27aa9450a0031370147810b6a4eaf535b6161518013b93a87b48b7ccc08bd7
Opcode Fuzzy Hash: f3f189b4a1b7c0383a20ca510afadb58e4809ad339ef2210edc70b2b1d4f4bd4
Instruction Fuzzy Hash: B8219572610218BBEF119F54CC85FFB376EEF89791F108114F9159B1A0C6B9EC5687A0

Function 007349F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00734A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00734A5C
SetErrorMode.KERNEL32(00000000,?,?,0075CC08), ref: 00734AD0

Strings

%lu, xrefs: 00734A6F

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: a9f980cd2d768a00f805c9527b6dcd91a5e23b919c17f2df1b29404deb923efd
Instruction ID: 3899f250dcf1390358826164a0c7ac88ea3e1e42d92ed6b6bb7a013f3df83a85
Opcode Fuzzy Hash: a9f980cd2d768a00f805c9527b6dcd91a5e23b919c17f2df1b29404deb923efd
Instruction Fuzzy Hash: D9317371A00209AFD710DF54C885EAA7BF9EF04304F148099F905DB352DB75EE45CB65

Function 007541EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0075424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00754264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00754271

Strings

msctls_trackbar32, xrefs: 00754226

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: cc459d56ccb17a9493c877f4a274f1c3ffd45b5386a9541b20056c670ceed992
Instruction ID: 5b70eaf29fa2880065656e63bad4e5b479c1022b1c0525e72baa31b82708c502
Opcode Fuzzy Hash: cc459d56ccb17a9493c877f4a274f1c3ffd45b5386a9541b20056c670ceed992
Instruction Fuzzy Hash: CC11E331240248BEEF205F29CC06FEB3BACEF85B69F114118FA55E2090D2B5D8529B24

Function 00722F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006C6B57: _wcslen.LIBCMT ref: 006C6B6A

Part of subcall function 00722DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00722DC5
Part of subcall function 00722DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00722DD6
Part of subcall function 00722DA7: GetCurrentThreadId.KERNEL32 ref: 00722DDD
Part of subcall function 00722DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00722DE4

GetFocus.USER32 ref: 00722F78

Part of subcall function 00722DEE: GetParent.USER32(00000000), ref: 00722DF9

GetClassNameW.USER32(?,?,00000100), ref: 00722FC3
EnumChildWindows.USER32(?,0072303B), ref: 00722FEB

Strings

%s%d, xrefs: 00722FFF

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: c39954d43aa2d23a7f934f7e7290e4d8580691e60abf9f13f55e085374cada6e
Instruction ID: 9785300e74ed2d6a5f08dbe15b78bd63f05c06be8538786e3760c4ea0681ee0d
Opcode Fuzzy Hash: c39954d43aa2d23a7f934f7e7290e4d8580691e60abf9f13f55e085374cada6e
Instruction Fuzzy Hash: FF110271300215ABDF51BF70DC89FED37AAEF84304F008079B9099B242DE789A0A8B30

Function 00755882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 007558C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 007558EE
DrawMenuBar.USER32(?), ref: 007558FD

Strings

0, xrefs: 0075588F

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: 004f01b2a5cb167fc23bdf91ef404e0804ceb1f20db655d006a1ebcbf8ad6319
Instruction ID: 78c7f034761be0276a6f537b25bc1001b925dd773599344e31fff31cbb762243
Opcode Fuzzy Hash: 004f01b2a5cb167fc23bdf91ef404e0804ceb1f20db655d006a1ebcbf8ad6319
Instruction Fuzzy Hash: DF01C431500208EFDB519F51DC44BEEBBB5FF45362F108099E849D6261DBB89A94DF20

Function 0072007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cb361d432f0046fe8100703b17bd7569d018b639d6e533ee982cfd5fd660093
Instruction ID: 1716eac3117b84033a7c034b6b91a288b1ac8be59b224bf7000831a436a84222
Opcode Fuzzy Hash: 2cb361d432f0046fe8100703b17bd7569d018b639d6e533ee982cfd5fd660093
Instruction Fuzzy Hash: DFC17C75A0022AEFDB04CFA4D888EAEB7B5FF48314F108598E405EB252D735ED41CBA0

Function 0074342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00743459
CoUninitialize.OLE32 ref: 00743463
VariantInit.OLEAUT32(?), ref: 0074346E
VariantClear.OLEAUT32(?), ref: 0074371B

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: 3c302efa077067bda536bd2ae577fbf03d47e8a69bae4e98fcadaee557ae98b4
Instruction ID: 566d201cd149a709f57b71dbfef555b9aa5e1ad306cb5d8a47df1fb494f6a892
Opcode Fuzzy Hash: 3c302efa077067bda536bd2ae577fbf03d47e8a69bae4e98fcadaee557ae98b4
Instruction Fuzzy Hash: 6AA117756043019FCB40DF28C585A2AB7E5EF88724F05885DF98A9B362DB34EE01CB96

Function 00720436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,0075FC08,?), ref: 007205F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,0075FC08,?), ref: 00720608
CLSIDFromProgID.OLE32(?,?,00000000,0075CC40,000000FF,?,00000000,00000800,00000000,?,0075FC08,?), ref: 0072062D
_memcmp.LIBVCRUNTIME ref: 0072064E

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 3cf938f7a2ab731cdbadd6657c9d8a95b10815250e74a12ebf6846eedbe483f3
Instruction ID: 66e4c64a8b40699082db98a5baa599a6a1d72da2d9b0fa2a1b11eaeedebc115a
Opcode Fuzzy Hash: 3cf938f7a2ab731cdbadd6657c9d8a95b10815250e74a12ebf6846eedbe483f3
Instruction Fuzzy Hash: 11811E71A00219EFCB04DF94C984EEEB7B9FF89315F204558F506AB251DB75AE06CBA0

Function 00701391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 007014C0

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 421d6d2d681c9187f996414e354dd9d9b7556d42fa56e218038706657e26e091
Instruction ID: b033c6434db05d56596c55e794a44f04a186793a90d6025219ce0057755ff3b9
Opcode Fuzzy Hash: 421d6d2d681c9187f996414e354dd9d9b7556d42fa56e218038706657e26e091
Instruction Fuzzy Hash: 21416A31A00284EFDB216BF98C45ABE3AE6EF41330F544329F519D72E2E77C89419766

Function 00756278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 007562E2
ScreenToClient.USER32(?,?), ref: 00756315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00756382

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: e1c49367dbed97ba42b203cf37d3b0d306de0c2f490a080facd743fe4e4c1300
Instruction ID: 25c909d9fcf202dbb5892d43d1635b0383b2d473144475953e8b3299631fa9e7
Opcode Fuzzy Hash: e1c49367dbed97ba42b203cf37d3b0d306de0c2f490a080facd743fe4e4c1300
Instruction Fuzzy Hash: D4514A74A00249EFCF10DF68D880AEE7BB6FB45361F508169F9159B2A0D778EE85CB50

Function 00741AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00741AFD
WSAGetLastError.WSOCK32 ref: 00741B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00741B8A
WSAGetLastError.WSOCK32 ref: 00741B94

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: d110e1ab95d9b52e6b17c783800ecdc8c00b924aa8a23e8314559440f19ec542
Instruction ID: 104949dab27f1a21c9f13e86a6f4c375f01447ecd4d930c654c8abc5fd3f7809
Opcode Fuzzy Hash: d110e1ab95d9b52e6b17c783800ecdc8c00b924aa8a23e8314559440f19ec542
Instruction Fuzzy Hash: E2418D74600200AFE720AF24C886F2977E6EB44718F94844CF91A9F7D2D776ED82CB94

