Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1503940
MD5:	a7b043cd523abc9ddb4756a6c633b5ca
SHA1:	fc3e8ed8f07dac430b1444b9f9da93b2a14c2383
SHA256:	0c7c457fccc4d44e2a4b827e7c85e0c8af5ad3b5569fc30f775acc3b7662af4a
Tags:	exe
Infos:

Detection

Score:	68
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of debugger detection

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Sleep loop found (likely to delay execution)

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

file.exe (PID: 2468 cmdline: "C:\Users\user\Desktop\file.exe" MD5: A7B043CD523ABC9DDB4756A6C633B5CA)

msedge.exe (PID: 3876 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 7196 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2064 --field-trial-handle=2036,i,3849763096522647370,4896450222763674263,262144 --disable-features=TranslateUI /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 7220 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 7580 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2028 --field-trial-handle=2044,i,11574969173397465828,18444030210144044815,262144 --disable-features=TranslateUI /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 8796 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=7332 --field-trial-handle=2044,i,11574969173397465828,18444030210144044815,262144 --disable-features=TranslateUI /prefetch:8 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 8804 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=7304 --field-trial-handle=2044,i,11574969173397465828,18444030210144044815,262144 --disable-features=TranslateUI /prefetch:8 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 8420 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start /prefetch:5 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 4368 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2944 --field-trial-handle=2768,i,548461295133709711,14865383362578032956,262144 /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 6788 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=4480 --field-trial-handle=2768,i,548461295133709711,14865383362578032956,262144 /prefetch:8 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 8708 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start /prefetch:5 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 9012 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2284 --field-trial-handle=2124,i,5193650039718528943,5512548186967427648,262144 /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 5448 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=3596 --field-trial-handle=2124,i,5193650039718528943,5512548186967427648,262144 /prefetch:8 MD5: 69222B8101B0601CC6663F8381E7E00F)

cleanup

HTTP traffic detected: POST /dns-query HTTP/1.1Host: chrome.cloudflare-dns.comConnection: keep-aliveContent-Length: 128Accept: application/dns-messageAccept-Language: *User-Agent: ChromeAccept-Encoding: identityContent-Type: application/dns-message

Source: file.exe, 00000000.00000002.3258606675.0000000001B1A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.3258606675.0000000001AE8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.3258606675.0000000001B11000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.c
Source: data_10.6.dr	String found in binary or memory: https://arc.msn.com/v4/api/selection?placement=88000360&nct=1&fmt=json&ADEFAB=1&OPSYS=WIN10&locale=e
Source: data_10.6.dr	String found in binary or memory: https://azureedge.net
Source: Reporting and NEL.6.dr	String found in binary or memory: https://bzib.nelreports.net/api/report?cat=bingbusiness
Source: Web Data.4.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: Web Data.4.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: Web Data.4.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: Web Data.4.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: Web Data.4.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: data_10.6.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/arbitration_priority_list/4.0.5/asset?assetgroup=Arbit
Source: data_10.6.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/domains_config_gz/2.8.76/asset?assetgroup=EntityExtrac
Source: data_10.6.dr	String found in binary or memory: https://msn.com
Source: Web Data.4.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: Top Sites.4.dr	String found in binary or memory: https://www.office.com/
Source: Top Sites.4.dr	String found in binary or memory: https://www.office.com/Office

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443

Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.5:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.5:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.68.123.157:443 -> 192.168.2.5:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.68.123.157:443 -> 192.168.2.5:49749 version: TLS 1.2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0103EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_0103EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0103ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_0103ED6A

Source: C:\Users\user\Desktop\file.exe

0_2_0103EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0102AB9C GetKeyState,GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_0102AB9C

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_01059576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_01059576

System Summary

Binary is likely a compiled AutoIt script file

Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: file.exe, 00000000.00000000.2003172205.0000000001082000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_16ce020a-b
Source: file.exe, 00000000.00000000.2003172205.0000000001082000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_0e445634-5
Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_2e7e3bf7-5
Source: file.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_ecb61c9e-2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0102D5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_0102D5EB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_01021201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_01021201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0102E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_0102E8F6

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FC8060	0_2_00FC8060
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01032046	0_2_01032046
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01028298	0_2_01028298
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FFE4FF	0_2_00FFE4FF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FF676B	0_2_00FF676B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01054873	0_2_01054873
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FCCAF0	0_2_00FCCAF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FECAA0	0_2_00FECAA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FDCC39	0_2_00FDCC39
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FF6DD9	0_2_00FF6DD9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FC91C0	0_2_00FC91C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FDB119	0_2_00FDB119
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FE1394	0_2_00FE1394
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FE1706	0_2_00FE1706
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FE781B	0_2_00FE781B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FE19B0	0_2_00FE19B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FD997D	0_2_00FD997D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FC7920	0_2_00FC7920
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FE7A4A	0_2_00FE7A4A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FE7CA7	0_2_00FE7CA7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FE1C77	0_2_00FE1C77
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FF9EEE	0_2_00FF9EEE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0104BE44	0_2_0104BE44
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FE1F32	0_2_00FE1F32

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00FC9CB3 appears 31 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00FE0A30 appears 46 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00FDF9F2 appears 40 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal68.evad.winEXE@71/318@12/9

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_010337B5 GetLastError,FormatMessageW,

0_2_010337B5

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_010210BF AdjustTokenPrivileges,CloseHandle,		0_2_010210BF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_010216C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_010216C3

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_010351CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_010351CD

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0104A67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_0104A67C

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0103648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_0103648E

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00FC42A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00FC42A2

Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

File created: C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk

Jump to behavior

Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

File created: C:\Users\user\AppData\Local\Temp\f0595a6c-dfec-45aa-9762-0db95696eb8f.tmp

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Login Data.4.dr

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: file.exe	ReversingLabs: Detection: 21%
Source: file.exe	Virustotal: Detection: 22%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2064 --field-trial-handle=2036,i,3849763096522647370,4896450222763674263,262144 --disable-features=TranslateUI /prefetch:3
Source: unknown	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2028 --field-trial-handle=2044,i,11574969173397465828,18444030210144044815,262144 --disable-features=TranslateUI /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=7332 --field-trial-handle=2044,i,11574969173397465828,18444030210144044815,262144 --disable-features=TranslateUI /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=7304 --field-trial-handle=2044,i,11574969173397465828,18444030210144044815,262144 --disable-features=TranslateUI /prefetch:8
Source: unknown	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start /prefetch:5
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2944 --field-trial-handle=2768,i,548461295133709711,14865383362578032956,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=4480 --field-trial-handle=2768,i,548461295133709711,14865383362578032956,262144 /prefetch:8
Source: unknown	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start /prefetch:5
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2284 --field-trial-handle=2124,i,5193650039718528943,5512548186967427648,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=3596 --field-trial-handle=2124,i,5193650039718528943,5512548186967427648,262144 /prefetch:8
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2064 --field-trial-handle=2036,i,3849763096522647370,4896450222763674263,262144 --disable-features=TranslateUI /prefetch:3	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2028 --field-trial-handle=2044,i,11574969173397465828,18444030210144044815,262144 --disable-features=TranslateUI /prefetch:3	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=7332 --field-trial-handle=2044,i,11574969173397465828,18444030210144044815,262144 --disable-features=TranslateUI /prefetch:8	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=7304 --field-trial-handle=2044,i,11574969173397465828,18444030210144044815,262144 --disable-features=TranslateUI /prefetch:8	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2944 --field-trial-handle=2768,i,548461295133709711,14865383362578032956,262144 /prefetch:3	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=4480 --field-trial-handle=2768,i,548461295133709711,14865383362578032956,262144 /prefetch:8	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2284 --field-trial-handle=2124,i,5193650039718528943,5512548186967427648,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=3596 --field-trial-handle=2124,i,5193650039718528943,5512548186967427648,262144 /prefetch:8

Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00FC42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00FC42DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00FE0A76 push ecx; ret

0_2_00FE0A89

Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run MicrosoftEdgeAutoLaunch_E81D8DD3EACFA71E827377A4597DF902			Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run MicrosoftEdgeAutoLaunch_E81D8DD3EACFA71E827377A4597DF902			Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FDF98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_00FDF98E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01051C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_01051C41

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\file.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-95570

Source: C:\Users\user\Desktop\file.exe

Window / User API: threadDelayed 6462

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

API coverage: 3.2 %

Source: C:\Users\user\Desktop\file.exe TID: 1964

Thread sleep time: -64620s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe

Thread sleep count: Count: 6462 delay: -10

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0102DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0102DBBE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FFC2A2 FindFirstFileExW,	0_2_00FFC2A2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0103698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_0103698F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_010368EE FindFirstFileW,FindClose,	0_2_010368EE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0102D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0102D076
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0102D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0102D3A9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0103979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0103979D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01039642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_01039642
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01039B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_01039B2B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01035C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_01035C97

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00FC42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00FC42DE

Source: Web Data.12.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: Web Data.12.dr	Binary or memory string: discord.comVMware20,11696428655f
Source: Web Data.12.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: Web Data.12.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: Web Data.12.dr	Binary or memory string: global block list test formVMware20,11696428655
Source: Web Data.12.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: Web Data.12.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: Web Data.12.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: Web Data.12.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: Web Data.12.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: Web Data.12.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: Web Data.12.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: Web Data.12.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: Web Data.12.dr	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: Web Data.12.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: Web Data.12.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: Web Data.12.dr	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: Web Data.12.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: Web Data.12.dr	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: Web Data.12.dr	Binary or memory string: AMC password management pageVMware20,11696428655
Source: Web Data.12.dr	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: Web Data.12.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: Web Data.12.dr	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: Web Data.12.dr	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: Web Data.12.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: Web Data.12.dr	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: Web Data.12.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: Web Data.12.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: Web Data.12.dr	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: Web Data.12.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: Web Data.12.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655

Anti Debugging

Found API chain indicative of debugger detection

Source: C:\Users\user\Desktop\file.exe

Debugger detection routine: QueryPerformanceCounter, DebugActiveProcess, DecisionNodes, ExitProcess or Sleep

graph_0-95667

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0103EAA2 BlockInput,

0_2_0103EAA2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00FF2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00FF2622

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00FC42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00FC42DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00FE4CE8 mov eax, dword ptr fs:[00000030h]

0_2_00FE4CE8

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_01020B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_01020B62

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FF2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00FF2622
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FE083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00FE083F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FE09D5 SetUnhandledExceptionFilter,	0_2_00FE09D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FE0C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00FE0C21

Source: C:\Users\user\Desktop\file.exe

0_2_01021201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_01002BA5 SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_01002BA5

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0102B226 SendInput,keybd_event,

0_2_0102B226

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0102E355 mouse_event,

0_2_0102E355

Source: C:\Users\user\Desktop\file.exe

0_2_01020B62

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_01021663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_01021663

Source: file.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: file.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00FE0698 cpuid

0_2_00FE0698

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_01038195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_01038195

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0101D27A GetUserNameW,

0_2_0101D27A

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00FFB952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

0_2_00FFB952

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00FC42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00FC42DE

Source: file.exe	Binary or memory string: WIN_81
Source: file.exe	Binary or memory string: WIN_XP
Source: file.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: file.exe	Binary or memory string: WIN_XPe
Source: file.exe	Binary or memory string: WIN_VISTA
Source: file.exe	Binary or memory string: WIN_7
Source: file.exe	Binary or memory string: WIN_8

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01041204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_01041204
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01041806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_01041806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 Registry Run Keys / Startup Folder	2 Valid Accounts	2 Obfuscated Files or Information	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	15 System Information Discovery	Distributed Component Object Model	Input Capture	14 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	2 Process Injection	1 Masquerading	LSA Secrets	221 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	1 Registry Run Keys / Startup Folder	2 Valid Accounts	Cached Domain Credentials	22 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	22 Virtualization/Sandbox Evasion	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	2 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Link
file.exe	21%	ReversingLabs
file.exe	23%	Virustotal	Browse
file.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Link
chrome.cloudflare-dns.com	0%	Virustotal	Browse
s-part-0044.t-0009.fb-t-msedge.net	0%	Virustotal	Browse
bzib.nelreports.net	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
https://duckduckgo.com/chrome_newtab	0%	URL Reputation	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	URL Reputation	safe
https://bzib.nelreports.net/api/report?cat=bingbusiness	0%	URL Reputation	safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0%	URL Reputation	safe
https://duckduckgo.com/ac/?q=	0%	URL Reputation	safe
https://chrome.cloudflare-dns.com/dns-query	0%	URL Reputation	safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	0%	URL Reputation	safe
https://www.office.com/Office	0%	Avira URL Cloud	safe
https://www.office.com/	0%	Avira URL Cloud	safe
https://msn.com	0%	Avira URL Cloud	safe
https://www.google.com/favicon.ico	0%	Avira URL Cloud	safe
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	0%	Avira URL Cloud	safe
https://www.office.com/	0%	Virustotal		Browse
https://www.office.com/Office	0%	Virustotal		Browse
https://www.google.com/favicon.ico	0%	Virustotal		Browse
https://msn.com	0%	Virustotal		Browse
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
chrome.cloudflare-dns.com	172.64.41.3	true	false	0%, Virustotal, Browse	unknown
s-part-0044.t-0009.fb-t-msedge.net	13.107.253.72	true	false	0%, Virustotal, Browse	unknown
bzib.nelreports.net	unknown	unknown	false	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://chrome.cloudflare-dns.com/dns-query	false	URL Reputation: safe	unknown
https://www.google.com/favicon.ico	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.office.com/	Top Sites.4.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://duckduckgo.com/chrome_newtab	Web Data.4.dr	false	URL Reputation: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	Web Data.4.dr	false	URL Reputation: safe	unknown
https://www.office.com/Office	Top Sites.4.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://bzib.nelreports.net/api/report?cat=bingbusiness	Reporting and NEL.6.dr	false	URL Reputation: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	Web Data.4.dr	false	URL Reputation: safe	unknown
https://duckduckgo.com/ac/?q=	Web Data.4.dr	false	URL Reputation: safe	unknown
https://msn.com	data_10.6.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	Web Data.4.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	Web Data.4.dr	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
23.219.161.132	unknown	United States	20940	AKAMAI-ASN1EU	false
162.159.61.3	unknown	United States	13335	CLOUDFLARENETUS	false
142.251.40.132	unknown	United States	15169	GOOGLEUS	false
13.107.253.72	s-part-0044.t-0009.fb-t-msedge.net	United States	8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
142.250.65.238	unknown	United States	15169	GOOGLEUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
172.64.41.3	chrome.cloudflare-dns.com	United States	13335	CLOUDFLARENETUS	false
142.251.35.174	unknown	United States	15169	GOOGLEUS	false

Private

IP
192.168.2.5

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1503940
Start date and time:	2024-09-04 09:11:06 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 23s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	19
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal68.evad.winEXE@71/318@12/9
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 97% Number of executed functions: 42 Number of non-executed functions: 313
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, RuntimeBroker.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 13.107.42.16, 66.102.1.84, 204.79.197.239, 13.107.21.239, 13.107.6.158, 2.19.126.145, 2.19.126.152, 142.250.184.195, 172.217.16.195, 2.23.209.162, 2.23.209.157, 2.23.209.158, 2.23.209.150, 2.23.209.154, 2.23.209.160, 2.23.209.156, 2.23.209.163, 2.23.209.155, 20.103.156.88, 87.248.205.0, 192.229.221.95, 74.125.71.84, 142.250.72.99, 142.251.40.131, 142.250.80.67, 142.251.40.163, 142.251.32.99
Excluded domains from analysis (whitelisted): azurefd-t-fb-prod.trafficmanager.net, config.edge.skype.com.trafficmanager.net, slscr.update.microsoft.com, a416.dscd.akamai.net, edgeassetservice.afd.azureedge.net, arc.msn.com, iris-de-prod-azsc-v2-weu.westeurope.cloudapp.azure.com, e86303.dscx.akamaiedge.net, ocsp.digicert.com, www.bing.com.edgekey.net, config-edge-skype.l-0007.l-msedge.net, msedge.b.tlu.dl.delivery.mp.microsoft.com, arc.trafficmanager.net, www.gstatic.com, l-0007.l-msedge.net, config.edge.skype.com, www.bing.com, edge-microsoft-com.dual-a-0036.a-msedge.net, fs.microsoft.com, accounts.google.com, bzib.nelreports.net.akamaized.net, fonts.gstatic.com, ctldl.windowsupdate.com, b-0005.b-msedge.net, www-www.bing.com.trafficmanager.net, edge.microsoft.com, business-bing-com.b-0005.b-msedge.net, fe3cr.delivery.mp.microsoft.com, l-0007.config.skype.com, edgeassetservice.azureedge.net, azureedge-t-prod.trafficmanager.net, business.bing.com, dual-a-0036.a-msedge.net
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtWriteVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
09:12:02	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run MicrosoftEdgeAutoLaunch_E81D8DD3EACFA71E827377A4597DF902 "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start /prefetch:5
09:12:11	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run MicrosoftEdgeAutoLaunch_E81D8DD3EACFA71E827377A4597DF902 "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start /prefetch:5