Function 006FB41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3c005dc4e2ecbc523875b8d6e1fa556689554f85349725a9fd33bf1aba417bb
Instruction ID: be73817c102ee8f8bb5c99775c502eaa03de36b149e6682d263a9bcd8d7577f9
Opcode Fuzzy Hash: c3c005dc4e2ecbc523875b8d6e1fa556689554f85349725a9fd33bf1aba417bb
Instruction Fuzzy Hash: 43412875A00708AFD724AF78CD41BBABBEAEF84710F10462EF641DB681D375A9018B90

Function 007356D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00735783
GetLastError.KERNEL32(?,00000000), ref: 007357A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 007357CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 007357FA

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 3841b0da2da330b7b5739c131ab5be7cf682a3066698386b53c8987dcc80c0ad
Instruction ID: 2f25adedc86b88db4e24dfbcdf9b33af5b7c1f06e44cb0a0a36be2fce194c338
Opcode Fuzzy Hash: 3841b0da2da330b7b5739c131ab5be7cf682a3066698386b53c8987dcc80c0ad
Instruction Fuzzy Hash: BF41F639600610DFCB11EF15C545A6ABBE2EF89720F19848CE84AAB362CB34FD41DF95

Function 006FD8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,006E6D71,00000000,00000000,006E82D9,?,006E82D9,?,00000001,006E6D71,?,00000001,006E82D9,006E82D9), ref: 006FD910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 006FD999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 006FD9AB
__freea.LIBCMT ref: 006FD9B4

Part of subcall function 006F3820: RtlAllocateHeap.NTDLL(00000000,?,00791444,?,006DFDF5,?,?,006CA976,00000010,00791440,006C13FC,?,006C13C6,?,006C1129), ref: 006F3852

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 2d29603c589b0f50b6c3e20c63b894ae40cf8d6d299846f4466ec4f69c99cd22
Instruction ID: b7f47e359224b5a5835577d520b2b1978dad810acf5bd44abad5cfd8ff1270b9
Opcode Fuzzy Hash: 2d29603c589b0f50b6c3e20c63b894ae40cf8d6d299846f4466ec4f69c99cd22
Instruction Fuzzy Hash: 0931CD72A0020AABDB259FA5DC45EFE7BA7EB40310B054168FD04D6291EB79ED51CBA0

Function 007552C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 00755352
GetWindowLongW.USER32(?,000000F0), ref: 00755375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00755382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 007553A8

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: 0a0a9055a97fc254eb576573cfabb5fa229e02252734e0e8d1ee13eedce40039
Instruction ID: bb25a2c0c5811fa2aaa7822aeabe8785baed3280f7b9b475796f9e0c751f8c50
Opcode Fuzzy Hash: 0a0a9055a97fc254eb576573cfabb5fa229e02252734e0e8d1ee13eedce40039
Instruction Fuzzy Hash: 4F31E430A55A08EFEB319F14CC25BE83761EB0439AF584012FE19962E0C7FD9D88DB41

Function 0072AB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,7694C0D0,?,00008000), ref: 0072ABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 0072AC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 0072AC74
SendInput.USER32(00000001,?,0000001C,7694C0D0,?,00008000), ref: 0072ACC6

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: ab762d87c24a56c05aabe3a5416d6f56fb8608c7464cfef296e828738addb462
Instruction ID: 257a3988fb69d446652c116c6136bcb5354ca827c8983e8e590d9d8654355f6a
Opcode Fuzzy Hash: ab762d87c24a56c05aabe3a5416d6f56fb8608c7464cfef296e828738addb462
Instruction Fuzzy Hash: 4731F630A04728BFFF258B65EC087FA7BAAAB85310F04421AE485521D1D37D8AC58772

Function 00757674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0075769A
GetWindowRect.USER32(?,?), ref: 00757710
PtInRect.USER32(?,?,00758B89), ref: 00757720
MessageBeep.USER32(00000000), ref: 0075778C

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: c7487f8be51e5af6f852e74e6be3e0caa227e71655157a37f876f37d47626ff0
Instruction ID: 4d67a139704e9c7a10e22a6014c830ac5dd4db07e0fca47df7649eb1a6d29dc7
Opcode Fuzzy Hash: c7487f8be51e5af6f852e74e6be3e0caa227e71655157a37f876f37d47626ff0
Instruction Fuzzy Hash: 8A41BD34609255DFDB06CF58E884FE877F0FB48312F5584A9E8148B260C3B8A94ACF90

Function 007516DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 007516EB

Part of subcall function 00723A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00723A57
Part of subcall function 00723A3D: GetCurrentThreadId.KERNEL32 ref: 00723A5E
Part of subcall function 00723A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,007225B3), ref: 00723A65

GetCaretPos.USER32(?), ref: 007516FF
ClientToScreen.USER32(00000000,?), ref: 0075174C
GetForegroundWindow.USER32 ref: 00751752

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 431ef4194fcf05bd0fe80f019c64db3fd5b552858889b3e53183f8bb8ed7509e
Instruction ID: e47cd36aeb5a98d2fa77a450fec171fa9e6627dd4b7ee4cc1f583bceae67b17b
Opcode Fuzzy Hash: 431ef4194fcf05bd0fe80f019c64db3fd5b552858889b3e53183f8bb8ed7509e
Instruction Fuzzy Hash: 0D314171D00249AFC700EFA9C885DEEBBF9EF88304B5084AEE415E7211D7759E45CBA4

Function 0072D4DC Relevance: 6.1, APIs: 4, Instructions: 86processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0072D501
Process32FirstW.KERNEL32(00000000,?), ref: 0072D50F
Process32NextW.KERNEL32(00000000,?), ref: 0072D52F
CloseHandle.KERNEL32(00000000), ref: 0072D5DC

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 27417277559ee55d860cbe3ec7f7b454e53a0932c84a429523b62eb50bb22b8b
Instruction ID: f5d721ef95ff40323810a46e38e1d27aa308494ce7bb95d71d32c0bd6ad58583
Opcode Fuzzy Hash: 27417277559ee55d860cbe3ec7f7b454e53a0932c84a429523b62eb50bb22b8b
Instruction Fuzzy Hash: 7A31AD710083009FD311EF50D885FAABBE8EF99344F10082DF581821A1EBB19945CBA6

Function 00758FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006D9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 006D9BB2

GetCursorPos.USER32(?), ref: 00759001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00717711,?,?,?,?,?), ref: 00759016
GetCursorPos.USER32(?), ref: 0075905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00717711,?,?,?), ref: 00759094

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: d4290a105827798d712d8769a756f1ecad4024ad9b2b44071684e842285403fb
Instruction ID: fbb100d512e61b1397716fbfeeccac42c54536e0b49eae84aaec9bb0dd4aa292
Opcode Fuzzy Hash: d4290a105827798d712d8769a756f1ecad4024ad9b2b44071684e842285403fb
Instruction Fuzzy Hash: 8421D331600118EFDB168F94CC58FFB7BB9EF49362F144459FA09472A1D3B9A960DB60

Function 0072D2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,0075CB68), ref: 0072D2FB
GetLastError.KERNEL32 ref: 0072D30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 0072D319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0075CB68), ref: 0072D376

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 2af46633293596da2bcbdf1f079a3f92fb6d26ecd39827894548ad856e88a0db
Instruction ID: d2407774fac277d49d0975bd2a9ac1c26b74cd0ba2c3beab22cf708b6d4f3e20
Opcode Fuzzy Hash: 2af46633293596da2bcbdf1f079a3f92fb6d26ecd39827894548ad856e88a0db
Instruction Fuzzy Hash: 3C219F70509311DF8320DF28D8859AA77E4FE56324F104A1DF499C32A2EB35DE49CB97

Function 00721571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00721014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0072102A
Part of subcall function 00721014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00721036
Part of subcall function 00721014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00721045
Part of subcall function 00721014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0072104C
Part of subcall function 00721014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00721062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 007215BE
_memcmp.LIBVCRUNTIME ref: 007215E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00721617
HeapFree.KERNEL32(00000000), ref: 0072161E

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 4f1ffee5ac3a61413491325979b5f80ee641217668bfd1deb4ada6b8e0a978c1
Instruction ID: e18a5e8756961f807c27c131e7c0916a95fb6c5514b2be3a05cc00faaf476a83
Opcode Fuzzy Hash: 4f1ffee5ac3a61413491325979b5f80ee641217668bfd1deb4ada6b8e0a978c1
Instruction Fuzzy Hash: 7C21AC71E00218EFDF00DFA4D945BEEB7B8FF50345F498499E401AB241EB78AA04CBA0

Function 00752782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 0075280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00752824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00752832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00752840

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: cbe36d950c70d46199023b842320632b2cafca428bafc0553e78ebcd85fba6be
Instruction ID: 699ba0a46b11e80159aadb5df2f470f4c0f555c2f05f1c5abbed9d6fc13597f7
Opcode Fuzzy Hash: cbe36d950c70d46199023b842320632b2cafca428bafc0553e78ebcd85fba6be
Instruction Fuzzy Hash: FD21B031204211AFD715DB24C845FEA7B95EF86325F24815CF8268B6A3DBB9FC86C790

Function 007278F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00728D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,0072790A,?,000000FF,?,00728754,00000000,?,0000001C,?,?), ref: 00728D8C
Part of subcall function 00728D7D: lstrcpyW.KERNEL32(00000000,?), ref: 00728DB2
Part of subcall function 00728D7D: lstrcmpiW.KERNEL32(00000000,?,0072790A,?,000000FF,?,00728754,00000000,?,0000001C,?,?), ref: 00728DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00728754,00000000,?,0000001C,?,?,00000000), ref: 00727923
lstrcpyW.KERNEL32(00000000,?), ref: 00727949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00728754,00000000,?,0000001C,?,?,00000000), ref: 00727984

Strings

cdecl, xrefs: 0072797B

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 9dd334dc936513d8990029c077598e6ffb54f39fc2858c08222b026a0b9caadf
Instruction ID: 4f80c89c2fb1516efcc3943d6c57ac0036bbd71d0e410b26883d0832cd5cc28e
Opcode Fuzzy Hash: 9dd334dc936513d8990029c077598e6ffb54f39fc2858c08222b026a0b9caadf
Instruction Fuzzy Hash: 1B11293A200311AFCB155F34E844E7A77A9FF45350B00802AF986CB3A4EF75A841C755

Function 00757CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00757D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 00757D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00757D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0073B7AD,00000000), ref: 00757D6B

Part of subcall function 006D9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 006D9BB2

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: 4a8b1ea6834a35e33bac8577c55fe6d898cfd6573ce95d7535ceb1128c728459
Instruction ID: 055b932b2ddcdda66cb54035ee40036216e9f4799747c64d4cab029b20784c60
Opcode Fuzzy Hash: 4a8b1ea6834a35e33bac8577c55fe6d898cfd6573ce95d7535ceb1128c728459
Instruction Fuzzy Hash: FD11DE31604715AFCB158F28EC04AA63BA5EF45362B118328FC35CB2E0E7B89925CB50

Function 00755660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 007556BB
_wcslen.LIBCMT ref: 007556CD
_wcslen.LIBCMT ref: 007556D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 00755816

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: 7769e5548a255f701a5f55781aaa3ab56f94837e3089afa030e09af034db98a4
Instruction ID: c06dd93abb6c19fe87dbc608e8b77d31732916f4d6e3c47f50a58fd2bc5d3ad0
Opcode Fuzzy Hash: 7769e5548a255f701a5f55781aaa3ab56f94837e3089afa030e09af034db98a4
Instruction Fuzzy Hash: 32110671A0074496DF209F61CC95EEE377CEF00762B10406AFD05D6081EBF8DA88CBA4

Function 006F1D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7582ba5c1a3d2e5a49dbe3b8df3e7b38d035c70efeb199d2dd9aa0717d8b77b7
Instruction ID: 6579ba0ebdffcf09fa43c80469346daf74147fa424ce1fc7b029ece6f9ff528a
Opcode Fuzzy Hash: 7582ba5c1a3d2e5a49dbe3b8df3e7b38d035c70efeb199d2dd9aa0717d8b77b7
Instruction Fuzzy Hash: 6D01A2B2209A1EBEF75116786CC0FB7662FDF427F8B34132AF721A52D2DB608C005164

Function 00721A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00721A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00721A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00721A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00721A8A

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: e2475143b9c82e3d327b903382e419c3ec424196ea403ef94e1090663785be1f
Instruction ID: 5b9afc2c0851666b0143dc3dedfba30d350056af2ed3ca410ca0e0a51f8896c7
Opcode Fuzzy Hash: e2475143b9c82e3d327b903382e419c3ec424196ea403ef94e1090663785be1f
Instruction Fuzzy Hash: EB11273A901229FFEB119BA4CD85FADBB78FB18750F2040A1EA00B7290D6716F50DB94

Function 0072E1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0072E1FD
MessageBoxW.USER32(?,?,?,?), ref: 0072E230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0072E246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0072E24D

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 038f9972130ee841c536e4f4c0cac00650555e8ccd26f9fd7e5e257985d533ce
Instruction ID: b86cdddef0735ad9a827320b35eb63e90561be147662d67f2dbec2fb6ce314f3
Opcode Fuzzy Hash: 038f9972130ee841c536e4f4c0cac00650555e8ccd26f9fd7e5e257985d533ce
Instruction Fuzzy Hash: CB110872904369FFD7019BA8AC05ADE7FACEB45311F10821AF925E3290D2B8890087A5

Function 006ED1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,006ECFF9,00000000,00000004,00000000), ref: 006ED218
GetLastError.KERNEL32 ref: 006ED224
__dosmaperr.LIBCMT ref: 006ED22B
ResumeThread.KERNEL32(00000000), ref: 006ED249

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: d73321a42785f9f65f3673cea90d70163e279b5b00a7ab5ffb9ad8b5236d2a25
Instruction ID: 4d1befb8884a2025b21c3061daf8713346d13dd69677dbd69bfeaddd68ebacff
Opcode Fuzzy Hash: d73321a42785f9f65f3673cea90d70163e279b5b00a7ab5ffb9ad8b5236d2a25
Instruction Fuzzy Hash: A201D636806388BFC7115BA7DC09BEE7A6BDF81731F204219FB25921D0DF718A01C6A5

Function 00759EF3 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 006D9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 006D9BB2

GetClientRect.USER32(?,?), ref: 00759F31
GetCursorPos.USER32(?), ref: 00759F3B
ScreenToClient.USER32(?,?), ref: 00759F46
DefDlgProcW.USER32(?,00000020,?,00000000,?,?,?), ref: 00759F7A

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 1a254941fb0fe5a2807bcd723431760c7a2f2c8131357421bb251ad9123ef995
Instruction ID: e0ddc0dd6ddac53d28d77f94df77bef6d563e274670b1f2267a8e1f8851cda33
Opcode Fuzzy Hash: 1a254941fb0fe5a2807bcd723431760c7a2f2c8131357421bb251ad9123ef995
Instruction Fuzzy Hash: 3611483290021AEFDB01DFA8D889DEE77B9FB05312F504455FA01E3180D3B8BA95CBA5