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
162.159.61.3	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	CODX.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	https://metaverifiedbadges.co/175261668994311/index.php?nick=YWZyaWNhbmJ1c2hjYW1wcw==&id=1526032324	Get hash	malicious	Unknown	Browse
	https://swishmax.en.download.it/	Get hash	malicious	PureLog Stealer	Browse
13.107.253.72	tXwWf89bXc.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	https://aka.ms/LearnAboutSenderIdentification	Get hash	malicious	HTMLPhisher	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	virus total.pdf	Get hash	malicious	HTMLPhisher	Browse
	https://url.uk.m.mimecastprotect.com/s/P4YvCp88zsEr4xMcPfwuGVGsq?domain=file365-cloud.s3.eu-west-2.amazonaws.com	Get hash	malicious	HTMLPhisher	Browse
	https://security.microsoft.com/url?url=http%3A%2F%2Fwww.galeriaetterem.hu%2Fmodules%2Fbabel%2Fredirect.php%3Fnewlang%3Den_US%26newurl%3Dhttps%3A%2F%2Fmedium.com%2Fm%2Fglobal-identity-2%3FredirectUrl%3Dhttps%3A%2F%2Feuropenicoming.fr%2Fclf%2Findex.html	Get hash	malicious	Unknown	Browse
	https://aka.ms/LearnAboutSenderIdentification	Get hash	malicious	Unknown	Browse
	https://aka.ms/LearnAboutSenderIdentification	Get hash	malicious	Unknown	Browse
239.255.255.250	http://www.renmcf.com/IM~Wpp-tc_9604d766/C/	Get hash	malicious	Unknown	Browse
	#U041a#U043e#U043d#U0442#U0440#U0430#U043a#U0442.shtml	Get hash	malicious	Unknown	Browse
	https://t.ly/nFp5i	Get hash	malicious	Unknown	Browse
	https://monttrek.com.pe/.1111/api/aHR0cHM6Ly9nb29nbGUuY29t&sig=ZDUxNjU0ZTllNzZkYTAxNWE4OTNkZTAyM2ZkZDA1MGViMGIzY2UyOTU1MzY1NGMyNjFlOTExM2ZiMzA5MzdmMg&exp=MTcyNDIzOTUzMQ	Get hash	malicious	HTMLPhisher	Browse
	https://www.cognitoforms.com/Gbauto1/GBAuto	Get hash	malicious	HTMLPhisher	Browse
	https://url.au.m.mimecastprotect.com/s/PfBWC4QZ15ukx20VsOfYC4BNEn?domain=incleecl.com	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	R.exe	Get hash	malicious	AsyncRAT, XWorm	Browse
	https://ms-officeonline365.ru/common/Oauth2.0/connect.php?email=dlwdallmi-dllr@maryland.gov	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
23.219.161.132	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	tXwWf89bXc.exe	Get hash	malicious	Unknown	Browse
	UPrvrJFnEx.exe	Get hash	malicious	Unknown	Browse
	oDkJQOSVzf.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Amadey, Stealc	Browse
	file.exe	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
chrome.cloudflare-dns.com	file.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	file.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	file.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	file.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	CODX.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	file.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	CODX.exe	Get hash	malicious	Unknown	Browse	162.159.61.3
	file.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	file.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	file.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
s-part-0044.t-0009.fb-t-msedge.net	tXwWf89bXc.exe	Get hash	malicious	Unknown	Browse	13.107.253.72
	file.exe	Get hash	malicious	Unknown	Browse	13.107.253.72
	file.exe	Get hash	malicious	Unknown	Browse	13.107.253.72
	https://aka.ms/LearnAboutSenderIdentification	Get hash	malicious	HTMLPhisher	Browse	13.107.253.72
	file.exe	Get hash	malicious	Unknown	Browse	13.107.253.72
	virus total.pdf	Get hash	malicious	HTMLPhisher	Browse	13.107.253.72
	https://url.uk.m.mimecastprotect.com/s/P4YvCp88zsEr4xMcPfwuGVGsq?domain=file365-cloud.s3.eu-west-2.amazonaws.com	Get hash	malicious	HTMLPhisher	Browse	13.107.253.72
	https://security.microsoft.com/url?url=http%3A%2F%2Fwww.galeriaetterem.hu%2Fmodules%2Fbabel%2Fredirect.php%3Fnewlang%3Den_US%26newurl%3Dhttps%3A%2F%2Fmedium.com%2Fm%2Fglobal-identity-2%3FredirectUrl%3Dhttps%3A%2F%2Feuropenicoming.fr%2Fclf%2Findex.html	Get hash	malicious	Unknown	Browse	13.107.253.72
	https://aka.ms/LearnAboutSenderIdentification	Get hash	malicious	Unknown	Browse	13.107.253.72
	https://aka.ms/LearnAboutSenderIdentification	Get hash	malicious	Unknown	Browse	13.107.253.72

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	MV ALIADO - S-REQ-19-00064.7Z.exe	Get hash	malicious	FormBook	Browse	172.67.176.77
	https://t.ly/nFp5i	Get hash	malicious	Unknown	Browse	104.20.7.133
	swb00% Halk bankasi Bilgilendirme__11045699-1024 nolu TICARI 02.09.2024.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	https://monttrek.com.pe/.1111/api/aHR0cHM6Ly9nb29nbGUuY29t&sig=ZDUxNjU0ZTllNzZkYTAxNWE4OTNkZTAyM2ZkZDA1MGViMGIzY2UyOTU1MzY1NGMyNjFlOTExM2ZiMzA5MzdmMg&exp=MTcyNDIzOTUzMQ	Get hash	malicious	HTMLPhisher	Browse	104.18.95.41
	https://url.au.m.mimecastprotect.com/s/PfBWC4QZ15ukx20VsOfYC4BNEn?domain=incleecl.com	Get hash	malicious	Unknown	Browse	172.64.155.119
	file.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	R.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	162.159.134.234
	https://ms-officeonline365.ru/common/Oauth2.0/connect.php?email=dlwdallmi-dllr@maryland.gov	Get hash	malicious	Unknown	Browse	188.114.96.3
	EVER V-2408 - VESSEL DETAILS.xlsx.scr.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	CSC LEADER VOY.1 PARTICULARS.pdf.scr.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
CLOUDFLARENETUS	MV ALIADO - S-REQ-19-00064.7Z.exe	Get hash	malicious	FormBook	Browse	172.67.176.77
	https://t.ly/nFp5i	Get hash	malicious	Unknown	Browse	104.20.7.133
	swb00% Halk bankasi Bilgilendirme__11045699-1024 nolu TICARI 02.09.2024.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	https://monttrek.com.pe/.1111/api/aHR0cHM6Ly9nb29nbGUuY29t&sig=ZDUxNjU0ZTllNzZkYTAxNWE4OTNkZTAyM2ZkZDA1MGViMGIzY2UyOTU1MzY1NGMyNjFlOTExM2ZiMzA5MzdmMg&exp=MTcyNDIzOTUzMQ	Get hash	malicious	HTMLPhisher	Browse	104.18.95.41
	https://url.au.m.mimecastprotect.com/s/PfBWC4QZ15ukx20VsOfYC4BNEn?domain=incleecl.com	Get hash	malicious	Unknown	Browse	172.64.155.119
	file.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	R.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	162.159.134.234
	https://ms-officeonline365.ru/common/Oauth2.0/connect.php?email=dlwdallmi-dllr@maryland.gov	Get hash	malicious	Unknown	Browse	188.114.96.3
	EVER V-2408 - VESSEL DETAILS.xlsx.scr.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	CSC LEADER VOY.1 PARTICULARS.pdf.scr.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
AKAMAI-ASN1EU	file.exe	Get hash	malicious	Unknown	Browse	23.219.161.132
	file.exe	Get hash	malicious	Unknown	Browse	23.219.161.132
	file.exe	Get hash	malicious	Unknown	Browse	23.219.161.132
	file.exe	Get hash	malicious	Unknown	Browse	23.200.0.42
	file.exe	Get hash	malicious	Unknown	Browse	23.44.133.57
	file.exe	Get hash	malicious	Unknown	Browse	23.44.133.57
	https://customervoice.microsoft.com/Pages/ResponsePage.aspx?id=lTCgUqihHkmFBEet2SbJL2ghryGY169Ih8KbdC_V2rZUQUFOTzhQMTZVVVI2V1RWNjNGNFhXRjdWVy4u&d=DwMFAg	Get hash	malicious	Unknown	Browse	173.222.108.211
	file.exe	Get hash	malicious	Unknown	Browse	23.55.235.170
	PO#86637.lzh	Get hash	malicious	FormBook	Browse	23.59.250.83
	file.exe	Get hash	malicious	Unknown	Browse	23.44.133.38
MICROSOFT-CORP-MSN-AS-BLOCKUS	https://monttrek.com.pe/.1111/api/aHR0cHM6Ly9nb29nbGUuY29t&sig=ZDUxNjU0ZTllNzZkYTAxNWE4OTNkZTAyM2ZkZDA1MGViMGIzY2UyOTU1MzY1NGMyNjFlOTExM2ZiMzA5MzdmMg&exp=MTcyNDIzOTUzMQ	Get hash	malicious	HTMLPhisher	Browse	20.190.159.75
	https://www.cognitoforms.com/Gbauto1/GBAuto	Get hash	malicious	HTMLPhisher	Browse	150.171.28.10
	file.exe	Get hash	malicious	Unknown	Browse	13.107.246.60
	file.exe	Get hash	malicious	Unknown	Browse	13.107.246.60
	https://www.google.com/url?q=https://google.com/url?hl%3Den%26q%3Dhttps://google.com/url?q%3DJFt7SBpfnkz37NXTPycl%26rct%3DecYm4gDyqlWjNVTtaSh7%26sa%3Dt%26esrc%3DyN3TRjFzCWurgbW1vOG4%26source%3DzcMGnUNgngXYWBYW2c3r%26cd%3DqBH0Ch4Gn8VGtKfHcUPR%26cad%3D0q4c3js52qUrSH6rI5Ux%26ved%3DxpZpiH8kwVo72kkPvwUH%26uact%3DhzYhur4iRKYoiuCfwC6s%26url%3Damp%252Fareaazul.com.mx%252F.beans%252F&source=gmail&ust=1725454484963000&usg=AOvVaw2xy0LT_ByjSLCoEqCzpyxV#e3YsAE-SURELILYZmFiM3NtcF9wY0BnbG9iYWxmb3VuZHJpZXMuY29t	Get hash	malicious	HTMLPhisher	Browse	13.107.246.60
	file.exe	Get hash	malicious	Unknown	Browse	13.107.246.57
	file.exe	Get hash	malicious	Unknown	Browse	13.107.246.60
	file.exe	Get hash	malicious	Unknown	Browse	13.107.246.57
	file.exe	Get hash	malicious	Unknown	Browse	13.107.246.60
	https://850705.formstack.com/forms/23outlook	Get hash	malicious	Unknown	Browse	150.171.27.10

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
28a2c9bd18a11de089ef85a160da29e4	http://www.renmcf.com/IM~Wpp-tc_9604d766/C/	Get hash	malicious	Unknown	Browse	40.68.123.157 184.28.90.27
	#U041a#U043e#U043d#U0442#U0440#U0430#U043a#U0442.shtml	Get hash	malicious	Unknown	Browse	40.68.123.157 184.28.90.27
	https://www.cognitoforms.com/Gbauto1/GBAuto	Get hash	malicious	HTMLPhisher	Browse	40.68.123.157 184.28.90.27
	https://url.au.m.mimecastprotect.com/s/PfBWC4QZ15ukx20VsOfYC4BNEn?domain=incleecl.com	Get hash	malicious	Unknown	Browse	40.68.123.157 184.28.90.27
	file.exe	Get hash	malicious	Unknown	Browse	40.68.123.157 184.28.90.27
	R.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	40.68.123.157 184.28.90.27
	https://ms-officeonline365.ru/common/Oauth2.0/connect.php?email=dlwdallmi-dllr@maryland.gov	Get hash	malicious	Unknown	Browse	40.68.123.157 184.28.90.27
	file.exe	Get hash	malicious	Unknown	Browse	40.68.123.157 184.28.90.27
	https://www.google.com/url?q=https://google.com/url?hl%3Den%26q%3Dhttps://google.com/url?q%3DJFt7SBpfnkz37NXTPycl%26rct%3DecYm4gDyqlWjNVTtaSh7%26sa%3Dt%26esrc%3DyN3TRjFzCWurgbW1vOG4%26source%3DzcMGnUNgngXYWBYW2c3r%26cd%3DqBH0Ch4Gn8VGtKfHcUPR%26cad%3D0q4c3js52qUrSH6rI5Ux%26ved%3DxpZpiH8kwVo72kkPvwUH%26uact%3DhzYhur4iRKYoiuCfwC6s%26url%3Damp%252Fareaazul.com.mx%252F.beans%252F&source=gmail&ust=1725454484963000&usg=AOvVaw2xy0LT_ByjSLCoEqCzpyxV#e3YsAE-SURELILYZmFiM3NtcF9wY0BnbG9iYWxmb3VuZHJpZXMuY29t	Get hash	malicious	HTMLPhisher	Browse	40.68.123.157 184.28.90.27
	file.exe	Get hash	malicious	Unknown	Browse	40.68.123.157 184.28.90.27

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4235
Entropy (8bit):	5.502862794404378
Encrypted:	false
SSDEEP:	96:0q8NkGS1fKKm58rh/cI9URoDotojORBbEvv80CJkmcTwSDS4S4SDS3I4a:/8NBS0+eoDUNl0OkmF
MD5:	4028726D68603A9BC0D447874F8857BA
SHA1:	A1E75C5522E6EC8F42B766066A3C64A20971AB74
SHA-256:	41A5E27EEC4BB1552616174F778F48E167DAFFC6B04B7BA95B05BE4245564BFB
SHA-512:	F587D94089A317AAFCF38967D8CDCACA8443665BF379F14418F66354C417FA5BE72682F565E64F54A25C12FA0C916A9BCED7699CDF38757D51C1FF3BBF140502
Malicious:	false
Preview:	{"dual_engine":{"ie_to_edge":{"redirection_mode":0}},"edge":{"perf_center":{"efficiency_mode_v2_is_active":false,"perf_game_mode":true,"performance_mode":3,"performance_mode_is_on":false},"tab_stabs":{"closed_without_unfreeze_never_unfrozen":0,"closed_without_unfreeze_previously_unfrozen":0,"discard_without_unfreeze_never_unfrozen":0,"discard_without_unfreeze_previously_unfrozen":0},"tab_stats":{"frozen_daily":0,"unfrozen_daily":0}},"fre":{"oem_bookmarks_set":true},"hardware_acceleration_mode_previous":true,"legacy":{"profile":{"name":{"migrated":true}}},"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAAA6cm+TCQIhSpiBui4g20VXEAAAAB4AAABNAGkAYwByAG8AcwBvAGYAdAAgAEUAZABnAGUAAAAQZgAAAAEAACAAAADu2zXZwu2jgmsIQoLaAHCsJLncfVUw5RI2OCOwfL18kAAAAAAOgAAAAAIAACAAAACDLyXT7TDWTvdNs3Bfhn4NdW+CsDFNf0EXoeR+7UwLZjAAAAC54NSEPViqVKOsj02Hb0xSGK85wiBSRaJfTbE/322mIhwVXZDzxUTfFHu7UxHFJdlAAAAAL0eqyCQk35gxGI0EXO+Iag8qbD+3ixPVa4/ggsGL2S0Abf16LVqRfPf59Psdhs5R+lSdohLrSkxX54owo

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\21f7f7fa-d606-4f5c-8831-6a45facb1eaf.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2958
Entropy (8bit):	5.599445065489205
Encrypted:	false
SSDEEP:	48:YuBqDPEFMsFiHC0afKcCWdwFgkHB+OdrxuvBdgaRVOaJkXWcT+wlRijWzB0:Xq8NkC1fKKmFjBbEvvbVnJkmcTz8kq
MD5:	C777323F8CF1058D19B232BA4DA28754
SHA1:	1C06C8B8FA373BA9AE225DCFE1D0FDE40F67D1C5
SHA-256:	B9CB961072605C88761449C00C6C63266618DC06D009866A31378C0A1BE31B09
SHA-512:	79FD13233774AF0CC2651476E344E3E62633C5D86E2530587DCB0322D89C45EE0CC5DECF3AC6D161409B0B64469DAAA3ECE6E805C283632DC158BA6A98D4753B
Malicious:	false
Preview:	{"edge":{"perf_center":{"efficiency_mode_v2_is_active":false,"perf_game_mode":true,"performance_mode":3,"performance_mode_is_on":false},"tab_stabs":{"closed_without_unfreeze_never_unfrozen":0,"closed_without_unfreeze_previously_unfrozen":0,"discard_without_unfreeze_never_unfrozen":0,"discard_without_unfreeze_previously_unfrozen":0},"tab_stats":{"frozen_daily":0,"unfrozen_daily":0}},"hardware_acceleration_mode_previous":true,"legacy":{"profile":{"name":{"migrated":true}}},"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAAA6cm+TCQIhSpiBui4g20VXEAAAAB4AAABNAGkAYwByAG8AcwBvAGYAdAAgAEUAZABnAGUAAAAQZgAAAAEAACAAAADu2zXZwu2jgmsIQoLaAHCsJLncfVUw5RI2OCOwfL18kAAAAAAOgAAAAAIAACAAAACDLyXT7TDWTvdNs3Bfhn4NdW+CsDFNf0EXoeR+7UwLZjAAAAC54NSEPViqVKOsj02Hb0xSGK85wiBSRaJfTbE/322mIhwVXZDzxUTfFHu7UxHFJdlAAAAAL0eqyCQk35gxGI0EXO+Iag8qbD+3ixPVa4/ggsGL2S0Abf16LVqRfPf59Psdhs5R+lSdohLrSkxX54owo30vLQ=="},"policy":{"last_statistics_update":"13369907512778462"},"profile":{"info_ca