Function 006C600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 006C604C
GetStockObject.GDI32(00000011), ref: 006C6060
SendMessageW.USER32(00000000,00000030,00000000), ref: 006C606A

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 9c58937d0a02117368b7a0acfbb3bb34620628f0b19dc5ea50a22e456ba1afa2
Instruction ID: 41582f8c9d18c5e39f31b712c78861dcb3c635d6bcc2c6dec14f5916d23de356
Opcode Fuzzy Hash: 9c58937d0a02117368b7a0acfbb3bb34620628f0b19dc5ea50a22e456ba1afa2
Instruction Fuzzy Hash: 1811A172201608BFEF124F94CD44FFA7B6AEF0C365F004216FA0462110C7769C60DB94

Function 006E3B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 006E3B56

Part of subcall function 006E3AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 006E3AD2
Part of subcall function 006E3AA3: ___AdjustPointer.LIBCMT ref: 006E3AED

_UnwindNestedFrames.LIBCMT ref: 006E3B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 006E3B7C
CallCatchBlock.LIBVCRUNTIME ref: 006E3BA4

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: 4b9b7e26d345d6dca73f34bdf7add103ed6db464adacda4b9dfa2e4a4bde5df1
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: 55014032101289BBDF125E96CC4AEEB3F6EEF58754F044018FE4856221C732D961DBA4

Function 006F3073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,006C13C6,00000000,00000000,?,006F301A,006C13C6,00000000,00000000,00000000,?,006F328B,00000006,FlsSetValue), ref: 006F30A5
GetLastError.KERNEL32(?,006F301A,006C13C6,00000000,00000000,00000000,?,006F328B,00000006,FlsSetValue,00762290,FlsSetValue,00000000,00000364,?,006F2E46), ref: 006F30B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,006F301A,006C13C6,00000000,00000000,00000000,?,006F328B,00000006,FlsSetValue,00762290,FlsSetValue,00000000), ref: 006F30BF

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 46ff374f35ee86117cbb1181eb47972882c18df13a920a5073a5499f6b1b10ac
Instruction ID: 92e2216a01f920c0ea24990b12dff7a2ebf3404d1616921323860c46a0247006
Opcode Fuzzy Hash: 46ff374f35ee86117cbb1181eb47972882c18df13a920a5073a5499f6b1b10ac
Instruction Fuzzy Hash: 8F01F73230133AAFCB314B799C44EB77B9AAF05BA1B104621FA06E3340CF25D942C6E4

Function 00727464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 0072747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00727497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 007274AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 007274CA

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: d613bfb9594a8caa6fbc992ba98cc4639717055f46612d4536cc3a9b20df4803
Instruction ID: 9d2ef0e16c4b39720c8e27d48fef3644f8318de77ec94c4bfc59f0dc81e92129
Opcode Fuzzy Hash: d613bfb9594a8caa6fbc992ba98cc4639717055f46612d4536cc3a9b20df4803
Instruction Fuzzy Hash: C611D6B12053A49FE720DF14EE08F927FFCEB00B10F108569A616D7151D7B8E904DB51

Function 0072B0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0072ACD3,?,00008000), ref: 0072B0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0072ACD3,?,00008000), ref: 0072B0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0072ACD3,?,00008000), ref: 0072B0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0072ACD3,?,00008000), ref: 0072B126

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 9a1fa289483bc9a0eb8c149e965f6a4e4ae524c7496bb140e3a9dc13e1a56489
Instruction ID: 1e9e12c350d0cda16bc01261370d46a6a040603566427bfbcde270d4bcf81434
Opcode Fuzzy Hash: 9a1fa289483bc9a0eb8c149e965f6a4e4ae524c7496bb140e3a9dc13e1a56489
Instruction Fuzzy Hash: C3116171C01A3DDBCF11AFE4E9697EEBB78FF09711F118085D941B2141CB7859508B55

Function 00757E14 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00757E33
ScreenToClient.USER32(?,?), ref: 00757E4B
ScreenToClient.USER32(?,?), ref: 00757E6F
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00757E8A

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: ec413c4e0d97ac32632ec452c911de66f15117328550c9d1e86c4390d9e19d65
Instruction ID: ffe4c077e1f785fdc169fb0ee345e356f92af0c46d4275a9898e122904860824
Opcode Fuzzy Hash: ec413c4e0d97ac32632ec452c911de66f15117328550c9d1e86c4390d9e19d65
Instruction Fuzzy Hash: B51142B9D0024AAFDB41CF98D884AEEBBF9FF08311F509066E915E3210D775AA54CF94

Function 00722DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00722DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00722DD6
GetCurrentThreadId.KERNEL32 ref: 00722DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00722DE4

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 24a3c44b84a6d9fe003167b3b8da775aecb2679a06e69c390d3d773ac7ffd3ec
Instruction ID: 8cb54194bc0ca13d0addcb15195b0aaf560fd574cfef210ca7c739b74f4882c8
Opcode Fuzzy Hash: 24a3c44b84a6d9fe003167b3b8da775aecb2679a06e69c390d3d773ac7ffd3ec
Instruction Fuzzy Hash: 08E06D722013347BD7211B72AC0EFEB3E6CEB42BA2F004015B105D10819AE8C941C6B0

Function 00758863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 006D9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 006D9693
Part of subcall function 006D9639: SelectObject.GDI32(?,00000000), ref: 006D96A2
Part of subcall function 006D9639: BeginPath.GDI32(?), ref: 006D96B9
Part of subcall function 006D9639: SelectObject.GDI32(?,00000000), ref: 006D96E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00758887
LineTo.GDI32(?,?,?), ref: 00758894
EndPath.GDI32(?), ref: 007588A4
StrokePath.GDI32(?), ref: 007588B2

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: c6e6f3b9241cda718106adb2f6b04e5b14c4719df952591c573e3d23fa8cb28a
Instruction ID: fa70f9c1d10ac7ca075d5bbe4f2c216d9922bac3d223c0c3afd8e6733782cb17
Opcode Fuzzy Hash: c6e6f3b9241cda718106adb2f6b04e5b14c4719df952591c573e3d23fa8cb28a
Instruction Fuzzy Hash: 2CF03A36041759BBEB136F94AC09FCA3B59AF06322F44C005FA11651E1C7B96521CBA9

Function 006D98B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 006D98CC
SetTextColor.GDI32(?,?), ref: 006D98D6
SetBkMode.GDI32(?,00000001), ref: 006D98E9
GetStockObject.GDI32(00000005), ref: 006D98F1

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 29af5bbaeb0e47400587e1de3a5be5b07b72677e42e0ef1f7b0c2cee6ccc4d34
Instruction ID: fe984a86648bca985b34360c8629e099fa92d5e88aa65355c962e60f5477263b
Opcode Fuzzy Hash: 29af5bbaeb0e47400587e1de3a5be5b07b72677e42e0ef1f7b0c2cee6ccc4d34
Instruction Fuzzy Hash: FCE06531244784AEDB225B79AC09BD83F21AB11336F14C219F6F9580E1C7B54650DB10

Function 0072162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00721634
OpenThreadToken.ADVAPI32(00000000,?,?,?,007211D9), ref: 0072163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,007211D9), ref: 00721648
OpenProcessToken.ADVAPI32(00000000,?,?,?,007211D9), ref: 0072164F

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 4c6fe22809b6bb6c4f8b0888f6a6e8ea90e2022194d1e2aa1ad407e396b94471
Instruction ID: a2f99d36ea4f5b3e1d16ad3d30a09f17dcb20fed4ba1f8e94706d28a8d5c4874
Opcode Fuzzy Hash: 4c6fe22809b6bb6c4f8b0888f6a6e8ea90e2022194d1e2aa1ad407e396b94471
Instruction Fuzzy Hash: D8E04F71602321AFD7201BA0AE0DB8A3B68BF54B92F148808F249C9080DAAC4440C758

Function 0071D858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0071D858
GetDC.USER32(00000000), ref: 0071D862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0071D882
ReleaseDC.USER32(?), ref: 0071D8A3

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: ac1fae12627f6447bee0df38d9ccf06e9d7fffa112131ab6ed43c4196e31fd1c
Instruction ID: 6d8fdc6703072f9dee6164b11e83c20365548ef5d0607f68a5c5f9bda5d74c60
Opcode Fuzzy Hash: ac1fae12627f6447bee0df38d9ccf06e9d7fffa112131ab6ed43c4196e31fd1c
Instruction Fuzzy Hash: E6E0ED70800304DFCB429FA098087ADBBB2EB48311B108009E80AE7250C7784A419F44

Function 0071D86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0071D86C
GetDC.USER32(00000000), ref: 0071D876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0071D882
ReleaseDC.USER32(?), ref: 0071D8A3

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 302b1694118ab9b7605221461a9a2c924083e17f36695d2e0bde9952fa12368a
Instruction ID: 7f2d529f669a7581ec34cee8ca9c354bc60616f73b26fc3977d34d5894486437
Opcode Fuzzy Hash: 302b1694118ab9b7605221461a9a2c924083e17f36695d2e0bde9952fa12368a
Instruction Fuzzy Hash: F3E09A75C00304DFCF52AFA0D8087ADBBB6FB48712B148449E95AE7250C77C5A02DF54

Function 00734D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 006C7620: _wcslen.LIBCMT ref: 006C7625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00734ED4

Strings

LPT, xrefs: 00734DFB
*, xrefs: 00734E10

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: 410788db9c78779d5700705a7fdb5650520ba8f9abd8d6fed1a760d7f7a86702
Instruction ID: fdbc0f631d8b0aee1161e2e028ba4b7107f3172f5e5b81e93b451479d2d6ea8b
Opcode Fuzzy Hash: 410788db9c78779d5700705a7fdb5650520ba8f9abd8d6fed1a760d7f7a86702
Instruction Fuzzy Hash: DD914D75A002059FDB18DF58C484EAABBF1EF44304F18809DE80A9F362D739EE85CB91

Function 00747771 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(0071569E,00000000,?,0075CC08,?,00000000,00000000), ref: 007478DD

Part of subcall function 006C6B57: _wcslen.LIBCMT ref: 006C6B6A

CharUpperBuffW.USER32(0071569E,00000000,?,0075CC08,00000000,?,00000000,00000000), ref: 0074783B

Strings

<sx, xrefs: 007477C8

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: BuffCharUpper$_wcslen
String ID: <sx
API String ID: 3544283678-2298222301
Opcode ID: 5c96514d69d2af7d1376bdf12e4be2bd4d36d1b8e036927aaf6c86ca8fc32c21
Instruction ID: 8cd0ae2142a5dc7ff1aa3a3f9c01334c2b6398d70e2021cc0b0fe987cf092d94
Opcode Fuzzy Hash: 5c96514d69d2af7d1376bdf12e4be2bd4d36d1b8e036927aaf6c86ca8fc32c21
Instruction Fuzzy Hash: 2D612A72914128AACF49EBE4CC91EFDB379FF14304B44452DF542A7191EF38AA05DBA4

Function 006DE187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 006DE1B1

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 6fedce58d67edd7eb24cc8becfc9387d1c25498373d8cf806a4b640f9e903609
Instruction ID: cc14f2fe7fb7fa8d361a0ae76ea2bc9d0cf2e7d2dfd59caa11a3d6e57d1167ed
Opcode Fuzzy Hash: 6fedce58d67edd7eb24cc8becfc9387d1c25498373d8cf806a4b640f9e903609
Instruction Fuzzy Hash: 79512635900346DFEB15EF68C481AFA7BA6EF55310F64805AEC519F3D0D6399E82CBA0

Function 006DF291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 006DF2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 006DF2BB

Strings

@, xrefs: 006DF2AF

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: aabc3d5a3a77015b6a78ad3339537d184b14e5adfbda28eef4a208ac7250ecd7
Instruction ID: e5ad22fc36f2d2cae8db367f9174c45d1b94e37d39a61970854efc2e9147d122
Opcode Fuzzy Hash: aabc3d5a3a77015b6a78ad3339537d184b14e5adfbda28eef4a208ac7250ecd7
Instruction Fuzzy Hash: 655164714087449BD360AF10D886BABBBF9FF84310F81884CF199411A5EB309969CB6A

Function 00745745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 007457E0
_wcslen.LIBCMT ref: 007457EC

Strings

CALLARGARRAY, xrefs: 007457E6, 007457EB

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: 00d64e5fcbc12a6bd955fb37c7ea1cf0a110f8c18a62b99e5bcb6a241ada8ff1
Instruction ID: 29779bf4be36ceb799c645eb35bbadb4084325a4d99a3365265e3106acfb4bb7
Opcode Fuzzy Hash: 00d64e5fcbc12a6bd955fb37c7ea1cf0a110f8c18a62b99e5bcb6a241ada8ff1
Instruction Fuzzy Hash: FE418231E00209DFCB14DFA9C8859BEBBF9EF59314F10406DE505A7252DB789D81CBA0

Function 0073D0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0073D130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 0073D13A

Strings

|, xrefs: 0073D10B

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: ef87a9bd55a946d60b50d01e7bbfef7f88092cf12da78682d3ef93b062565bad
Instruction ID: 40bf6ac3b4b1d738d8698a2a17d72073225c39eeff35e5f43d488f56d94e9f26
Opcode Fuzzy Hash: ef87a9bd55a946d60b50d01e7bbfef7f88092cf12da78682d3ef93b062565bad
Instruction Fuzzy Hash: 3E311871D01209ABDF55EFA4DC85EEE7BBAFF08304F00001DF815A6162D735A916CB54

Function 0075356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00753621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 0075365C

Strings

static, xrefs: 007535BC

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 1997676383429adbacd3da5fc23f6b23991894c98bdd3d7b5c5be254bd7176f2
Instruction ID: 5f36c40e41881d0d16ed854b563284ea59a7eb670b340baf793ad089ca182c1b
Opcode Fuzzy Hash: 1997676383429adbacd3da5fc23f6b23991894c98bdd3d7b5c5be254bd7176f2
Instruction Fuzzy Hash: 5D31AC71100204AEDB109F38CC80FFB73A9FF88761F00961DF8A597290DAB9AD96C764

Function 00754537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 0075461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00754634

Strings

', xrefs: 0075458E

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: b16f20442d3791c6b3a3cf3bb66f27a80bf764b0a2e236a56850c1894e15d96f
Instruction ID: 78ea3b99b7edf6f51a6108946f5fc151002a3624944b5a6a7bb56836049f5599
Opcode Fuzzy Hash: b16f20442d3791c6b3a3cf3bb66f27a80bf764b0a2e236a56850c1894e15d96f
Instruction Fuzzy Hash: 87312774A0130AAFDB14CFA9C990BDA7BB5FF09315F10406AED04AB341E7B4A995CF90

Function 007531EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0075327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00753287

Strings

Combobox, xrefs: 00753249

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 34533a930d2d64ebf2bd4bd7931be4ee1b88ed3c545e4616cfda78e255b44101
Instruction ID: 8cd3db667ec9314d500b7a12ce6876b1514687916abef74c43070abbf55272e6
Opcode Fuzzy Hash: 34533a930d2d64ebf2bd4bd7931be4ee1b88ed3c545e4616cfda78e255b44101
Instruction Fuzzy Hash: 5111E271300608BFFF219E54DC80EFB376AFB943A5F104128F918E72A0D6B99D558760