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\7b75617e-35c2-414d-bd8b-ed6ff7a699ba.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1371
Entropy (8bit):	5.555819879981442
Encrypted:	false
SSDEEP:	24:YpQBqDPak7u5rrtaqNynVwIQsdWz71OLaoyikqaJdXBuBuwBdaeNhc5XIQQRCYfJ:YuBqDPafKcCWdYFggBzBdvc5dB0
MD5:	AC18C039A028ED5152FF2CD58C0B04EC
SHA1:	A88DA64588B561B2BE602C0EB8AF14E29290D167
SHA-256:	CEABAB1F356A39989ED5DD9256DDC8B19C68449FFAF8338416BD5F790B91CE86
SHA-512:	89473B93DA7D4999BEE5A39924D042AD091F4296379AD7100C7CDE45987467A5588764B296AC623446079EE54864B3BD5F263F3BD00422B7B47CDA86D55C532A
Malicious:	false
Preview:	{"edge":{"perf_center":{"efficiency_mode_v2_is_active":false,"perf_game_mode":true,"performance_mode":3,"performance_mode_is_on":false}},"legacy":{"profile":{"name":{"migrated":true}}},"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAAA6cm+TCQIhSpiBui4g20VXEAAAAB4AAABNAGkAYwByAG8AcwBvAGYAdAAgAEUAZABnAGUAAAAQZgAAAAEAACAAAADu2zXZwu2jgmsIQoLaAHCsJLncfVUw5RI2OCOwfL18kAAAAAAOgAAAAAIAACAAAACDLyXT7TDWTvdNs3Bfhn4NdW+CsDFNf0EXoeR+7UwLZjAAAAC54NSEPViqVKOsj02Hb0xSGK85wiBSRaJfTbE/322mIhwVXZDzxUTfFHu7UxHFJdlAAAAAL0eqyCQk35gxGI0EXO+Iag8qbD+3ixPVa4/ggsGL2S0Abf16LVqRfPf59Psdhs5R+lSdohLrSkxX54owo30vLQ=="},"profile":{"info_cache":{},"profile_counts_reported":"13369907512744258","profiles_order":[]},"smartscreen":{"enabled":true,"pua_protection_enabled":true},"telemetry_client":{"install_source_name":"windows","os_integration_level":5,"updater_version":"1.3.177.11","windows_update_applied":false},"uninstall_metrics":{"installation_date2":"1725433912"},"user_experienc

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\93d3c154-e712-44a0-af9c-b2d83d333c13.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3335
Entropy (8bit):	5.617431831165169
Encrypted:	false
SSDEEP:	96:0q8NkC1fKKmFDvBbEvv80CJkmcTwSDS4S4SDS3I4a:/8Nb0pl0OkmF
MD5:	9AAF159632F3A2DE04E36B81F4625B5F
SHA1:	32A75373A75C0E9929146D78A3A18ECD7F783BDA
SHA-256:	BA3681F6E047164BB2CB2D269F4E1C0D0FA26C4021C20C0B378B94289BD8B3D3
SHA-512:	AB757CD7C69EC367CBAA7F82C3424B6E3A4868916418CF232451044EAF71CD6704DAA7B615948DAF7E3F6DB3A407DF991A9FC452C7A05B2DFAFCD0DAFB86A83D
Malicious:	false
Preview:	{"dual_engine":{"ie_to_edge":{"redirection_mode":0}},"edge":{"perf_center":{"efficiency_mode_v2_is_active":false,"perf_game_mode":true,"performance_mode":3,"performance_mode_is_on":false},"tab_stabs":{"closed_without_unfreeze_never_unfrozen":0,"closed_without_unfreeze_previously_unfrozen":0,"discard_without_unfreeze_never_unfrozen":0,"discard_without_unfreeze_previously_unfrozen":0},"tab_stats":{"frozen_daily":0,"unfrozen_daily":0}},"hardware_acceleration_mode_previous":true,"legacy":{"profile":{"name":{"migrated":true}}},"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAAA6cm+TCQIhSpiBui4g20VXEAAAAB4AAABNAGkAYwByAG8AcwBvAGYAdAAgAEUAZABnAGUAAAAQZgAAAAEAACAAAADu2zXZwu2jgmsIQoLaAHCsJLncfVUw5RI2OCOwfL18kAAAAAAOgAAAAAIAACAAAACDLyXT7TDWTvdNs3Bfhn4NdW+CsDFNf0EXoeR+7UwLZjAAAAC54NSEPViqVKOsj02Hb0xSGK85wiBSRaJfTbE/322mIhwVXZDzxUTfFHu7UxHFJdlAAAAAL0eqyCQk35gxGI0EXO+Iag8qbD+3ixPVa4/ggsGL2S0Abf16LVqRfPf59Psdhs5R+lSdohLrSkxX54owo30vLQ=="},"policy":{"last_statist

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\9db65b5a-4064-4623-bd75-01a0d0f3769b.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	20782
Entropy (8bit):	6.066540365497346
Encrypted:	false
SSDEEP:	384:RtMGQ7LBjuYXGIgtDAW5u0TDJ2q03X8NBSpPodmCQBf6UzI8Z6Ix0FLC:LMGQ7FCYXGIgtDAWtJ4nVodmCq65dLFm
MD5:	48D07F9227B9333B8EC055D32AF7DE2F
SHA1:	CAEB2A03F64EE741F7A6524E6A8DF88750DDDEA2
SHA-256:	BD14879124DCC48DD23369129A25A36AE86A31DF28BF27C6F2C63470343F5779
SHA-512:	53F07C02B1FD6FBAB9969486EDE15569F5142A0EAD8B02B055338FD78BCB676D00FBE6024F7C3A6B742132DD630519F4C65B5B614944498B25B645D31E4FFA8C
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"5E25271B8190D943537AD3FDB50874FC133E8B4A00380E2A6A888D63386F728B\"","domain_actions_config":"H4sIAAAAAAAAAL1dWZPktpH+KxP9ZDtU6GMujfykHY9txVpHyHIoYh2ODhBEkWiCAAdHVbEc/u+bCVb1dE8RqEqOdh806mbzw8VEXshM/PuKb27vha2luF9LHqKT96KVoru3G+mcquXVN/++4sOgleBBWeOvvvnn4YGs7wcLz8erb65+HMKPMVx9dVXbnisDT4wMa612TNj+6j9fUSA+xFpZPyH/9dVVQig59Wx4L5+Cwzjg799ubt/jJP48zeE9TuHwDjYBc/Ew+Ktvbv/z1ZWoe+rsjB4/7Abr5U+ajz9LXo9Px+21Mk1hoo/oX6HHjTLyKTjYyMJmCbLnO/hZMpjFAjSvxOIhbxgi5FK85m+ZCkuQu7UyKoxLO97yIFoYvbAluiw2oRoYgIQ2nG2AqJY2U+koRXQbbMm3fMsEX9JMK3GLbeAvNjhrlo5GOJiTA/oXLTdG6qXtmMBDiyS59PvY7eCklyb4QcfFi7tpdwu3VBt1XNorvM4+RiU6+CjD0kb+pHz7rRm3rXSyzABnWdKBG+Ijlx7hEE4QTzo+AB6fnDLLJBpo7PKv8Ob367/KjUg8mcY6CmCjTJCmtsWFOcUf5vj04cw0e1yZe2WAl8svFn5IC43jfc+dLnGrEyDwAicHCxNdhlrVa5LEtTgt5u2lAK02pd198r5dr5VYgHj55jUJZGTtlg0NlA7S5AnvB8l7z3olnPV2vfCLsugvBUH7vTVIe9Y151SnmS2Auyvcr5UGYXBvzT2s0L3fKpCZl+2D91MLf04NPNNUni9BZmDP4Sfjk2Ig7ktgg8r8InfhHz//zSP7e8bquWlsDJ411jYlhlRsBQRm+LIWvOaiW4hdcyEra5fCtzINfylY7VRB4y

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Ad Blocking\790d8427-4272-4e53-84eb-01819387a6c9.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	107893
Entropy (8bit):	4.640136267101608
Encrypted:	false
SSDEEP:	1536:B/lv4EsQMNeQ9s5VwB34PsiaR+tjvYArQdW+Iuh57P7Q:fwUQC5VwBIiElEd2K57P7Q
MD5:	46EC1899F11FE2F524F4A0ED857B2BF7
SHA1:	830620AD3E3FAC7FE25BD86C291A17AFA245B2CA
SHA-256:	07965BB5BA96950A38D1B7E50D9564F84D383F21D6FB17B6A411925728AF5146
SHA-512:	5496B3873B3C5FA3560593D4E3E9F43F6BFA288C5FC3B879D14269A51938D5DDAD950326D86D8DB606A34F7B235E615237136DB19539A1740CAD9B527BEBAEB2
Malicious:	false
Preview:	{"sites":[{"url":"24video.be"},{"url":"7dnifutbol.bg"},{"url":"6tv.dk"},{"url":"9kefa.com"},{"url":"aculpaedoslb.blogspot.pt"},{"url":"aek-live.gr"},{"url":"arcadepunk.co.uk"},{"url":"acidimg.cc"},{"url":"aazah.com"},{"url":"allehensbeverwijk.nl"},{"url":"amateurgonewild.org"},{"url":"aindasoudotempo.blogspot.com"},{"url":"anorthosis365.com"},{"url":"autoreview.bg"},{"url":"alivefoot.us"},{"url":"arbitro10.com"},{"url":"allhard.org"},{"url":"babesnude.info"},{"url":"aysel.today"},{"url":"animepornx.com"},{"url":"bahisideal20.com"},{"url":"analyseindustrie.nl"},{"url":"bahis10line.org"},{"url":"apoel365.net"},{"url":"bahissitelerisikayetleri.com"},{"url":"bambusratte.com"},{"url":"banzaj.pl"},{"url":"barlevegas.com"},{"url":"baston.info"},{"url":"atomcurve.com"},{"url":"atascadocherba.com"},{"url":"astrologer.gr"},{"url":"adultpicz.com"},{"url":"alleporno.com"},{"url":"beaver-tube.com"},{"url":"beachbabes.info"},{"url":"bearworldmagazine.com"},{"url":"bebegimdensonra.com"},{"url":"autoy

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Ad Blocking\blocklist (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	107893
Entropy (8bit):	4.640136267101608
Encrypted:	false
SSDEEP:	1536:B/lv4EsQMNeQ9s5VwB34PsiaR+tjvYArQdW+Iuh57P7Q:fwUQC5VwBIiElEd2K57P7Q
MD5:	46EC1899F11FE2F524F4A0ED857B2BF7
SHA1:	830620AD3E3FAC7FE25BD86C291A17AFA245B2CA
SHA-256:	07965BB5BA96950A38D1B7E50D9564F84D383F21D6FB17B6A411925728AF5146
SHA-512:	5496B3873B3C5FA3560593D4E3E9F43F6BFA288C5FC3B879D14269A51938D5DDAD950326D86D8DB606A34F7B235E615237136DB19539A1740CAD9B527BEBAEB2
Malicious:	false
Preview:	{"sites":[{"url":"24video.be"},{"url":"7dnifutbol.bg"},{"url":"6tv.dk"},{"url":"9kefa.com"},{"url":"aculpaedoslb.blogspot.pt"},{"url":"aek-live.gr"},{"url":"arcadepunk.co.uk"},{"url":"acidimg.cc"},{"url":"aazah.com"},{"url":"allehensbeverwijk.nl"},{"url":"amateurgonewild.org"},{"url":"aindasoudotempo.blogspot.com"},{"url":"anorthosis365.com"},{"url":"autoreview.bg"},{"url":"alivefoot.us"},{"url":"arbitro10.com"},{"url":"allhard.org"},{"url":"babesnude.info"},{"url":"aysel.today"},{"url":"animepornx.com"},{"url":"bahisideal20.com"},{"url":"analyseindustrie.nl"},{"url":"bahis10line.org"},{"url":"apoel365.net"},{"url":"bahissitelerisikayetleri.com"},{"url":"bambusratte.com"},{"url":"banzaj.pl"},{"url":"barlevegas.com"},{"url":"baston.info"},{"url":"atomcurve.com"},{"url":"atascadocherba.com"},{"url":"astrologer.gr"},{"url":"adultpicz.com"},{"url":"alleporno.com"},{"url":"beaver-tube.com"},{"url":"beachbabes.info"},{"url":"bearworldmagazine.com"},{"url":"bebegimdensonra.com"},{"url":"autoy

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\BrowserMetrics-spare.pma (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	4194304
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	B5CFA9D6C8FEBD618F91AC2843D50A1C
SHA1:	2BCCBD2F38F15C13EB7D5A89FD9D85F595E23BC3
SHA-256:	BB9F8DF61474D25E71FA00722318CD387396CA1736605E1248821CC0DE3D3AF8
SHA-512:	BD273BF4E10ED6E305ECB7B781CB065545FCE9BE9F1E2968DF22C3A98F82D719855AAFE5FF303D14EA623A5C55E51E924E10033A92A7A6B07725D7E9692B74F5
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\BrowserMetrics-spare.pma.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	4194304
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	B5CFA9D6C8FEBD618F91AC2843D50A1C
SHA1:	2BCCBD2F38F15C13EB7D5A89FD9D85F595E23BC3
SHA-256:	BB9F8DF61474D25E71FA00722318CD387396CA1736605E1248821CC0DE3D3AF8
SHA-512:	BD273BF4E10ED6E305ECB7B781CB065545FCE9BE9F1E2968DF22C3A98F82D719855AAFE5FF303D14EA623A5C55E51E924E10033A92A7A6B07725D7E9692B74F5
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\BrowserMetrics\BrowserMetrics-66D80838-F24.pma

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	4194304
Entropy (8bit):	0.040496323724205786
Encrypted:	false
SSDEEP:	192:JbbUjLYiVWK+ggCdlkGJtD+FX9Xj2okgV8vYhXxNEq4bcRQM92Hdn8y08Tcm2RGY:xUjjlwGq5VnhBCQoHd08T2RGOD
MD5:	3F7ABF1A8D2CC4C418C834A172320E22
SHA1:	D56E5D6D9984A020C7D233D36CD6E929CD70E2F1
SHA-256:	055BB863EFFE860E6B823DE55402EA975FDC089C411568807647A578056624E9
SHA-512:	44A072E89449BB46C485FFB33515D4700DC976F184DD0BEA763E177F3B992F1540172E8F253B73AB861F290CD252A955811854A59FF9329BD08C0E6B11C70167
Malicious:	false
Preview:	...@..@...@.....C.].....@................a...P..............`... ...i.y.........BrowserMetrics......i.y..Yd. .......A...................v.0.....UV&K.k<................UV&K.k<................UMA.PersistentHistograms.InitResult.....8...i.y.[".................................................i.y.Pq.30..............117.0.2045.47-64..".en-GB...Windows NT..10.0.190452l..x86_64..?........".lkguur20,1(.0..8..B.......2.:.M..BU..Be...?j...GenuineIntel... .. ..........x86_64...J....k..^o..J..l.zL.^o..J....\.^o..J.....f.^o..J....?.^o..P.Z...b.INBXj....... .8.@................................)..$}.CG....L.T.w..Ucw.}....u.$r....9...>.........."....."...2..."..:............B)..1.3.177.11.. .*.RegKeyNotFound2.windowsR...Z......Mbp4@..$...SF@.......Y@.......Y@.......Y@........?........?.................?.......Y@.......Y@.......Y@.......Y@.......Y@.......Y@.......Y@.......Y@.......Y@................Y@.......Y@.......Y@........?........?z.......................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\BrowserMetrics\BrowserMetrics-66D80839-1C34.pma