Function 00753710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 006C600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 006C604C
Part of subcall function 006C600E: GetStockObject.GDI32(00000011), ref: 006C6060
Part of subcall function 006C600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 006C606A

GetWindowRect.USER32(00000000,?), ref: 0075377A
GetSysColor.USER32(00000012), ref: 00753794

Strings

static, xrefs: 00753757

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: e643c008afb6669a7cc170e812230b9b961298364c145a4179c143866492f3bc
Instruction ID: 352528898c851e14fc6e8ead82376f1a55335dcfce04b0c4aef4c717b3198803
Opcode Fuzzy Hash: e643c008afb6669a7cc170e812230b9b961298364c145a4179c143866492f3bc
Instruction Fuzzy Hash: 5E1159B2A10209AFDB01DFA8CC45EEA7BB8EB08355F004918FD55E2250E779E8659B50

Function 0073CD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0073CD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 0073CDA6

Strings

<local>, xrefs: 0073CD66

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: fa537c7e85cbb05a3581299522f3d84445b5904d74ba97e8d050fef9c6e24ea3
Instruction ID: f26c2e95f950e0a66206caa49a8d4db0a607bee7b85557992bfe426133507293
Opcode Fuzzy Hash: fa537c7e85cbb05a3581299522f3d84445b5904d74ba97e8d050fef9c6e24ea3
Instruction Fuzzy Hash: D811C6753256317AE7364B668C45FE7BE6CEF127A4F004226B109A3181D7789840D7F0

Function 00753429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 007534AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 007534BA

Strings

edit, xrefs: 0075348F

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 31c299646375ebf605049c666f22f2d600c2cc8bb05519b040644b0548b3472e
Instruction ID: 06509e18b3b857bb53ad44c80907f3462269f6dbfac414d1b29fc0fe6feb4f5f
Opcode Fuzzy Hash: 31c299646375ebf605049c666f22f2d600c2cc8bb05519b040644b0548b3472e
Instruction Fuzzy Hash: 9511BF71100248AFEB128E64DC44AFB376AEB043B5F508724FD61931E0C7B9DC999754

Function 00726C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 006C9CB3: _wcslen.LIBCMT ref: 006C9CBD

CharUpperBuffW.USER32(?,?,?), ref: 00726CB6
_wcslen.LIBCMT ref: 00726CC2

Strings

STOP, xrefs: 00726CBC, 00726CC1

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: 8bb9c13fe17d8754bbb97b7ea4f86461b2264681ecf0aba20935afb88eba4782
Instruction ID: 3c36c5d8855ab196bdd779ee746ccc6411a2bb6c340c9e1775df4dd709077056
Opcode Fuzzy Hash: 8bb9c13fe17d8754bbb97b7ea4f86461b2264681ecf0aba20935afb88eba4782
Instruction Fuzzy Hash: A7012632B0053A8BCB20BFFDEC809BF37B5EB60710700053AE86293190EB39E940C660

Function 00721CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006C9CB3: _wcslen.LIBCMT ref: 006C9CBD

Part of subcall function 00723CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00723CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00721D4C

Strings

ComboBox, xrefs: 00721CEB
ListBox, xrefs: 00721D16

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 81a049f2a653c82799459387d28c46a4411ed50b069c3596f47f5c99c70a5db4
Instruction ID: 9a7f49ec6a94766d36fba2b045fbaae67dc2d14af7b47e928df80902441f77b9
Opcode Fuzzy Hash: 81a049f2a653c82799459387d28c46a4411ed50b069c3596f47f5c99c70a5db4
Instruction Fuzzy Hash: C701D875741224EBCB08EFA4EC55EFE7769FB66350B44091EF832572C1EA3859088774

Function 00721BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006C9CB3: _wcslen.LIBCMT ref: 006C9CBD

Part of subcall function 00723CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00723CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00721C46

Strings

ComboBox, xrefs: 00721BE5
ListBox, xrefs: 00721C10

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 8ef138519b96832fa31d9f0259ae3d5da763a33f54b7d9489dec92a7c13db834
Instruction ID: 20742e5f49191b7e7d11e71631e5bab74a642b4a6d9de561596b2c3faa7749fb
Opcode Fuzzy Hash: 8ef138519b96832fa31d9f0259ae3d5da763a33f54b7d9489dec92a7c13db834
Instruction Fuzzy Hash: AE01F7B56811186ACB08FB90D965EFF77A8EB21340F50041DA416732C1EA289F4887B5

Function 00721C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006C9CB3: _wcslen.LIBCMT ref: 006C9CBD

Part of subcall function 00723CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00723CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 00721CC8

Strings

ComboBox, xrefs: 00721C69
ListBox, xrefs: 00721C94

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 565605d9b908227727cb30ec866c803570b28e6194a293f5122c831c032e4ba8
Instruction ID: d6f0c353bd952d3cd72d6768d6719b35a249d1e9cacdcfc63f172a4940421174
Opcode Fuzzy Hash: 565605d9b908227727cb30ec866c803570b28e6194a293f5122c831c032e4ba8
Instruction Fuzzy Hash: 2501D6B568122867CB04FBA0DA15FFE77A8EB21340F54042DB81273281EA689F58C7B5

Function 006DA4D6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 006DA529

Part of subcall function 006C9CB3: _wcslen.LIBCMT ref: 006C9CBD

Strings

3yq, xrefs: 006DA545, 006DA54D, 006DA552
,%y, xrefs: 006DA509

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Init_thread_footer_wcslen
String ID: ,%y$3yq
API String ID: 2551934079-3864033816
Opcode ID: 8ebc4179513fb60824b0467d0cade4611669ea5d1cc926b7d010e65802513d36
Instruction ID: 663b1584f05954fb3a91dea97da54ba98f5cef3ad2972fb375d25d4929dda750
Opcode Fuzzy Hash: 8ebc4179513fb60824b0467d0cade4611669ea5d1cc926b7d010e65802513d36
Instruction Fuzzy Hash: 6301F232A05610ABDA04F7A9E81BBAD33A6DB05710F50006EF5125B3C3EE549D428AAF

Function 00721D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006C9CB3: _wcslen.LIBCMT ref: 006C9CBD

Part of subcall function 00723CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00723CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00721DD3

Strings

ComboBox, xrefs: 00721D75
ListBox, xrefs: 00721DA0

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: e48ab5884da966b7493c96d6c8c47ba05e9f4378e56f5b29d349c5c06c989f90
Instruction ID: 8a6db663475f2043816d62e296b74b5bd41e47548f9e68280b43af29c4af4a09
Opcode Fuzzy Hash: e48ab5884da966b7493c96d6c8c47ba05e9f4378e56f5b29d349c5c06c989f90
Instruction Fuzzy Hash: 83F0A4B1B41228A6DB18FBA4DC56FFE7778FB11350F440D1DB832632C1DA685A088274

Function 006FCADA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 006F2D74: GetLastError.KERNEL32(?,?,006F5686,00703CD6,?,00000000,?,006F5B6A,?,?,?,?,?,006EE6D1,?,00788A48), ref: 006F2D78
Part of subcall function 006F2D74: _free.LIBCMT ref: 006F2DAB
Part of subcall function 006F2D74: SetLastError.KERNEL32(00000000,?,?,?,?,006EE6D1,?,00788A48,00000010,006C4F4A,?,?,00000000,00703CD6), ref: 006F2DEC
Part of subcall function 006F2D74: _abort.LIBCMT ref: 006F2DF2

_abort.LIBCMT ref: 006FCB0C
_free.LIBCMT ref: 006FCB40

Strings

X, xrefs: 006FCB46, 006FCB4E

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: ErrorLast_abort_free
String ID: X
API String ID: 289325740-1677210272
Opcode ID: 998348a893dc920a190be4e15a5a682b1c4308a172b0892706013fa2e8944ab5
Instruction ID: 95d983a5fbcbf1550ca0ba9a3c3892f8f5aa5293a228ce70e3086f915d06a503
Opcode Fuzzy Hash: 998348a893dc920a190be4e15a5a682b1c4308a172b0892706013fa2e8944ab5
Instruction Fuzzy Hash: 6501C035D81B2E9BC762AF5C9A4227DB372BF04B70B14421AEA10A3381C7382D41DFD9

Function 00758172 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00793018,0079305C), ref: 007581BF
CloseHandle.KERNEL32 ref: 007581D1

Strings

\0y, xrefs: 0075818A

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: \0y
API String ID: 3712363035-1819865517
Opcode ID: ce9f071819d1fbcd38ca12864f41893378abe223a25779503244005737f8eda6
Instruction ID: 6b66c2d7ab2673d62d233b7193c0a21f9ae636a8dd7d316d61ac55361158fdbc
Opcode Fuzzy Hash: ce9f071819d1fbcd38ca12864f41893378abe223a25779503244005737f8eda6
Instruction Fuzzy Hash: 83F089B1641304BFF75067696C46FB73A5EDB04751F008426BB08D51A1E6BE8E0187FD

Function 0074747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00747493
_wcslen.LIBCMT ref: 007474B9

Strings

3, 3, 16, 1, xrefs: 00747483

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: a81283a1061d6cb602eca919fd0839422fbbaa1db5b48da545d663808d961de0
Instruction ID: 88ec1e1d92237eaebb33b4af3471da675d22322df564d891499f9aa949f2117b
Opcode Fuzzy Hash: a81283a1061d6cb602eca919fd0839422fbbaa1db5b48da545d663808d961de0
Instruction Fuzzy Hash: E4E02B422153E0109279227E9CC197F578ACFC9750710182FF981D2267EF98CD91D3F5

Function 00720B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00720B23

Strings

Error allocating memory., xrefs: 00720B1C
AutoIt, xrefs: 00720B17

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: 95bbda5b363e5cabe437dcb5bf4a9fd00e848928cc9a81bf5156fadde679b47c
Instruction ID: 3fd7d83084053343d1aea1bff8dad8f5285737fdda47859655fc190205e4e319
Opcode Fuzzy Hash: 95bbda5b363e5cabe437dcb5bf4a9fd00e848928cc9a81bf5156fadde679b47c
Instruction Fuzzy Hash: D7E092712843182AD25137957C07FC97A85CF09B51F10042EFB48555C38AD6285046ED

Function 006E0D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 006DF7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,006E0D71,?,?,?,006C100A), ref: 006DF7CE

IsDebuggerPresent.KERNEL32(?,?,?,006C100A), ref: 006E0D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,006C100A), ref: 006E0D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 006E0D7F

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: 007c395a7c73dded9d332b0350642c3569ab3da74e910a5424f26c47a60bdac2
Instruction ID: a3f2641a5f678537a645a0a32768c79c2d97d7be0fc33f91f182a0354e8dd4ee
Opcode Fuzzy Hash: 007c395a7c73dded9d332b0350642c3569ab3da74e910a5424f26c47a60bdac2
Instruction Fuzzy Hash: A6E06D702003818FE3619FB9E8047967BE1BF00745F00892DE882C6651DBF8E4888BA1

Function 006DE398 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 006DE3D5

Strings

0%y, xrefs: 006DE3B5
8%y, xrefs: 006DE3CA

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: 0%y$8%y
API String ID: 1385522511-1387198761
Opcode ID: 2bab89d4dbba6585c1925e65a7d188bdba715a053146366c1eaded7ca16dc5b6
Instruction ID: 558edf626fa9429b5b8b0d3b5520277a54db37afc767aaa385cae30716be22a0
Opcode Fuzzy Hash: 2bab89d4dbba6585c1925e65a7d188bdba715a053146366c1eaded7ca16dc5b6
Instruction Fuzzy Hash: 24E02631C0AA10EBCA04B718F854AEC3357AB44320B1341FBE1028F3D3DB792883868C

Function 00733017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 0073302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00733044

Strings

aut, xrefs: 00733038

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 29934f749f6de0816312673e8d72d09f4061a10b8ba592495d3802258eaa6010
Instruction ID: 9acc9bc4ca2630910c0faef5e423add720d8fb051e26b6008c1dc742672753fe
Opcode Fuzzy Hash: 29934f749f6de0816312673e8d72d09f4061a10b8ba592495d3802258eaa6010
Instruction Fuzzy Hash: EDD0A5719403147BDB30A7949C4DFC73B6CD704751F0041517655D60D1DAF4D544CBD4

Function 0071D21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 0071D220

Strings

%.3d, xrefs: 0071D22B
X64, xrefs: 0071D2A8

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: daa47e4b155768959bb690f92e2529f71efff5dcec0bd6b3c3a851ad18bf9e66
Instruction ID: c6d5938cea6d67303ca881341f9d39f7f337fa7fe640df2d62acde873848e71d
Opcode Fuzzy Hash: daa47e4b155768959bb690f92e2529f71efff5dcec0bd6b3c3a851ad18bf9e66
Instruction Fuzzy Hash: 4FD012B1C08218E9CBA0A7D4CC499F9B37CFB19301F608453F91791080D63CD988AF61

Function 00752356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0075236C
PostMessageW.USER32(00000000), ref: 00752373

Part of subcall function 0072E97B: Sleep.KERNELBASE ref: 0072E9F3

Strings

Shell_TrayWnd, xrefs: 00752365

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: df0ec332bbecf7cd58a739584a5d5d93093e9e3a0d12c6ff538147fe0ae255e1
Instruction ID: deaca400a7132a3fc05b75acc0e51a41158e9a4a7c0e7391b2253ad6dbed43d1
Opcode Fuzzy Hash: df0ec332bbecf7cd58a739584a5d5d93093e9e3a0d12c6ff538147fe0ae255e1
Instruction Fuzzy Hash: 46D0C9723C1310BAE665B770AC1FFC666149B04B11F5089567645AA1D0D9E8B8418A58

Function 00752322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0075232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 0075233F

Part of subcall function 0072E97B: Sleep.KERNELBASE ref: 0072E9F3

Strings

Shell_TrayWnd, xrefs: 00752325

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: a1c674c3e98c787430e63a5602ab96a1cc97a0e6a0c89f471b7b720d819769b2
Instruction ID: 4f7f9ec8b32a99af20fa0f801e1bb0c574d454e2b118ebe631ae9263e0e9d28a
Opcode Fuzzy Hash: a1c674c3e98c787430e63a5602ab96a1cc97a0e6a0c89f471b7b720d819769b2
Instruction Fuzzy Hash: 70D012763D4310BBE664B770EC1FFC67A149B00B11F1089567745AA1D0D9F8B841CB58

Function 006DF7E0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 11windowCOMMON

Download Yara Rule

APIs

DestroyIcon.USER32(00010437), ref: 006DF7EA

Strings

H, xrefs: 006DF7F0
, xrefs: 006DF804

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: DestroyIcon
String ID: H$
API String ID: 1234817797-3363244028
Opcode ID: 3ab0ecfe499d95ef9a9edccde96de4ee3530a192be9751562f9f3cf796621aa0
Instruction ID: cb5c8d5fb390a18733076c6c46f999899fc300577e8df9346715b9cd2fc2d589
Opcode Fuzzy Hash: 3ab0ecfe499d95ef9a9edccde96de4ee3530a192be9751562f9f3cf796621aa0
Instruction Fuzzy Hash: A2C01220B02203474F4C77A8B8A9BB4226BEBC9301390483F6103C77A0CE18883146BE