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	4194304
Entropy (8bit):	0.4512641103671671
Encrypted:	false
SSDEEP:	3072:roxpReUV8yFl2/ZjFodMXuqmWfLeh/h5IRHgzg1HFyOPyMrvn8yVsqrvTxfBzEGG:OeicHRHEaHNF0Py/aHJwFy
MD5:	E458D6B3CA77646BA4D5DAD18A5EAD0F
SHA1:	71E5D31A3BB6A404140DAB75291656B56148D51C
SHA-256:	A3266899C7DAE18461667142A065902456861F9BE6640F21B7E1C2930EF65B31
SHA-512:	83416D84516A07446AE3BFEAB8A818E941848DCF6952B29479CBB9110E1C222F5841968F17B2DF47F7410401BADC3BD601FD2290C695715D073492557855976B
Malicious:	false
Preview:	...@..@...@.....C.].....@................8..x7..............`... ...i.y.........BrowserMetrics......i.y..Yd. .......A...................v.0.....UV&K.k<................UV&K.k<................UMA.PersistentHistograms.InitResult.....8...i.y.[".................................................i.y.Pq.30..............117.0.2045.47-64..".en-GB*...Windows NT..10.0.190452....x86_64..?........".lkguur20,1(.0..8..B....(.....10.0.19041.5462.Google Inc. (Google):bANGLE (Google, Vulkan 1.3.0 (SwiftShader Device (Subzero) (0x0000C0DE)), SwiftShader driver-5.0.0)M..BU..Be...?j...GenuineIntel... .. ..............x86_64...J....s..^o..J...W..^o..J..,jp..^o..J.......^o..J../T...^o..J...X.p.^o..J.....p.^o..J...c...^o..J...Y...^o..J.......^o..J..w....^o..J...G.Y.^o..J..A....^o..J....c..^o..J...c=..^o..J....J..^o..J...h8..^o..J..3.(..^o..J.......^o..J..!n...^o..J...S@".^o..J.......^o..J.......^o..J...j.8.^o..J..@....^o..J.......^o..J...b.J.^o..J..G....^o..J..8...^o..J...#...^o..J....k..^o..J..S..O.^o.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\settings.dat

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	280
Entropy (8bit):	4.155337931131621
Encrypted:	false
SSDEEP:	3:FiWWltlVmx6Dq4HSRqOFhJXI2EyBl+BVP/Sh/Jzv/nV59Gsl:o1HXyRqsx+BVsJD39J
MD5:	83C5FE7590DA13934A3712C2FCD91FFE
SHA1:	4D06C1C8B8580047014142F53A62746FB421000C
SHA-256:	685ACA59BA966756160FEF44F96441FC9150675BE744D4A2CD6308C153D72749
SHA-512:	6D08E705FA92183C1E861C6F5C59DC162048571EAB86E947B042599C4C386AA44A8FA3C045C47D77D18ECF15B3922CEF2DBAB71BD0FDA031785FDFD8F7678366
Malicious:	false
Preview:	sdPC.....................1....K.A....."1SCRpGKHAwpF5kOwXUUSc/ojBrTkNG2SgkvqW1WE7kI="..................................................................................47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=....................22f188b2-8959-4073-a8c4-774c942e95e3............

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\throttle_store.dat

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	20
Entropy (8bit):	3.6219280948873624
Encrypted:	false
SSDEEP:	3:8g6Vvn:8g6Vv
MD5:	9E4E94633B73F4A7680240A0FFD6CD2C
SHA1:	E68E02453CE22736169A56FDB59043D33668368F
SHA-256:	41C91A9C93D76295746A149DCE7EBB3B9EE2CB551D84365FFF108E59A61CC304
SHA-512:	193011A756B2368956C71A9A3AE8BC9537D99F52218F124B2E64545EEB5227861D372639052B74D0DD956CB33CA72A9107E069F1EF332B9645044849D14AF337
Malicious:	false
Preview:	level=none expiry=0.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\4001e162-da3e-420c-9af3-a3bc908adedc.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24799
Entropy (8bit):	5.5666936573512755
Encrypted:	false
SSDEEP:	768:ESL+C5WPiUfjO8F1+UoAYDCx9Tuqh0VfUC9xbog/OVbul2grw9hpGtuM:ESL+C5WPiUfjOu1jamc2RwtT
MD5:	6BC4EAE8DFE06EB6A23B375700FDC9B7
SHA1:	F1B209AF3E5E4079CF02A6175ADD52E468677771
SHA-256:	3F2B9A648C1E196CD81F4360F0F4BC8EE27B46E63351A5E7CB5F960B250BDE5E
SHA-512:	10EE131CC11D4E7E3CC75F3B803C6CB8B1066C282F518D13AC85036CECE09E0CF676360E91954FC62C1EF99FDE06AAA3E664EFCF3BA55476F96B9571CBBE8FE1
Malicious:	false
Preview:	{"edge_fundamentals_appdefaults":{"ess_lightweight_version":101},"ess_kv_states":{"restore_on_startup":{"closed_notification":false,"decrypt_success":true,"key":"restore_on_startup","notification_popup_count":0},"startup_urls":{"closed_notification":false,"decrypt_success":true,"key":"startup_urls","notification_popup_count":0},"template_url_data":{"closed_notification":false,"decrypt_success":true,"key":"template_url_data","notification_popup_count":0}},"extensions":{"settings":{"ahfgeienlihckogmohjhadlkjgocpleb":{"active_permissions":{"api":["management","system.display","system.storage","webstorePrivate","system.cpu","system.memory","system.network"],"explicit_host":[],"manifest_permissions":[],"scriptable_host":[]},"app_launcher_ordinal":"t","commands":{},"content_settings":[],"creation_flags":1,"events":[],"first_install_time":"13369907513455460","from_webstore":false,"incognito_content_settings":[],"incognito_preferences":{},"last_update_time":"13369907513455460","location":5,"ma

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\567670c6-b425-4648-a17d-e86f221c4831.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24800
Entropy (8bit):	5.5666650563487385
Encrypted:	false
SSDEEP:	768:ESL+C5WPiUfUO8F1+UoAYDCx9Tuqh0VfUC9xbog/OVbul2grwN8hpGtut:ESL+C5WPiUfUOu1jamc2RNbte
MD5:	AFE1A5EEA5DCF608F0616F23CC72FF11
SHA1:	5917B45E6C920F8B579AD912B915A9C8E1908EA1
SHA-256:	231FEF0FC44BA1BA73CD32554129A8A70A19241DD54BE0990144518769D358EE
SHA-512:	F301FAB23EF0B86F4883FCFD0B264D29123EFAEDEC96F26DEFF337A2E0F5A9A81C6DF1984572A3E0E4F0E1B0DB709D3668251E2B1115DF025A538DA8884D3E47
Malicious:	false
Preview:	{"edge_fundamentals_appdefaults":{"ess_lightweight_version":101},"ess_kv_states":{"restore_on_startup":{"closed_notification":false,"decrypt_success":true,"key":"restore_on_startup","notification_popup_count":0},"startup_urls":{"closed_notification":false,"decrypt_success":true,"key":"startup_urls","notification_popup_count":0},"template_url_data":{"closed_notification":false,"decrypt_success":true,"key":"template_url_data","notification_popup_count":0}},"extensions":{"settings":{"ahfgeienlihckogmohjhadlkjgocpleb":{"active_permissions":{"api":["management","system.display","system.storage","webstorePrivate","system.cpu","system.memory","system.network"],"explicit_host":[],"manifest_permissions":[],"scriptable_host":[]},"app_launcher_ordinal":"t","commands":{},"content_settings":[],"creation_flags":1,"events":[],"first_install_time":"13369907513455460","from_webstore":false,"incognito_content_settings":[],"incognito_preferences":{},"last_update_time":"13369907513455460","location":5,"ma

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\7a57b088-952c-4bf2-b111-8ccd155e55e2.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	6292
Entropy (8bit):	4.966717200779873
Encrypted:	false
SSDEEP:	96:stTqfnis1Db91V9N8zZDs85eh6Cb7/x+6MhmuecmAeFCG2Mu/EJ:stTPsn9NkZDs88bV+FiAMPuMJ
MD5:	A7A1FEA92140BB26B683B50CCA5B899A
SHA1:	884EC3C4200DF7CB62A9645AFDA3CF38C257958E
SHA-256:	82B63DD729F1A1DD94BFA6B34488E7D28F52843007CE619F406AE0280F1C40FC
SHA-512:	1A642380C4CC97E26B58559102F1058A50277D71C53D7C87D4F13B5AF5A9727A3BD000B06EC525D12C454D36E0DADE26CD76E4BAB59B9CFC7458C0C12A72D232
Malicious:	false
Preview:	{"aadc_info":{"age_group":0},"account_tracker_service_last_update":"13369907515229854","alternate_error_pages":{"backup":true},"apps":{"shortcuts_arch":"","shortcuts_version":0},"arbitration_using_experiment_config":false,"browser":{"available_dark_theme_options":"All","has_seen_welcome_page":false},"continuous_migration":{"ci_correction_for_holdout_treatment_state":1},"countryid_at_install":17224,"custom_links":{"list":[]},"domain_diversity":{"last_reporting_timestamp":"13369907513975494"},"download":{"default_directory":"C:\\Users\\user\\AppData\\Local\\Microsoft\\Edge\\KioskDownloads\\","directory_upgrade":true},"dual_engine":{"consumer_mode":{"ie_user":false},"consumer_site_list_with_ie_entries":false,"consumer_sitelist_location":"","consumer_sitelist_version":"","external_consumer_shared_cookie_data":{},"shared_cookie_data":{},"sitelist_data_2":{},"sitelist_has_consumer_data":false,"sitelist_has_enterprise_data":false,"sitelist_location":"","sitelist_source":0,"sitelist_version"

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Asset Store\assets.db\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Asset Store\assets.db\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	modified
Size (bytes):	12600
Entropy (8bit):	5.320832297248799
Encrypted:	false
SSDEEP:	192:zAOEH/WCxkD7MDPSYAxmemxb7mngJdv9TXJ4MQmLu5/4eeNdl:sOEOKSXs/J7mGnQmLu5/5eNdl
MD5:	6CDBCFAB3E0F8EEF95F4E58BAD3A4F36
SHA1:	00739DF0796C026EE0E7B26719167EBF6F38A255
SHA-256:	58EFDAE161FEA7B8127CB2DBD30E5405734F40702F14387B5A09E2007485C42D
SHA-512:	FA0661283D0385049118880268D1E2D843C3FDF3289CE2C8ABCB38397AC56F9E45B34479630AFDA1863C84C1E1EC6773B8F4908EB99FFC263823195A0D0A2BB9
Malicious:	false
Preview:	...m.................DB_VERSION.1a./..................QUERY_TIMESTAMP:arbitration_priority_list4...13369907518898178.$QUERY:arbitration_priority_list4....[{"name":"arbitration_priority_list","url":"https://edgeassetservice.azureedge.net/assets/arbitration_priority_list/4.0.5/asset?assetgroup=ArbitrationService","version":{"major":4,"minor":0,"patch":5},"hash":"2DPW9BV28WrPpgGHdKsEvldNQvD7dA0AAxPa3B/lKN0=","size":11989}]..A./..............'ASSET_VERSION:arbitration_priority_list.4.0.5..ASSET:arbitration_priority_list.]{.. "configVersion": 32,.. "PrivilegedExperiences": [.. "ShorelinePrivilegedExperienceID",.. "SHOPPING_AUTO_SHOW_COUPONS_CHECKOUT",.. "SHOPPING_AUTO_SHOW_LOWER_PRICE_FOUND",.. "SHOPPING_AUTO_SHOW_BING_SEARCH",.. "SHOPPING_AUTO_SHOW_REBATES",.. "SHOPPING_AUTO_SHOW_REBATES_CONFIRMATION",.. "SHOPPING_AUTO_SHOW_REBATES_DEACTIVATED",.. "SHOPPING_AUTO_SHOW_REBATES_BING",.. "SHOPPING_AUTO_SHOW_REBATES_ORGANIC",.. "SHOPPING_AUTO_SHOW_PRICE_HIST

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Asset Store\assets.db\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Asset Store\assets.db\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	307
Entropy (8bit):	5.132117988585332
Encrypted:	false
SSDEEP:	6:PaQ1923oH+TcwtOEh1ZB2KLllaTFHP9+q2P923oH+TcwtOEh1tIFUv:PaNYebOEh1ZFLnaTFHV+v4YebOEh16F2
MD5:	3B100170CCD4F988B2630F3ED85E80E2
SHA1:	D4E1D25800E6847695FEA186B67917E57B957E35
SHA-256:	CF4387BE438B45A69B401378E912370BABC1182D9ABF2CCFD1A223816EAE43FE
SHA-512:	F02D75578A751F8FF5109D6ABB11233C07EE2E6C7EC3107833DA0A0116120055362406AE7422798EA5E3A1C40EAEB7773BA3F7B6E8467AAAF260F818B4582B5B
Malicious:	false
Preview:	2024/09/04-03:11:58.109 227c Creating DB C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Asset Store\assets.db since it was missing..2024/09/04-03:11:58.180 227c Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Asset Store\assets.db/MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Asset Store\assets.db\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\AssistanceHome\AssistanceHomeSQLite

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	0.3202460253800455
Encrypted:	false
SSDEEP:	6:l9bNFlEuWk8TRH9MRumWEyE4gLueXdNOmWxFxCxmWxYgCxmW5y/mWz4ynLAtD/W4:TLiuWkMORuHEyESeXdwDQ3SOAtD/ie
MD5:	40B18EC43DB334E7B3F6295C7626F28D
SHA1:	0E46584B0E0A9703C6B2EC1D246F41E63AF2296F
SHA-256:	85E961767239E90A361FB6AA0A3FD9DAA57CAAF9E30599BB70124F1954B751C8
SHA-512:	8BDACDC4A9559E4273AD01407D5D411035EECD927385A51172F401558444AD29B5AD2DC5562D1101244665EBE86BBDDE072E75ECA050B051482005EB6A52CDBD
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Cache\Cache_Data\data_0

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	45056
Entropy (8bit):	0.044084744793847865
Encrypted:	false
SSDEEP:	6:/Fii2+Eb8kM/lOhfTB/ipKLHXRllqd/lNAt:d21EOhfN/ipKLHh/MNAt
MD5:	ED1F0A8EDB1C45380F3B7BEF4FA92368
SHA1:	B69322CF2884348769500B25BA5E11FBD1353163
SHA-256:	DB9B9399C119E202D95A665EB77FAA1FC045D1FEE73F0D9FC55CC8DF5FBFC9C5
SHA-512:	19E094140681794396FCBC0FE28B94F98C657243B83DCC6AFE9B53A48708C12E26D57C0E68A2621306CE2BAC9B0C7B9AEB166760101126366A1A7FBDF4B5BE8C
Malicious:	false
Preview:	............$...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Cache\Cache_Data\data_1

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	270336
Entropy (8bit):	0.09565134147999216
Encrypted:	false
SSDEEP:	24:IrGV4XQ3eaPVHsqTV4XeaPVHaUAPnQzLIoMmHVIRBNUeG7hNKxuQzVnlJtYT38E0:XV4A3es5V4XesrAzNUeGNcj0T3lWp4
MD5:	1C0DC74BAC639DC1DEC580C444284CBF
SHA1:	435F3736645DE33A45ACDE7369F142B806EB61EE
SHA-256:	7064F3C99263C2AC9969A621BCA348A2ECB4831BA13C44E91FE1AD40BC1981E1
SHA-512:	BBFDAC3F491AA097DF24907E5BB1EE720926C813BFE9EBC4E1DF418A02F649060558CED0CC91BF2889209D285B01D65252F7768F83053D13F3F3C6AE129009EF
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Cache\Cache_Data\data_2

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	1056768
Entropy (8bit):	0.2854118544302926
Encrypted:	false
SSDEEP:	384:s8iJtne8iJtn3bt7RJto3bt7RJtokAcSrJtL+ib3f:s8iJte8iJt3b3Jt4b3JtKcEJtCib3f
MD5:	5971C0409F46C100FD9D19E1DA3F32EC
SHA1:	C7A50DE5F8D4253A55B4070F4D89DA222A5A997B
SHA-256:	50DF6C810082BA1B51588F63C48F892216B5874F38C1CA808ABE16E27AF23202
SHA-512:	439B100127B7C29D48D2D4975099252597B5188DEA7A23BE0F9E41C68005F1F7FC84A4CAF5D8C123A8C098D93EF2E24C91C411C30C4714B1C91B0478FEC53C39
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Cache\Cache_Data\data_3

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	4202496
Entropy (8bit):	0.04312480187296375
Encrypted:	false
SSDEEP:	192:rH/WCxkD7MDPSYAxmemxb7mngJdv9TXJ4MQmLu5/4eeNd:rOKSXs/J7mGnQmLu5/5eNd
MD5:	4D3862637A3E49DEA6B0E914424F7F3E
SHA1:	2ADD705EDC5981DFA1DDA043EF8917DD416CA4B3
SHA-256:	081133A6F01292BF3CDF0BFBAE44EEE97EC2920D820294EA0447EE2D71249D58
SHA-512:	FA1B6C0C9D28F5686D65A17D43EC6473524C7D576CADA3BA68A94B85375C703E750F624CA82ED3A431DBF5A41203A974E041BFCC6681E04CFBE708B34A4AA861
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Cache\Cache_Data\f_000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	gzip compressed data, was "asset", last modified: Fri Aug 2 18:10:34 2024, max compression, original size modulo 2^32 374872
Category:	dropped
Size (bytes):	70207
Entropy (8bit):	7.995911906073242
Encrypted:	true
SSDEEP:	1536:VzseWV/dT2G9zm5w0vgxQUFm6SM6ZYRuB61K+aK+POIwPru:VoNQGIwvs6S9+I6RWPOIwTu
MD5:	9F5A7E038BF08B13BD15338EC7BD4E16
SHA1:	AB69D28EEA9AE289BB86159C341910538CDDE5B9
SHA-256:	BA0BCBBF170ADB0B5119D19D56C2D004579507DFC4A9215BCCC8663C8A486AF8
SHA-512:	48557ECD56DFD2157304FE752E15E44314667EFC79E6C21312723251E4E1F1BF5BE0A76F88F4B4D83FADB9D81BFB1835B1C0E5CFA7B07214A605F58064BB94B1
Malicious:	false
Preview:	.....!.f..asset.....6.0.W..3....[........9m;.....IH.E...j...}.....PR..w.gg.....@.P...?...x....?./.%..Q...x....}..9..e..f.8..Yb@g...i..$...I.......<....k...{..{.Qg..k..q.....i.Y}..._......\?....5 .5 .`..._i'@....H'.f!...x`...f......v.._1w.u.<.........5.:..^.Ua....H6...x....D:.R..L..2.,.s.f.......FE'..%{]-;+.`....N...=\|.:q...9N.k..i.I.8E.i.I.s..Y...8..fe'...Xo...Xo...#.r$N.u2.o.]....^,.k....{E."......Q.N...AY..u.^o.............Z..ce.irN.{.O$.C.......HJ.HJ..J..hOgA.5.nW.\........}E.%-.A."a<..~.[O....~.......xX.G?Y.3O8d8I...&X....V4...0=.iS....].D.L@.YiS...<.W..W+..#mj...p..8^.\U;oV;W`..^..V...G..SC.9.....i%@g.iS=..`..#.H.p.q..E.q...)....).X..M.X.%.,i.%..V..6.nk.@1S@-..Y.6....K.n....:c.My.....h...9..q...f't.iS.v..6D7...d't.iS.v..F.....faG.t.f....lR.J@!l.0O..T.....T2...\.n..-....L..ES.9.:...B..P1@...P.l.fX.aV..Y6.B5......Mt..SS,l..+..J...).i.6......8...:.Z...2.H.8..Z.>.5.Oi..N`:..6.i.n.h.l.e.h.T\.lr...TE+m.T..).D..F..+.6....J...x.`..`.m..H..i....p...v

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Cache\Cache_Data\index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 768, next free block index 3284796353, field type 0
Category:	dropped
Size (bytes):	524656
Entropy (8bit):	5.027445846313988E-4
Encrypted:	false
SSDEEP:	3:LsulMb:LsN
MD5:	85ED643CBC83E6A485E274DD6CE16B08
SHA1:	AE00BC70B371A5B2D6EDC47D464F25B162F02F62
SHA-256:	995D1FDD7AE879376E665CF51A2BB9BD133E4E48C1D444DF6F56AF1838D1DBF5
SHA-512:	D7EB612D6DD73F3472756FE990C750F4C6A30ECA0A3C8FF997EC868A623B8F572F2ABF955C325E45A06D8718746E0525E6275FBA77979649FC5083552F57E454
Malicious:	false
Preview:	.........................................].,../.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Code Cache\js\index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	2.1431558784658327
Encrypted:	false
SSDEEP:	3:m+l:m
MD5:	54CB446F628B2EA4A5BCE5769910512E
SHA1:	C27CA848427FE87F5CF4D0E0E3CD57151B0D820D
SHA-256:	FBCFE23A2ECB82B7100C50811691DDE0A33AA3DA8D176BE9882A9DB485DC0F2D
SHA-512:	8F6ED2E91AED9BD415789B1DBE591E7EAB29F3F1B48FDFA5E864D7BF4AE554ACC5D82B4097A770DABC228523253623E4296C5023CF48252E1B94382C43123CB0
Malicious:	false
Preview:	0\r..m..................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Code Cache\js\index-dir\temp-index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	48
Entropy (8bit):	2.955557653394731
Encrypted:	false
SSDEEP:	3:9plZHC0EMvyKln:iuy+n
MD5:	5D633DE05B328504759A446283E97588
SHA1:	1A6918E67B0FDFA27746D0336FB366D7B10A0420
SHA-256:	1F31607F85B229E646B81F29A97F0C87A8CD7501D19C9E971E84024061A1512F
SHA-512:	501C9FB291E89992E6AEA8C6B8692AD44679FB7AB4443077DCD55FE2564197E39905294B7D0488FE65396F12256A70D0F7163851649953EB4FA8092EB44B4A2B
Malicious:	false
Preview:	(.....\|oy retne...........................,../.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Code Cache\js\index-dir\the-real-index (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	48
Entropy (8bit):	2.955557653394731
Encrypted:	false
SSDEEP:	3:9plZHC0EMvyKln:iuy+n
MD5:	5D633DE05B328504759A446283E97588
SHA1:	1A6918E67B0FDFA27746D0336FB366D7B10A0420
SHA-256:	1F31607F85B229E646B81F29A97F0C87A8CD7501D19C9E971E84024061A1512F
SHA-512:	501C9FB291E89992E6AEA8C6B8692AD44679FB7AB4443077DCD55FE2564197E39905294B7D0488FE65396F12256A70D0F7163851649953EB4FA8092EB44B4A2B
Malicious:	false
Preview:	(.....\|oy retne...........................,../.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Code Cache\wasm\index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	2.1431558784658327
Encrypted:	false
SSDEEP:	3:m+l:m
MD5:	54CB446F628B2EA4A5BCE5769910512E
SHA1:	C27CA848427FE87F5CF4D0E0E3CD57151B0D820D
SHA-256:	FBCFE23A2ECB82B7100C50811691DDE0A33AA3DA8D176BE9882A9DB485DC0F2D
SHA-512:	8F6ED2E91AED9BD415789B1DBE591E7EAB29F3F1B48FDFA5E864D7BF4AE554ACC5D82B4097A770DABC228523253623E4296C5023CF48252E1B94382C43123CB0
Malicious:	false
Preview:	0\r..m..................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Code Cache\wasm\index-dir\temp-index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	48
Entropy (8bit):	2.955557653394731
Encrypted:	false
SSDEEP:	3:1EAtKc9ED8tq+:OIHqD8tj
MD5:	062000DCB8E337B99725459F4CF16C1C
SHA1:	5EBA7959C594ED16A5C4929126A220C0A2E5D703
SHA-256:	7FEA0002288ADFBAE53985D84E7E8EF94EE2EA72CC73517C40312AC64F3D0AC8
SHA-512:	0788D5960B47B3E4F9B7DBB89655FCF854038ECC54790893A09E0682F95F87C657CE2BA6E77E65E68F62625174A5F5656C41062EDD64FF8B5B53F12F33CC6AF7
Malicious:	false
Preview:	(....!..oy retne........................_..,../.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Code Cache\wasm\index-dir\the-real-index (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	48
Entropy (8bit):	2.955557653394731
Encrypted:	false
SSDEEP:	3:1EAtKc9ED8tq+:OIHqD8tj
MD5:	062000DCB8E337B99725459F4CF16C1C
SHA1:	5EBA7959C594ED16A5C4929126A220C0A2E5D703
SHA-256:	7FEA0002288ADFBAE53985D84E7E8EF94EE2EA72CC73517C40312AC64F3D0AC8
SHA-512:	0788D5960B47B3E4F9B7DBB89655FCF854038ECC54790893A09E0682F95F87C657CE2BA6E77E65E68F62625174A5F5656C41062EDD64FF8B5B53F12F33CC6AF7
Malicious:	false
Preview:	(....!..oy retne........................_..,../.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\DawnCache\data_0

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 512, next free block index 3284796609, field type 0
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.01057775872642915
Encrypted:	false
SSDEEP:	3:MsFl:/F
MD5:	CF89D16BB9107C631DAABF0C0EE58EFB
SHA1:	3AE5D3A7CF1F94A56E42F9A58D90A0B9616AE74B
SHA-256:	D6A5FE39CD672781B256E0E3102F7022635F1D4BB7CFCC90A80FFFE4D0F3877E
SHA-512:	8CB5B059C8105EB91E74A7D5952437AAA1ADA89763C5843E7B0F1B93D9EBE15ED40F287C652229291FAC02D712CF7FF5ECECEF276BA0D7DDC35558A3EC3F77B0
Malicious:	false
Preview:	............$...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\DawnCache\data_1

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	270336
Entropy (8bit):	0.0012471779557650352
Encrypted:	false
SSDEEP:	3:MsEllllkEthXllkl2zE:/M/xT02z
MD5:	F50F89A0A91564D0B8A211F8921AA7DE
SHA1:	112403A17DD69D5B9018B8CEDE023CB3B54EAB7D
SHA-256:	B1E963D702392FB7224786E7D56D43973E9B9EFD1B89C17814D7C558FFC0CDEC
SHA-512:	BF8CDA48CF1EC4E73F0DD1D4FA5562AF1836120214EDB74957430CD3E4A2783E801FA3F4ED2AFB375257CAEED4ABE958265237D6E0AACF35A9EDE7A2E8898D58
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\DawnCache\data_2

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.011852361981932763
Encrypted:	false
SSDEEP:	3:MsHlDll:/H
MD5:	0962291D6D367570BEE5454721C17E11
SHA1:	59D10A893EF321A706A9255176761366115BEDCB
SHA-256:	EC1702806F4CC7C42A82FC2B38E89835FDE7C64BB32060E0823C9077CA92EFB7
SHA-512:	F555E961B69E09628EAF9C61F465871E6984CD4D31014F954BB747351DAD9CEA6D17C1DB4BCA2C1EB7F187CB5F3C0518748C339C8B43BBD1DBD94AEAA16F58ED
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\DawnCache\data_3

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.012340643231932763
Encrypted:	false
SSDEEP:	3:MsGl3ll:/y
MD5:	41876349CB12D6DB992F1309F22DF3F0
SHA1:	5CF26B3420FC0302CD0A71E8D029739B8765BE27
SHA-256:	E09F42C398D688DCE168570291F1F92D079987DEDA3099A34ADB9E8C0522B30C
SHA-512:	E9A4FC1F7CB6AE2901F8E02354A92C4AAA7A53C640DCF692DB42A27A5ACC2A3BFB25A0DE0EB08AB53983132016E7D43132EA4292E439BB636AAFD53FB6EF907E
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\DawnCache\index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 768, next free block index 3284796353, field type 0
Category:	dropped
Size (bytes):	262512
Entropy (8bit):	9.553120663130604E-4
Encrypted:	false
SSDEEP:	3:LsNlB3B:Ls3B
MD5:	FCC47E7A01BE5929B874239A4BC198F5
SHA1:	7C82DA4C5C42DA850B9CAEBEDE078F439888C161
SHA-256:	EE5B924AB2DABBA6BE6896F80C1623D735E0AAB2A7C1C67783DFA5C3477205E1
SHA-512:	27EDC710E7755B45A9418F58999DA8C601B5EF5DF681C748BFBDF47F07CF8405BA73FB47204B7B60F328BA52311EA4417422B1B5935288D2AB7C0F26E9D80AEC
Malicious:	false
Preview:	..........................................#,../.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\EdgeCoupons\coupons_data.db\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\EdgeCoupons\coupons_data.db\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	33
Entropy (8bit):	3.5394429593752084
Encrypted:	false
SSDEEP:	3:iWstvhYNrkUn:iptAd
MD5:	F27314DD366903BBC6141EAE524B0FDE
SHA1:	4714D4A11C53CF4258C3A0246B98E5F5A01FBC12
SHA-256:	68C7AD234755B9EDB06832A084D092660970C89A7305E0C47D327B6AC50DD898
SHA-512:	07A0D529D9458DE5E46385F2A9D77E0987567BA908B53DDB1F83D40D99A72E6B2E3586B9F79C2264A83422C4E7FC6559CAC029A6F969F793F7407212BB3ECD51
Malicious:	false
Preview:	...m.................DB_VERSION.1

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\EdgeCoupons\coupons_data.db\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\EdgeCoupons\coupons_data.db\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\EdgeEDrop\EdgeEDropSQLite.db

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 14, database pages 8, cookie 0xe, schema 4, UTF-8, version-valid-for 14
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.494709561094235
Encrypted:	false
SSDEEP:	24:TLEC30OIcqIn2o0FUFlA2cs0US5S693Xlej2:ThLaJUnAg0UB6I
MD5:	CF7760533536E2AF66EA68BC3561B74D
SHA1:	E991DE2EA8F42AE7E0A96A3B3B8AF87A689C8CCD
SHA-256:	E1F183FAE5652BA52F5363A7E28BF62B53E7781314C9AB76B5708AF9918BE066
SHA-512:	38B15FE7503F6DFF9D39BC74AA0150A7FF038029F973BE9A37456CDE6807BCBDEAB06E624331C8DFDABE95A5973B0EE26A391DB2587E614A37ADD50046470162
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j...i............t...c................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\EdgeHubAppUsage\EdgeHubAppUsageSQLite.db

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 5, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 5
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5094712832659277
Encrypted:	false
SSDEEP:	12:TLW4QpRSJDBJuqJSEDNvrWjJQ9Dl9np59yDLgHFUxOUDaaTXubHa7me5q4iZ7dV:TLqpR+DDNzWjJ0npnyXKUO8+j25XmL
MD5:	D4971855DD087E30FC14DF1535B556B9
SHA1:	9E00DEFC7E54C75163273184837B9D0263AA528C
SHA-256:	EC7414FF1DB052E8E0E359801F863969866F19228F3D5C64F632D991C923F0D2
SHA-512:	ACA411D7819B03EF9C9ACA292D91B1258238DF229B4E165A032DB645E66BFE1148FF3DCFDAC3126FCD34DBD0892F420148E280D9716C63AD9FCDD9E7CA58D71D
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j...%.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\EntityExtraction\EntityExtractionAssetStore.db\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\EntityExtraction\EntityExtractionAssetStore.db\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	375520
Entropy (8bit):	5.354093301032263
Encrypted:	false
SSDEEP:	6144:vA/imBpx6WdPSxKWcHu5MURacq49QxxPnyEndBuHltBfdK5WNbsVEziP/CfXtLPz:vFdMyq49tEndBuHltBfdK5WNbsVEziPU
MD5:	A6ECC607AB3A9DF08F4772193C7411EF
SHA1:	023D5714BE0B8E449BC625F736D6ED212917A455
SHA-256:	32B1E2D12654AD65E313249B69DFFE108E316B2B48A532FE9108D064C068BBFC
SHA-512:	E2293C39BB0ED673D1908E23405469E879B7F1D435CD0E0E939EE85953D0FB4EF52903BB928D2410F7873991617630F03F6223FBE175704C21B525FC2EB6F609
Malicious:	false
Preview:	...m.................DB_VERSION.1;D6.q...............&QUERY_TIMESTAMP:domains_config_gz2...13369907518914170..QUERY:domains_config_gz2....[{"name":"domains_config_gz","url":"https://edgeassetservice.azureedge.net/assets/domains_config_gz/2.8.76/asset?assetgroup=EntityExtractionDomainsConfig","version":{"major":2,"minor":8,"patch":76},"hash":"78Xsq/1H+MXv88uuTT1Rx79Nu2ryKVXh2J6ZzLZd38w=","size":374872}]..*.`~...............ASSET_VERSION:domains_config_gz.2.8.76..ASSET:domains_config_gz...{"config": {"token_limit": 1600, "page_cutoff": 4320, "default_locale_map": {"bg": "bg-bg", "bs": "bs-ba", "el": "el-gr", "en": "en-us", "es": "es-mx", "et": "et-ee", "cs": "cs-cz", "da": "da-dk", "de": "de-de", "fa": "fa-ir", "fi": "fi-fi", "fr": "fr-fr", "he": "he-il", "hr": "hr-hr", "hu": "hu-hu", "id": "id-id", "is": "is-is", "it": "it-it", "ja": "ja-jp", "ko": "ko-kr", "lv": "lv-lv", "lt": "lt-lt", "mk": "mk-mk", "nl": "nl-nl", "nb": "nb-no", "no": "no-no", "pl": "pl-pl", "pt": "pt-pt", "ro": "

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\EntityExtraction\EntityExtractionAssetStore.db\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\EntityExtraction\EntityExtractionAssetStore.db\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	323
Entropy (8bit):	5.2085557970611545
Encrypted:	false
SSDEEP:	6:Paf1923oH+Tcwtj2WwnvB2KLllahI+q2P923oH+Tcwtj2WwnvIFUv:PaqYebjxwnvFLnahdv4YebjxwnQFUv
MD5:	57875113E4E9AB45B8FE696D9263ED7D
SHA1:	D2C32BBA31AF29D511E569B9A9C85C21FF309645
SHA-256:	CAB97B7AB6A152C14D766C9629B14F5F5997AA3543DD1F260E7E970090394D5A
SHA-512:	18672DA3D96807A109EFE12D378B961DDFF397D4D68ED9FE29E23F34B5F4B66856BA02E551A575B26B140223D0B47603D39C207D04BF3A1EC9D26C9F83C5CED5
Malicious:	false
Preview:	2024/09/04-03:11:58.127 2298 Creating DB C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\EntityExtractionAssetStore.db since it was missing..2024/09/04-03:11:58.218 2298 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\EntityExtractionAssetStore.db/MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\EntityExtraction\EntityExtractionAssetStore.db\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\EntityExtraction\domains_config.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	modified
Size (bytes):	358859
Entropy (8bit):	5.324610939583881
Encrypted:	false
SSDEEP:	6144:CgimBVvUrsc6rRA81b/18jyJNjfvrfM6R1:C1gAg1zfvN
MD5:	7FBC06A2C920136A134A0D68A15D1DE3
SHA1:	7A0F2F0E4FCD6B36D71F84FE071722D2C0646758
SHA-256:	B57D5F0EC0F4CADC625C480EFBB2D5D9028A65E008B6876AC0B7EC9F9FB0BB77
SHA-512:	B31AF836EEB6E014D209F0D78B833CD1576A440C9F754D7B9FDC05991DA730E8A356445DC8F114B9FF0294FA26A4BEC9C503988FD82091B7B807C26EB9919502
Malicious:	false
Preview:	{"aee_config":{"ar":{"price_regex":{"ae":"(((ae\|aed\|\\x{062F}\\x{0660}\\x{0625}\\x{0660}\|\\x{062F}\\.\\x{0625}\|dhs\|dh)\\s\\d{1,3})\|(\\d{1,3}\\s(ae\|aed\|\\x{062F}\\x{0660}\\x{0625}\\x{0660}\|\\x{062F}\\.\\x{0625}\|dhs\|dh)))","dz":"(((dzd\|da\|\\x{062F}\\x{062C})\\s\\d{1,3})\|(\\d{1,3}\\s(dzd\|da\|\\x{062F}\\x{062C})))","eg":"(((e\\x{00a3}\|egp)\\s\\d{1,3})\|(\\d{1,3}\\s(e\\x{00a3}\|egp)))","ma":"(((mad\|dhs\|dh)\\s\\d{1,3})\|(\\d{1,3}\\s(mad\|dhs\|dh)))","sa":"((\\d{1,3}\\s(sar\\s\\x{fdfc}\|sar\|sr\|\\x{fdfc}\|\\.\\x{0631}\\.\\x{0633}))\|((sar\\s\\x{fdfc}\|sar\|sr\|\\x{fdfc}\|\\.\\x{0631}\\.\\x{0633})\\s\\d{1,3}))"},"product_terms":"((\\x{0623}\\x{0636}\\x{0641}\\s\\x{0625}\\x{0644}\\x{0649}\\s\\x{0627}\\x{0644}\\x{0639}\\x{0631}\\x{0628}\\x{0629})\|(\\x{0623}\\x{0636}\\x{0641}\\s\\x{0625}\\x{0644}\\x{0649}\\s\\x{0627}\\x{0644}\\x{062D}\\x{0642}\\x{064A}\\x{0628}\\x{0629})\|(\\x{0627}\\x{0634}\\x{062A}\\x{0631}\\x{064A}\\s*\\x{0627}\\x{0644}\\x{0622}\\x{0646})\|(\\x{062E}\\x{064A}\\x{0627}\\x{0631}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension Rules\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension Rules\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	171
Entropy (8bit):	1.8784775129881184
Encrypted:	false
SSDEEP:	3:FQxlXNQxlXNQxlXNQxlXNQxlXNQxlXNQxlXNQxlXNQxlX:qTCTCTCTCTCTCTCTCT
MD5:	E952942B492DB39A75DD2669B98EBE74
SHA1:	F6C4DEF325DCA0DFEC01759D7D8610837A370176
SHA-256:	14F92B911F9FE774720461EEC5BB4761AE6BFC9445C67E30BF624A8694B4B1DA
SHA-512:	9193E7BBE7EB633367B39513B48EFED11FD457DCED070A8708F8572D0AB248CBFF37254599A6BFB469637E0DCCBCD986347C6B6075C06FAE2AF08387B560DEA0
Malicious:	false
Preview:	.f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5...............

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension Rules\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension Rules\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	295
Entropy (8bit):	5.185724749234167
Encrypted:	false
SSDEEP:	6:PafdR1923oH+TcwttaVdg2KLllaj+q2P923oH+TcwttaPrqIFUv:Pafd8YebDLna6v4Yeb83FUv
MD5:	6DB80289B502555B3400EE72D7AAE564
SHA1:	16E55892B9DE951028BE0CFC9864F4A4CB137CA0
SHA-256:	5F2E265049373630F32A83039F7266DA547048815A44C5AE6A6ACB8E5DDF0006
SHA-512:	5F51F72573426EB1DB6E8250C50197BD2110845EA9D425E4FF49E025E55D6EE4769BEC0E0F0FBDFB3C5C6174176C45F5D1BF4F37FBD1A91D96181A2E6104FFB2
Malicious:	false
Preview:	2024/09/04-03:11:53.521 1d58 Creating DB C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension Rules since it was missing..2024/09/04-03:11:53.530 1d58 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension Rules/MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension Rules\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension Scripts\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension Scripts\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	171
Entropy (8bit):	1.8784775129881184
Encrypted:	false
SSDEEP:	3:FQxlXNQxlXNQxlXNQxlXNQxlXNQxlXNQxlXNQxlXNQxlX:qTCTCTCTCTCTCTCTCT
MD5:	E952942B492DB39A75DD2669B98EBE74
SHA1:	F6C4DEF325DCA0DFEC01759D7D8610837A370176
SHA-256:	14F92B911F9FE774720461EEC5BB4761AE6BFC9445C67E30BF624A8694B4B1DA
SHA-512:	9193E7BBE7EB633367B39513B48EFED11FD457DCED070A8708F8572D0AB248CBFF37254599A6BFB469637E0DCCBCD986347C6B6075C06FAE2AF08387B560DEA0
Malicious:	false
Preview:	.f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5...............

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension Scripts\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension Scripts\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	299
Entropy (8bit):	5.177317808632191
Encrypted:	false
SSDEEP:	6:Pa4Fp1923oH+Tcwtt6FB2KLllaY+q2P923oH+Tcwtt65IFUv:Pa9Yeb8FFLnatv4Yeb8WFUv
MD5:	3637458067DA0BE4560F0B6B40221092
SHA1:	349B5779BCDCD3D0A839D5F286B7337FFE0AE2E6
SHA-256:	B0166E22100AFF2EECD455EB9200FC29E93140E742AAD3484D30ADCA44EDA3E1
SHA-512:	4835EB68279D2DD2249740AD31E7CFE9F55C7523960EE3EBD6BD376E87D47D3864CD3FD3DB163C78531331A147F1BD3D890D26CAC0D404C6A2516F38F8AB92F9
Malicious:	false
Preview:	2024/09/04-03:11:53.531 1d58 Creating DB C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension Scripts since it was missing..2024/09/04-03:11:53.540 1d58 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension Scripts/MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension Scripts\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension State\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension State\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	513
Entropy (8bit):	1.8784775129881184
Encrypted:	false
SSDEEP:	6:qTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCT:qWWWWWWWWWWWWWWWWWWWWWWWWWW
MD5:	C92EABB217D45C77F8D52725AD3758F0
SHA1:	43B422AC002BB445E2E9B2C27D74C27CD70C9975
SHA-256:	388C5C95F0F54F32B499C03A37AABFA5E0A31030EC70D0956A239942544B0EEA
SHA-512:	DFD5D1C614F0EBFF97F354DFC23266655C336B9B7112781D7579057814B4503D4B63AB1263258BDA3358E5EE9457429C1A2451B22261A1F1E2D8657F31240D3C
Malicious:	false
Preview:	.f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5...............

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension State\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension State\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	295
Entropy (8bit):	5.140142532746272
Encrypted:	false
SSDEEP:	6:PabRSD1923oH+TcwttYg2KLllaWUUi+q2P923oH+TcwttNIFUv:Pab9YebJLnaWUUi+v4Yeb0FUv
MD5:	2AA3F59AB44B79F2DD6C8E26ABA5E6F2
SHA1:	99F1CA4A4F717909BF8C6895625252AAF4B88F89
SHA-256:	08FEE3D961019CC31856EAE0F7351143EC8EF2028FFF6A9102233D1E5F9C677A
SHA-512:	34737D792E623F23A69F74F48F018296470EE1060429328583CC942ABF7B336623A8433D540E7589B828B8798A756EA594EA065B72129D10A53C9C2EA81FC5C6
Malicious:	false
Preview:	2024/09/04-03:11:55.490 1d4c Creating DB C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension State since it was missing..2024/09/04-03:11:55.503 1d4c Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension State/MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension State\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\ExtensionActivityComp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 1, cookie 0x1, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.3169096321222068
Encrypted:	false
SSDEEP:	3:lSWbNFl/sl+ltl4ltllOl83/XWEEabIDWzdWuAzTgdWj3FtFIU:l9bNFlEs1ok8fDEPDadUTgd81Z
MD5:	2554AD7847B0D04963FDAE908DB81074
SHA1:	F84ABD8D05D7B0DFB693485614ECF5204989B74A
SHA-256:	F6EF01E679B9096A7D8A0BD8151422543B51E65142119A9F3271F25F966E6C42
SHA-512:	13009172518387D77A67BBF86719527077BE9534D90CB06E7F34E1CCE7C40B49A185D892EE859A8BAFB69D5EBB6D667831A0FAFBA28AC1F44570C8B68F8C90A4
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\ExtensionActivityEdge

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 2, database pages 8, cookie 0x8, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.40981274649195937
Encrypted:	false
SSDEEP:	24:TL1WK3iOvwxwwweePKmJIOAdQBVA/kjo/TJZwJ9OV3WOT/5eQQ:Tmm+/9ZW943WOT/
MD5:	1A7F642FD4F71A656BE75B26B2D9ED79
SHA1:	51BBF587FB0CCC2D726DDB95C96757CC2854CFAD
SHA-256:	B96B6DDC10C29496069E16089DB0AB6911D7C13B82791868D583897C6D317977
SHA-512:	FD14EADCF5F7AB271BE6D8EF682977D1A0B5199A142E4AB353614F2F96AE9B49A6F35A19CC237489F297141994A4A16B580F88FAC44486FCB22C05B2F1C3F7D1
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j............M.....8...b..............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Favicons

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 10, cookie 0x8, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6975083372685086
Encrypted:	false
SSDEEP:	24:LLiZxh0GY/l1rWR1PmCx9fZjsBX+T6UwcE85fBmI:EBmw6fU1zBmI
MD5:	F5BBD8449A9C3AB28AC2DE45E9059B01
SHA1:	C569D730853C33234AF2402E69C19E0C057EC165
SHA-256:	825FF36C4431084C76F3D22CE0C75FA321EA680D1F8548706B43E60FCF5B566E
SHA-512:	96ACDED5A51236630A64FAE91B8FA9FAB43E22E0C1BCB80C2DD8D4829E03FBFA75AA6438053599A42EC4BBCF805BF0B1E6DFF9069B2BA182AD0BB30F2542FD3F
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g....._.c...~.2.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................s...;+...indexfavicon_bitmaps_icon_idfavico

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\GPUCache\data_0

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 512, next free block index 3284796609, field type 0
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.01057775872642915
Encrypted:	false
SSDEEP:	3:MsFl:/F
MD5:	CF89D16BB9107C631DAABF0C0EE58EFB
SHA1:	3AE5D3A7CF1F94A56E42F9A58D90A0B9616AE74B
SHA-256:	D6A5FE39CD672781B256E0E3102F7022635F1D4BB7CFCC90A80FFFE4D0F3877E
SHA-512:	8CB5B059C8105EB91E74A7D5952437AAA1ADA89763C5843E7B0F1B93D9EBE15ED40F287C652229291FAC02D712CF7FF5ECECEF276BA0D7DDC35558A3EC3F77B0
Malicious:	false
Preview:	............$...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\GPUCache\data_1

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	270336
Entropy (8bit):	0.0012471779557650352
Encrypted:	false
SSDEEP:	3:MsEllllkEthXllkl2zE:/M/xT02z
MD5:	F50F89A0A91564D0B8A211F8921AA7DE
SHA1:	112403A17DD69D5B9018B8CEDE023CB3B54EAB7D
SHA-256:	B1E963D702392FB7224786E7D56D43973E9B9EFD1B89C17814D7C558FFC0CDEC
SHA-512:	BF8CDA48CF1EC4E73F0DD1D4FA5562AF1836120214EDB74957430CD3E4A2783E801FA3F4ED2AFB375257CAEED4ABE958265237D6E0AACF35A9EDE7A2E8898D58
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\GPUCache\data_2

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.011852361981932763
Encrypted:	false
SSDEEP:	3:MsHlDll:/H
MD5:	0962291D6D367570BEE5454721C17E11
SHA1:	59D10A893EF321A706A9255176761366115BEDCB
SHA-256:	EC1702806F4CC7C42A82FC2B38E89835FDE7C64BB32060E0823C9077CA92EFB7
SHA-512:	F555E961B69E09628EAF9C61F465871E6984CD4D31014F954BB747351DAD9CEA6D17C1DB4BCA2C1EB7F187CB5F3C0518748C339C8B43BBD1DBD94AEAA16F58ED
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\GPUCache\data_3

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.012340643231932763
Encrypted:	false
SSDEEP:	3:MsGl3ll:/y
MD5:	41876349CB12D6DB992F1309F22DF3F0
SHA1:	5CF26B3420FC0302CD0A71E8D029739B8765BE27
SHA-256:	E09F42C398D688DCE168570291F1F92D079987DEDA3099A34ADB9E8C0522B30C
SHA-512:	E9A4FC1F7CB6AE2901F8E02354A92C4AAA7A53C640DCF692DB42A27A5ACC2A3BFB25A0DE0EB08AB53983132016E7D43132EA4292E439BB636AAFD53FB6EF907E
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\GPUCache\index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 768, next free block index 3284796353, field type 0
Category:	dropped
Size (bytes):	262512
Entropy (8bit):	9.553120663130604E-4
Encrypted:	false
SSDEEP:	3:LsNl4:Ls3
MD5:	A736D936CDED9B33546B46727172024F
SHA1:	1F7F55175E8B884CBB19F910628CE0C870010C40
SHA-256:	1D1EA887E5CBB94D8933B0A772A1F4701B0FD74FA51A6526F3865BEC0D37D5E7
SHA-512:	8D9120C3FB24893B31D20C8E8C861F7B1E8F61079A762FE796CAC94C770F934887A7CC9248B4E7D7E4A3F0E3928023EC2B1130EDF8358AE03DE817A827A7E38B
Malicious:	false
Preview:	..........................................#,../.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\History

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 38, cookie 0x1f, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	155648
Entropy (8bit):	0.5407252242845243
Encrypted:	false
SSDEEP:	96:OgWyejzH+bDoYysX0IxQzZkHtpVJNlYDLjGQLBE3CeE0kE:OJhH+bDo3iN0Z2TVJkXBBE3yb
MD5:	7B955D976803304F2C0505431A0CF1CF
SHA1:	E29070081B18DA0EF9D98D4389091962E3D37216
SHA-256:	987FB9BFC2A84C4C605DCB339D4935B52A969B24E70D6DEAC8946BA9A2B432DC
SHA-512:	CE2F1709F39683BE4131125BED409103F5EDF1DED545649B186845817C0D69E3D0B832B236F7C4FC09AB7F7BB88E7C9F1E4F7047D1AF56D429752D4D8CBED47A
Malicious:	false
Preview:	SQLite format 3......@ .......&..................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\History-journal

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8720
Entropy (8bit):	0.2191763562065486
Encrypted:	false
SSDEEP:	3:A5lntFlljq7A/mhWJFuQ3yy7IOWUaxol/dweytllrE9SFcTp4AGbNCV9RUIfX:T75fOZl/d0Xi99pEYB
MD5:	1976DC008C52C1983C7CB37FA6104D78
SHA1:	C60E59F131A4915665EF8F7F5DD1AA1F9A3E43B1
SHA-256:	659F0FE91702AEE8AF2A12BF6945CD84BB91872F156A48460C1F465E84055A81
SHA-512:	35DDC8FFD2329E8077FA6C1D35314EB07D5F015416B32DF2989681B0ED8FA7B89CBBDB6CAA0469117C685C28C1C1277ABA274430405849DCA35F92137F1A1D4B
Malicious:	false
Preview:	.............\|.2...&....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\HubApps Icons

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 2, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	0.33890226319329847
Encrypted:	false
SSDEEP:	12:TLMfly7aoxrRGcAkSQdC6ae1//fxEjkE/RFL2iFV1eHFxOUwa5qgufTsZ75fOSI:TLYcjr0+Pdajk+FZH1W6UwccI5fBI
MD5:	971F4C153D386AC7ED39363C31E854FC
SHA1:	339841CA0088C9EABDE4AACC8567D2289CCB9544
SHA-256:	B6468DA6EC0EAE580B251692CFE24620D39412954421BBFDECB13EF21BE7BC88
SHA-512:	1A4DD0C2BE163AAB3B81D63DEB4A7DB6421612A6CF1A5685951F86B7D5A40B67FC6585B7E52AA0CC20FF47349F15DFF0C9038086E3A7C78AE0FFBEE6D8AA7F7E
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...:.8....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	379
Entropy (8bit):	5.232217165219651
Encrypted:	false
SSDEEP:	6:PanTxm81923oH+TcwtRage8Y55HEZzXELIx2KLllanjO7WM+q2P923oH+TcwtRai:PanUYebRrcHEZrEkVLnana7L+v4YebRz
MD5:	9051D59C89A048DB9FC5F54E914F3EEA
SHA1:	C7C66F880FAC17500CC2D779B721926FED35FBC6
SHA-256:	BBA2047168F1EBF226368958EB1B8DEC5334BDE07573C6ABCF7694AF1BBB8A9C
SHA-512:	B67F62A23DA70D496651CEFE0311F078D8443E81B250B3210188A14995E113E8569A27445A506C6EAB7A8480727FFFA3E7F6899C2164E4935E7E10C5FB8132FD
Malicious:	false
Preview:	2024/09/04-03:11:56.369 1d1c Creating DB C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold since it was missing..2024/09/04-03:11:56.397 1d1c Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold/MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Local Storage\leveldb\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Local Storage\leveldb\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Local Storage\leveldb\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	307
Entropy (8bit):	5.166323128615882
Encrypted:	false
SSDEEP:	6:PaG0mAB1923oH+TcwtRa2jM8B2KLllaSvm9+q2P923oH+TcwtRa2jMGIFUv:PazmAMYebRjFLnaSe9+v4YebREFUv
MD5:	E25020C29AD82B24D969BA832DBE00CF
SHA1:	5E48D770F8548E572608B6FD07FFAAEF3637B9F1
SHA-256:	15DB5E084AEF3023BCB55A028A62FDB37899CFB9FB70F8A026642A9D93230AA5
SHA-512:	D227576FA4108D0D5EB1CA637155203E881DA3FC5CFCE388AA74CEB064DA0B7A00986E9EB8D52564FAEAF19E38A1644AE5F2454B6405E6479833EE629F7CCF5E
Malicious:	false
Preview:	2024/09/04-03:11:54.299 1e0c Creating DB C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Local Storage\leveldb since it was missing..2024/09/04-03:11:55.179 1e0c Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Local Storage\leveldb/MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Local Storage\leveldb\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Login Data

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	51200
Entropy (8bit):	0.8746135976761988
Encrypted:	false
SSDEEP:	96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
MD5:	9E68EA772705B5EC0C83C2A97BB26324
SHA1:	243128040256A9112CEAC269D56AD6B21061FF80
SHA-256:	17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
SHA-512:	312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Network Action Predictor

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 11, cookie 0x6, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	45056
Entropy (8bit):	0.40293591932113104
Encrypted:	false
SSDEEP:	24:TLVgTjDk5Yk8k+/kCkzD3zzbLGfIzLihje90xq/WMFFfeFzfXVVlYWOT/CUFSe:Tmo9n+8dv/qALihje9kqL42WOT/9F
MD5:	ADC0CFB8A1A20DE2C4AB738B413CBEA4
SHA1:	238EF489E5FDC6EBB36F09D415FB353350E7097B
SHA-256:	7C071E36A64FB1881258712C9880F155D9CBAC693BADCC391A1CB110C257CC37
SHA-512:	38C8B7293B8F7BEF03299BAFB981EEEE309945B1BDE26ACDAD6FDD63247C21CA04D493A1DDAFC3B9A1904EFED998E9C7C0C8E98506FD4AC0AB252DFF34566B66
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.......=......\.t.+.>...,...=........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Network\07e857b7-ecbb-4d39-89f6-a6ca7395389e.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	170
Entropy (8bit):	4.89042451592505
Encrypted:	false
SSDEEP:	3:YLb9N+eAXRfHDHERW6JfYoR6oJbQpwhYMKWKWMS7PMVKJq0nMb1KKtiVY:YHpo03h6ubQ+a4MS7PMVKJTnMRK3VY
MD5:	89DA93E9471CD8C8C255E72CA2CF45CB
SHA1:	BEE1905E765B0BB06275A2D6F91598BDA84B3B5A
SHA-256:	79F1C11C178CA0BC1E11CC6569FCFAB5D1B54F0359D878CBD7862F649076EDBA
SHA-512:	09D068514220CDCDF00D73A47E2362B02DF6F227D4666A7E077D8B2B9FC82E29449D2B2ACFC4340C3654C46ECDB9A90373F5B2E2F4F454A1CA334B98CDE74CD9
Malicious:	false
Preview:	{"net":{"http_server_properties":{"servers":[],"supports_quic":{"address":"192.168.2.5","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"4G"}}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Network\12623ef2-f6e9-47bf-88af-b5bfc3488508.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Network\5ab158f2-8c3b-4230-b9a8-aee3857b37e3.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	40
Entropy (8bit):	4.1275671571169275
Encrypted:	false
SSDEEP:	3:Y2ktGMxkAXWMSN:Y2xFMSN
MD5:	20D4B8FA017A12A108C87F540836E250
SHA1:	1AC617FAC131262B6D3CE1F52F5907E31D5F6F00
SHA-256:	6028BD681DBF11A0A58DDE8A0CD884115C04CAA59D080BA51BDE1B086CE0079D
SHA-512:	507B2B8A8A168FF8F2BDAFA5D9D341C44501A5F17D9F63F3D43BD586BC9E8AE33221887869FA86F845B7D067CB7D2A7009EFD71DDA36E03A40A74FEE04B86856
Malicious:	false
Preview:	{"SDCH":{"dictionaries":{},"version":2}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Network\63bd92bb-908c-4c6d-b6e1-48f24abe3a6c.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Network\Cookies

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6732424250451717
Encrypted:	false
SSDEEP:	24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
MD5:	CFFF4E2B77FC5A18AB6323AF9BF95339
SHA1:	3AA2C2115A8EB4516049600E8832E9BFFE0C2412
SHA-256:	EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
SHA-512:	0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Network\Network Persistent State (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	59
Entropy (8bit):	4.619434150836742
Encrypted:	false
SSDEEP:	3:YLbkVKJq0nMb1KKtiVY:YHkVKJTnMRK3VY
MD5:	2800881C775077E1C4B6E06BF4676DE4
SHA1:	2873631068C8B3B9495638C865915BE822442C8B
SHA-256:	226EEC4486509917AA336AFEBD6FF65777B75B65F1FB06891D2A857A9421A974
SHA-512:	E342407AB65CC68F1B3FD706CD0A37680A0864FFD30A6539730180EDE2CDCD732CC97AE0B9EF7DB12DA5C0F83E429DF0840DBF7596ACA859A0301665E517377B
Malicious:	false
Preview:	{"net":{"network_qualities":{"CAESABiAgICA+P////8B":"4G"}}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Network\Network Persistent State~RF4438d.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	59
Entropy (8bit):	4.619434150836742
Encrypted:	false
SSDEEP:	3:YLbkVKJq0nMb1KKtiVY:YHkVKJTnMRK3VY
MD5:	2800881C775077E1C4B6E06BF4676DE4
SHA1:	2873631068C8B3B9495638C865915BE822442C8B
SHA-256:	226EEC4486509917AA336AFEBD6FF65777B75B65F1FB06891D2A857A9421A974
SHA-512:	E342407AB65CC68F1B3FD706CD0A37680A0864FFD30A6539730180EDE2CDCD732CC97AE0B9EF7DB12DA5C0F83E429DF0840DBF7596ACA859A0301665E517377B
Malicious:	false
Preview:	{"net":{"network_qualities":{"CAESABiAgICA+P////8B":"4G"}}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Network\Reporting and NEL

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 6, database pages 9, cookie 0x4, schema 4, UTF-8, version-valid-for 6
Category:	dropped
Size (bytes):	36864
Entropy (8bit):	0.7602569676167558
Encrypted:	false
SSDEEP:	48:TaIopKWurJNVr1GJmA8pv82pfurJNVrdHXuccaurJN2VrJ1n4n1GmzNGU1cSBk+m:uIEumQv8m1ccnvS6O3
MD5:	D76E8F83AF59AD68192755A7E80D8EBD
SHA1:	2B818FCC1B720F143A3D69902CC73421A66C15D4
SHA-256:	E2E76BE9027A50C82E1833EC5C410E81F060F19CFAAED36E878FA358B1A5B08B
SHA-512:	0FF76F79CCB6FC08408EB708C4BC7C5A002D5074A27C198F4C31094514FD1FB4B9ADF99A69CA51FB64984214441C6E7F7E591DC7257B042E68CF935080C8322C
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...D.........7............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Network\SCT Auditing Pending Reports (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Network\SCT Auditing Pending Reports~RF31ef3.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Network\Sdch Dictionaries (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	40
Entropy (8bit):	4.1275671571169275
Encrypted:	false
SSDEEP:	3:Y2ktGMxkAXWMSN:Y2xFMSN
MD5:	20D4B8FA017A12A108C87F540836E250
SHA1:	1AC617FAC131262B6D3CE1F52F5907E31D5F6F00
SHA-256:	6028BD681DBF11A0A58DDE8A0CD884115C04CAA59D080BA51BDE1B086CE0079D
SHA-512:	507B2B8A8A168FF8F2BDAFA5D9D341C44501A5F17D9F63F3D43BD586BC9E8AE33221887869FA86F845B7D067CB7D2A7009EFD71DDA36E03A40A74FEE04B86856
Malicious:	false
Preview:	{"SDCH":{"dictionaries":{},"version":2}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Network\Trust Tokens

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 9, cookie 0x6, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	36864
Entropy (8bit):	0.36515621748816035
Encrypted:	false
SSDEEP:	24:TLH3lIIAoDJ84l5lDlnDMlRlyKDtM6UwccWfp15fBIe:Tb31DtX5nDOvyKDhU1cSB
MD5:	25363ADC3C9D98BAD1A33D0792405CBF
SHA1:	D06E343087D86EF1A06F7479D81B26C90A60B5C3
SHA-256:	6E019B8B9E389216D5BDF1F2FE63F41EF98E71DA101F2A6BE04F41CC5954532D
SHA-512:	CF7EEE35D0E00945AF221BEC531E8BF06C08880DA00BD103FA561BC069D7C6F955CBA3C1C152A4884601E5A670B7487D39B4AE9A4D554ED8C14F129A74E555F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.......X..g...}.....$.X..............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Network\f34beb01-3dcb-44b6-9281-234027b5c63e.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	59
Entropy (8bit):	4.619434150836742
Encrypted:	false
SSDEEP:	3:YLbkVKJq0nMb1KKtiVY:YHkVKJTnMRK3VY
MD5:	2800881C775077E1C4B6E06BF4676DE4
SHA1:	2873631068C8B3B9495638C865915BE822442C8B
SHA-256:	226EEC4486509917AA336AFEBD6FF65777B75B65F1FB06891D2A857A9421A974
SHA-512:	E342407AB65CC68F1B3FD706CD0A37680A0864FFD30A6539730180EDE2CDCD732CC97AE0B9EF7DB12DA5C0F83E429DF0840DBF7596ACA859A0301665E517377B
Malicious:	false
Preview:	{"net":{"network_qualities":{"CAESABiAgICA+P////8B":"4G"}}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Nurturing\campaign_history

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 2, database pages 5, cookie 0x2, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.46731661083066856
Encrypted:	false
SSDEEP:	12:TL1QAFUxOUDaabZXiDiIF8izX4fhhdWeci2oesJaYi3is25q0S9K0xHZ75fOV:TLiOUOq0afDdWec9sJf5Q7J5fc
MD5:	E93ACF0820CA08E5A5D2D159729F70E3
SHA1:	2C1A4D4924B9AEC1A796F108607404B000877C5D
SHA-256:	F2267FDA7F45499F7A01186B75CEFB799F8D2BC97E2E9B5068952D477294302C
SHA-512:	3BF36C20E04DCF1C16DC794E272F82F68B0DE43F16B4A9746B63B6D6BBC953B00BD7111CDA7AFE85CEBB2C447145483A382B15E2B0A5B36026C3441635D4E50C
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Preferences (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	6292
Entropy (8bit):	4.966717200779873
Encrypted:	false
SSDEEP:	96:stTqfnis1Db91V9N8zZDs85eh6Cb7/x+6MhmuecmAeFCG2Mu/EJ:stTPsn9NkZDs88bV+FiAMPuMJ
MD5:	A7A1FEA92140BB26B683B50CCA5B899A
SHA1:	884EC3C4200DF7CB62A9645AFDA3CF38C257958E
SHA-256:	82B63DD729F1A1DD94BFA6B34488E7D28F52843007CE619F406AE0280F1C40FC
SHA-512:	1A642380C4CC97E26B58559102F1058A50277D71C53D7C87D4F13B5AF5A9727A3BD000B06EC525D12C454D36E0DADE26CD76E4BAB59B9CFC7458C0C12A72D232
Malicious:	false
Preview:	{"aadc_info":{"age_group":0},"account_tracker_service_last_update":"13369907515229854","alternate_error_pages":{"backup":true},"apps":{"shortcuts_arch":"","shortcuts_version":0},"arbitration_using_experiment_config":false,"browser":{"available_dark_theme_options":"All","has_seen_welcome_page":false},"continuous_migration":{"ci_correction_for_holdout_treatment_state":1},"countryid_at_install":17224,"custom_links":{"list":[]},"domain_diversity":{"last_reporting_timestamp":"13369907513975494"},"download":{"default_directory":"C:\\Users\\user\\AppData\\Local\\Microsoft\\Edge\\KioskDownloads\\","directory_upgrade":true},"dual_engine":{"consumer_mode":{"ie_user":false},"consumer_site_list_with_ie_entries":false,"consumer_sitelist_location":"","consumer_sitelist_version":"","external_consumer_shared_cookie_data":{},"shared_cookie_data":{},"sitelist_data_2":{},"sitelist_has_consumer_data":false,"sitelist_has_enterprise_data":false,"sitelist_location":"","sitelist_source":0,"sitelist_version"

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Preferences~RF3ae33.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	6292
Entropy (8bit):	4.966717200779873
Encrypted:	false
SSDEEP:	96:stTqfnis1Db91V9N8zZDs85eh6Cb7/x+6MhmuecmAeFCG2Mu/EJ:stTPsn9NkZDs88bV+FiAMPuMJ
MD5:	A7A1FEA92140BB26B683B50CCA5B899A
SHA1:	884EC3C4200DF7CB62A9645AFDA3CF38C257958E
SHA-256:	82B63DD729F1A1DD94BFA6B34488E7D28F52843007CE619F406AE0280F1C40FC
SHA-512:	1A642380C4CC97E26B58559102F1058A50277D71C53D7C87D4F13B5AF5A9727A3BD000B06EC525D12C454D36E0DADE26CD76E4BAB59B9CFC7458C0C12A72D232
Malicious:	false
Preview:	{"aadc_info":{"age_group":0},"account_tracker_service_last_update":"13369907515229854","alternate_error_pages":{"backup":true},"apps":{"shortcuts_arch":"","shortcuts_version":0},"arbitration_using_experiment_config":false,"browser":{"available_dark_theme_options":"All","has_seen_welcome_page":false},"continuous_migration":{"ci_correction_for_holdout_treatment_state":1},"countryid_at_install":17224,"custom_links":{"list":[]},"domain_diversity":{"last_reporting_timestamp":"13369907513975494"},"download":{"default_directory":"C:\\Users\\user\\AppData\\Local\\Microsoft\\Edge\\KioskDownloads\\","directory_upgrade":true},"dual_engine":{"consumer_mode":{"ie_user":false},"consumer_site_list_with_ie_entries":false,"consumer_sitelist_location":"","consumer_sitelist_version":"","external_consumer_shared_cookie_data":{},"shared_cookie_data":{},"sitelist_data_2":{},"sitelist_has_consumer_data":false,"sitelist_has_enterprise_data":false,"sitelist_location":"","sitelist_source":0,"sitelist_version"

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Preferences~RF42372.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	6292
Entropy (8bit):	4.966717200779873
Encrypted:	false
SSDEEP:	96:stTqfnis1Db91V9N8zZDs85eh6Cb7/x+6MhmuecmAeFCG2Mu/EJ:stTPsn9NkZDs88bV+FiAMPuMJ
MD5:	A7A1FEA92140BB26B683B50CCA5B899A
SHA1:	884EC3C4200DF7CB62A9645AFDA3CF38C257958E
SHA-256:	82B63DD729F1A1DD94BFA6B34488E7D28F52843007CE619F406AE0280F1C40FC
SHA-512:	1A642380C4CC97E26B58559102F1058A50277D71C53D7C87D4F13B5AF5A9727A3BD000B06EC525D12C454D36E0DADE26CD76E4BAB59B9CFC7458C0C12A72D232
Malicious:	false
Preview:	{"aadc_info":{"age_group":0},"account_tracker_service_last_update":"13369907515229854","alternate_error_pages":{"backup":true},"apps":{"shortcuts_arch":"","shortcuts_version":0},"arbitration_using_experiment_config":false,"browser":{"available_dark_theme_options":"All","has_seen_welcome_page":false},"continuous_migration":{"ci_correction_for_holdout_treatment_state":1},"countryid_at_install":17224,"custom_links":{"list":[]},"domain_diversity":{"last_reporting_timestamp":"13369907513975494"},"download":{"default_directory":"C:\\Users\\user\\AppData\\Local\\Microsoft\\Edge\\KioskDownloads\\","directory_upgrade":true},"dual_engine":{"consumer_mode":{"ie_user":false},"consumer_site_list_with_ie_entries":false,"consumer_sitelist_location":"","consumer_sitelist_version":"","external_consumer_shared_cookie_data":{},"shared_cookie_data":{},"sitelist_data_2":{},"sitelist_has_consumer_data":false,"sitelist_has_enterprise_data":false,"sitelist_location":"","sitelist_source":0,"sitelist_version"

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\PreferredApps

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	33
Entropy (8bit):	4.051821770808046
Encrypted:	false
SSDEEP:	3:YVXADAEvTLSJ:Y9AcEvHSJ
MD5:	2B432FEF211C69C745ACA86DE4F8E4AB
SHA1:	4B92DA8D4C0188CF2409500ADCD2200444A82FCC
SHA-256:	42B55D126D1E640B1ED7A6BDCB9A46C81DF461FA7E131F4F8C7108C2C61C14DE
SHA-512:	948502DE4DC89A7E9D2E1660451FCD0F44FD3816072924A44F145D821D0363233CC92A377DBA3A0A9F849E3C17B1893070025C369C8120083A622D025FE1EACF
Malicious:	false
Preview:	{"preferred_apps":[],"version":1}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\README

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	182
Entropy (8bit):	4.2629097520179995
Encrypted:	false
SSDEEP:	3:RGXKRjg0QwVIWRKXECSAV6jDyhjgHGAW+LB2Z4MKLFE1SwhiFAfXQmWyKBPMwRgK:z3frsUpAQQgHGwB26MK8Sw06fXQmWtRT
MD5:	643E00B0186AA80523F8A6BED550A925
SHA1:	EC4056125D6F1A8890FFE01BFFC973C2F6ABD115
SHA-256:	A0C9ABAE18599F0A65FC654AD36251F6330794BEA66B718A09D8B297F3E38E87
SHA-512:	D91A934EAF7D9D669B8AD4452234DE6B23D15237CB4D251F2C78C8339CEE7B4F9BA6B8597E35FE8C81B3D6F64AE707C68FF492903C0EDC3E4BAF2C6B747E247D
Malicious:	false
Preview:	Microsoft Edge settings and storage represent user-selected preferences and information and MUST not be extracted, overwritten or modified except through Microsoft Edge defined APIs.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Secure Preferences (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24799
Entropy (8bit):	5.5666936573512755
Encrypted:	false
SSDEEP:	768:ESL+C5WPiUfjO8F1+UoAYDCx9Tuqh0VfUC9xbog/OVbul2grw9hpGtuM:ESL+C5WPiUfjOu1jamc2RwtT
MD5:	6BC4EAE8DFE06EB6A23B375700FDC9B7
SHA1:	F1B209AF3E5E4079CF02A6175ADD52E468677771
SHA-256:	3F2B9A648C1E196CD81F4360F0F4BC8EE27B46E63351A5E7CB5F960B250BDE5E
SHA-512:	10EE131CC11D4E7E3CC75F3B803C6CB8B1066C282F518D13AC85036CECE09E0CF676360E91954FC62C1EF99FDE06AAA3E664EFCF3BA55476F96B9571CBBE8FE1
Malicious:	false
Preview:	{"edge_fundamentals_appdefaults":{"ess_lightweight_version":101},"ess_kv_states":{"restore_on_startup":{"closed_notification":false,"decrypt_success":true,"key":"restore_on_startup","notification_popup_count":0},"startup_urls":{"closed_notification":false,"decrypt_success":true,"key":"startup_urls","notification_popup_count":0},"template_url_data":{"closed_notification":false,"decrypt_success":true,"key":"template_url_data","notification_popup_count":0}},"extensions":{"settings":{"ahfgeienlihckogmohjhadlkjgocpleb":{"active_permissions":{"api":["management","system.display","system.storage","webstorePrivate","system.cpu","system.memory","system.network"],"explicit_host":[],"manifest_permissions":[],"scriptable_host":[]},"app_launcher_ordinal":"t","commands":{},"content_settings":[],"creation_flags":1,"events":[],"first_install_time":"13369907513455460","from_webstore":false,"incognito_content_settings":[],"incognito_preferences":{},"last_update_time":"13369907513455460","location":5,"ma

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Secure Preferences~RF37f05.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24799
Entropy (8bit):	5.5666936573512755
Encrypted:	false
SSDEEP:	768:ESL+C5WPiUfjO8F1+UoAYDCx9Tuqh0VfUC9xbog/OVbul2grw9hpGtuM:ESL+C5WPiUfjOu1jamc2RwtT
MD5:	6BC4EAE8DFE06EB6A23B375700FDC9B7
SHA1:	F1B209AF3E5E4079CF02A6175ADD52E468677771
SHA-256:	3F2B9A648C1E196CD81F4360F0F4BC8EE27B46E63351A5E7CB5F960B250BDE5E
SHA-512:	10EE131CC11D4E7E3CC75F3B803C6CB8B1066C282F518D13AC85036CECE09E0CF676360E91954FC62C1EF99FDE06AAA3E664EFCF3BA55476F96B9571CBBE8FE1
Malicious:	false
Preview:	{"edge_fundamentals_appdefaults":{"ess_lightweight_version":101},"ess_kv_states":{"restore_on_startup":{"closed_notification":false,"decrypt_success":true,"key":"restore_on_startup","notification_popup_count":0},"startup_urls":{"closed_notification":false,"decrypt_success":true,"key":"startup_urls","notification_popup_count":0},"template_url_data":{"closed_notification":false,"decrypt_success":true,"key":"template_url_data","notification_popup_count":0}},"extensions":{"settings":{"ahfgeienlihckogmohjhadlkjgocpleb":{"active_permissions":{"api":["management","system.display","system.storage","webstorePrivate","system.cpu","system.memory","system.network"],"explicit_host":[],"manifest_permissions":[],"scriptable_host":[]},"app_launcher_ordinal":"t","commands":{},"content_settings":[],"creation_flags":1,"events":[],"first_install_time":"13369907513455460","from_webstore":false,"incognito_content_settings":[],"incognito_preferences":{},"last_update_time":"13369907513455460","location":5,"ma

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Session Storage\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Session Storage\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	118
Entropy (8bit):	3.160877598186631
Encrypted:	false
SSDEEP:	3:S8ltHlS+QUl1ASEGhTFljljljl:S85aEFljljljl
MD5:	7733303DBE19B64C38F3DE4FE224BE9A
SHA1:	8CA37B38028A2DB895A4570E0536859B3CC5C279
SHA-256:	B10C1BA416A632CD57232C81A5C2E8EE76A716E0737D10EABE1D430BEC50739D
SHA-512:	E8CD965BCA0480DB9808CB1B461AC5BF5935C3CBF31C10FDF090D406F4BC4F3187D717199DCF94197B8DF24C1D6E4FF07241D8CFFFD9AEE06CCE9674F0220E29
Malicious:	false
Preview:	*...#................version.1..namespace-..&f.................&f.................&f.................&f...............

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Session Storage\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Session Storage\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	295
Entropy (8bit):	5.087012382976858
Encrypted:	false
SSDEEP:	6:PfAB1923oH+TcwtSQM72KLllNFQ9+q2P923oH+TcwtSQMxIFUv:PfAMYeb0LnXQ9+v4YebrFUv
MD5:	69949183C14EEE16201F241E1B6931E5
SHA1:	DE46B0DA1CDA7BD5396A48C267CA2D9E63B3EAD8
SHA-256:	64508D5968C4312873C12FA53B3C1D37959E5C68480D8AC32758C285F96C0135
SHA-512:	522F48CBD20D635543ECA503B6FB37C68433637B4CBBCF1AEA7E3C77D3ADA2CE36EFFF9D13842FA2C27669BAB2324D5EE54065B9F1430EBE7016E58CCD1C42FD
Malicious:	false
Preview:	2024/09/04-03:12:11.259 1e0c Creating DB C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Session Storage since it was missing..2024/09/04-03:12:11.280 1e0c Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Session Storage/MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Session Storage\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Shortcuts

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 5, cookie 0x2, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.44194574462308833
Encrypted:	false
SSDEEP:	12:TLiNCcUMskMVcIWGhWxBzEXx7AAQlvsdFxOUwa5qgufTJpbZ75fOS:TLisVMnYPhIY5Qlvsd6UwccNp15fB
MD5:	B35F740AA7FFEA282E525838EABFE0A6
SHA1:	A67822C17670CCE0BA72D3E9C8DA0CE755A3421A
SHA-256:	5D599596D116802BAD422497CF68BE59EEB7A9135E3ED1C6BEACC48F73827161
SHA-512:	05C0D33516B2C1AB6928FB34957AD3E03CB0A8B7EEC0FD627DD263589655A16DEA79100B6CC29095C3660C95FD2AFB2E4DD023F0597BD586DD664769CABB67F8
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g....."....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Site Characteristics Database\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Site Characteristics Database\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	40
Entropy (8bit):	3.473726825238924
Encrypted:	false
SSDEEP:	3:41tt0diERGn:et084G
MD5:	148079685E25097536785F4536AF014B
SHA1:	C5FF5B1B69487A9DD4D244D11BBAFA91708C1A41
SHA-256:	F096BC366A931FBA656BDCD77B24AF15A5F29FC53281A727C79F82C608ECFAB8
SHA-512:	C2556034EA51ABFBC172EB62FF11F5AC45C317F84F39D4B9E3DDBD0190DA6EF7FA03FE63631B97AB806430442974A07F8E81B5F7DC52D9F2FCDC669ADCA8D91F
Malicious:	false
Preview:	.On.!................database_metadata.1

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Site Characteristics Database\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Site Characteristics Database\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	323
Entropy (8bit):	5.136983395178237
Encrypted:	false
SSDEEP:	6:PaF1923oH+TcwtgUh2gr52KLllaa1+q2P923oH+TcwtgUh2ghZIFUv:PaYYeb3hHJLnaaAv4Yeb3hHh2FUv
MD5:	391F6433774594572391569D07D8E8CE
SHA1:	84D8563A3B23DCCC0980DE20D5E7AC3C07B8A105
SHA-256:	858CA5210587F2301AA069685EFADE91CF5751D7B0AD50C16FBA8FC48D35F511
SHA-512:	8CBC1D61885B47C38AED8A27E3A5F41F178808C8E8E24982DCC8DB4EB8765D2FC4FD713672AF46DCCDD14B853CC4BE064FF43A510178A5A204715C3B5AF48399
Malicious:	false
Preview:	2024/09/04-03:11:53.497 1d58 Creating DB C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Site Characteristics Database since it was missing..2024/09/04-03:11:53.519 1d58 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Site Characteristics Database/MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Site Characteristics Database\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Cache\Cache_Data\data_0

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 512, next free block index 3284796609, field type 0
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.01057775872642915
Encrypted:	false
SSDEEP:	3:MsFl:/F
MD5:	CF89D16BB9107C631DAABF0C0EE58EFB
SHA1:	3AE5D3A7CF1F94A56E42F9A58D90A0B9616AE74B
SHA-256:	D6A5FE39CD672781B256E0E3102F7022635F1D4BB7CFCC90A80FFFE4D0F3877E
SHA-512:	8CB5B059C8105EB91E74A7D5952437AAA1ADA89763C5843E7B0F1B93D9EBE15ED40F287C652229291FAC02D712CF7FF5ECECEF276BA0D7DDC35558A3EC3F77B0
Malicious:	false
Preview:	............$...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Cache\Cache_Data\data_1

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	270336
Entropy (8bit):	8.280239615765425E-4
Encrypted:	false
SSDEEP:	3:MsEllllkEthXllkl2:/M/xT02
MD5:	D0D388F3865D0523E451D6BA0BE34CC4
SHA1:	8571C6A52AACC2747C048E3419E5657B74612995
SHA-256:	902F30C1FB0597D0734BC34B979EC5D131F8F39A4B71B338083821216EC8D61B
SHA-512:	376011D00DE659EB6082A74E862CFAC97A9BB508E0B740761505142E2D24EC1C30AA61EFBC1C0DD08FF0F34734444DE7F77DD90A6CA42B48A4C7FAD5F0BDDD17
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Cache\Cache_Data\data_2

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.011852361981932763
Encrypted:	false
SSDEEP:	3:MsHlDll:/H
MD5:	0962291D6D367570BEE5454721C17E11
SHA1:	59D10A893EF321A706A9255176761366115BEDCB
SHA-256:	EC1702806F4CC7C42A82FC2B38E89835FDE7C64BB32060E0823C9077CA92EFB7
SHA-512:	F555E961B69E09628EAF9C61F465871E6984CD4D31014F954BB747351DAD9CEA6D17C1DB4BCA2C1EB7F187CB5F3C0518748C339C8B43BBD1DBD94AEAA16F58ED
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Cache\Cache_Data\data_3

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.012340643231932763
Encrypted:	false
SSDEEP:	3:MsGl3ll:/y
MD5:	41876349CB12D6DB992F1309F22DF3F0
SHA1:	5CF26B3420FC0302CD0A71E8D029739B8765BE27
SHA-256:	E09F42C398D688DCE168570291F1F92D079987DEDA3099A34ADB9E8C0522B30C
SHA-512:	E9A4FC1F7CB6AE2901F8E02354A92C4AAA7A53C640DCF692DB42A27A5ACC2A3BFB25A0DE0EB08AB53983132016E7D43132EA4292E439BB636AAFD53FB6EF907E
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Cache\Cache_Data\index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 768, next free block index 3284796353, field type 0
Category:	dropped
Size (bytes):	524656
Entropy (8bit):	5.027445846313988E-4
Encrypted:	false
SSDEEP:	3:Lsulxp+:Lse
MD5:	9D9FCC9BF9121824BC81DD06780E1383
SHA1:	27CD1D9462C752322AA2FC4B85BA03E5BBF555FA
SHA-256:	A400EF296ECB013E43EB02D07FCF1C9BD19C460A06795819300854EFB615F96C
SHA-512:	B950CA537662DAAA8CE79D7E2FE2FA4E66B5416CA10E090DDBD1CD518C427F462EB644BAB56F55F90D505C1F753B4BE4BDBC30B7B23056DB931349E2430A0F6F
Malicious:	false
Preview:	.........................................?w,../.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\js\index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	2.1431558784658327
Encrypted:	false
SSDEEP:	3:m+l:m
MD5:	54CB446F628B2EA4A5BCE5769910512E
SHA1:	C27CA848427FE87F5CF4D0E0E3CD57151B0D820D
SHA-256:	FBCFE23A2ECB82B7100C50811691DDE0A33AA3DA8D176BE9882A9DB485DC0F2D
SHA-512:	8F6ED2E91AED9BD415789B1DBE591E7EAB29F3F1B48FDFA5E864D7BF4AE554ACC5D82B4097A770DABC228523253623E4296C5023CF48252E1B94382C43123CB0
Malicious:	false
Preview:	0\r..m..................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\js\index-dir\temp-index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	48
Entropy (8bit):	2.9972243200613975
Encrypted:	false
SSDEEP:	3:/DEbS:IbS
MD5:	A9E5156AF29507C5100E9DCCE053EE13
SHA1:	5AC2618385387EC9469090A5D27083A780778674
SHA-256:	AEF19BE8D1413CABDA5CE45A326F80EBD7C8D4F81021B351F2C3D2441AB47265
SHA-512:	892