Function 006FBDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 006FBE93
GetLastError.KERNEL32 ref: 006FBEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 006FBEFC

Memory Dump Source

Source File: 00000000.00000002.3362131380.00000000006C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true

Associated: 00000000.00000002.3362105272.00000000006C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.000000000075C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362205841.0000000000782000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362297273.000000000078C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3362338774.0000000000794000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: badad6fa2ddb691e2c5edece191d32d83ccb1249a8b4c526f67cdda63b53634c
Instruction ID: 20e8a1a9580670a75879245fb1a26a291b192d6ecd8caa27e9b856fdb1ccb748
Opcode Fuzzy Hash: badad6fa2ddb691e2c5edece191d32d83ccb1249a8b4c526f67cdda63b53634c
Instruction Fuzzy Hash: FC41F83460220EAFCF218F69CC44AFA7BA7EF41350F149169FA59972A1DB308D01CB55

Source: Joe Sandbox View	IP Address: 13.107.246.42 13.107.246.42
Source: Joe Sandbox View	IP Address: 23.55.235.170 23.55.235.170
Source: Joe Sandbox View	IP Address: 162.159.61.3 162.159.61.3
Source: Joe Sandbox View	IP Address: 239.255.255.250 239.255.255.250

Source: Joe Sandbox View	JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: global traffic	HTTP traffic detected: GET /assets/arbitration_priority_list/4.0.5/asset?assetgroup=ArbitrationService HTTP/1.1Host: edgeassetservice.azureedge.netConnection: keep-aliveEdge-Asset-Group: ArbitrationServiceSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /assets/domains_config_gz/2.8.76/asset?assetgroup=EntityExtractionDomainsConfig HTTP/1.1Host: edgeassetservice.azureedge.netConnection: keep-aliveEdge-Asset-Group: EntityExtractionDomainsConfigSec-Mesh-Client-Edge-Version: 117.0.2045.55Sec-Mesh-Client-Edge-Channel: stableSec-Mesh-Client-OS: WindowsSec-Mesh-Client-OS-Version: 10.0.19045Sec-Mesh-Client-Arch: x86_64Sec-Mesh-Client-WebView: 0Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: OPTIONS /log?format=json&hasfast=true&authuser=0 HTTP/1.1Host: play.google.comConnection: keep-aliveAccept: /Access-Control-Request-Method: POSTAccess-Control-Request-Headers: x-goog-authuserOrigin: https://accounts.google.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55Sec-Fetch-Mode: corsSec-Fetch-Site: same-siteSec-Fetch-Dest: emptyReferer: https://accounts.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9
Source: global traffic	HTTP traffic detected: OPTIONS /log?format=json&hasfast=true&authuser=0 HTTP/1.1Host: play.google.comConnection: keep-aliveAccept: /Access-Control-Request-Method: POSTAccess-Control-Request-Headers: x-goog-authuserOrigin: https://accounts.google.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55Sec-Fetch-Mode: corsSec-Fetch-Site: same-siteSec-Fetch-Dest: emptyReferer: https://accounts.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: www.google.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55sec-ch-ua-arch: "x86"sec-ch-ua-full-version: "117.0.2045.55"sec-ch-ua-platform-version: "10.0.0"sec-ch-ua-full-version-list: "Microsoft Edge";v="117.0.2045.55", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.150"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-ua-wow64: ?0sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://accounts.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9
Source: global traffic	HTTP traffic detected: OPTIONS /api/report?cat=bingbusiness HTTP/1.1Host: bzib.nelreports.netConnection: keep-aliveOrigin: https://business.bing.comAccess-Control-Request-Method: POSTAccess-Control-Request-Headers: content-typeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8

Source: global traffic	HTTP traffic detected: GET /assets/arbitration_priority_list/4.0.5/asset?assetgroup=ArbitrationService HTTP/1.1Host: edgeassetservice.azureedge.netConnection: keep-aliveEdge-Asset-Group: ArbitrationServiceSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /assets/domains_config_gz/2.8.76/asset?assetgroup=EntityExtractionDomainsConfig HTTP/1.1Host: edgeassetservice.azureedge.netConnection: keep-aliveEdge-Asset-Group: EntityExtractionDomainsConfigSec-Mesh-Client-Edge-Version: 117.0.2045.55Sec-Mesh-Client-Edge-Channel: stableSec-Mesh-Client-OS: WindowsSec-Mesh-Client-OS-Version: 10.0.19045Sec-Mesh-Client-Arch: x86_64Sec-Mesh-Client-WebView: 0Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: /Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: www.google.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.55sec-ch-ua-arch: "x86"sec-ch-ua-full-version: "117.0.2045.55"sec-ch-ua-platform-version: "10.0.0"sec-ch-ua-full-version-list: "Microsoft Edge";v="117.0.2045.55", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.150"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-ua-wow64: ?0sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://accounts.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=kmCaG8x8tzDDLSy&MD=U4hRGUfS HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=kmCaG8x8tzDDLSy&MD=U4hRGUfS HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com

Source: global traffic	DNS traffic detected: DNS query: bzib.nelreports.net
Source: global traffic	DNS traffic detected: DNS query: chrome.cloudflare-dns.com

Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 20.197.71.89
Source: unknown	TCP traffic detected without corresponding DNS query: 20.197.71.89
Source: unknown	TCP traffic detected without corresponding DNS query: 20.197.71.89
Source: unknown	TCP traffic detected without corresponding DNS query: 20.197.71.89
Source: unknown	TCP traffic detected without corresponding DNS query: 20.197.71.89
Source: unknown	TCP traffic detected without corresponding DNS query: 20.197.71.89
Source: unknown	TCP traffic detected without corresponding DNS query: 20.197.71.89
Source: unknown	TCP traffic detected without corresponding DNS query: 20.197.71.89
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 20.197.71.89
Source: unknown	TCP traffic detected without corresponding DNS query: 20.197.71.89
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.65.174
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.65.174
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.65.174
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.65.174
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.65.174
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.65.174
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.65.164
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.65.164
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.65.164
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.65.174
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.65.174
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.65.174
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.65.174
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.65.174
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.65.174
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.65.174
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.65.174

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\23628a14-910b-4ba1-b815-a4db2809a720.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\5ecc7219-59ec-45ec-94b0-5c6bbb753c1e.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\67f9a387-887d-47e1-813f-14827f39e251.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\68408403-595b-428c-aca4-b0af2d9d44f9.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\7ba7bb5d-56ef-4a07-9bd5-9107e223bd7f.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Ad Blocking\ad881d14-5caa-4810-89dc-8d95abc34f2b.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Ad Blocking\blocklist (copy)

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\BrowserMetrics-spare.pma (copy)

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\BrowserMetrics-spare.pma.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\BrowserMetrics\BrowserMetrics-66D76739-1484.pma

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\BrowserMetrics\BrowserMetrics-66D76739-1B90.pma

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\settings.dat

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\throttle_store.dat

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\077c119b-65df-4da8-9a71-fe29844df7c8.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\19600334-ac7f-47e5-a0a2-ce01bf3a3d1a.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\2345e4fd-e288-453a-82df-f87c286424c3.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\6807fa09-e136-4e58-a68d-59b5e567cd5f.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\8daea1ba-59d2-4949-a839-5ca8a22adac4.tmp

Windows Analysis Report
file.exe

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre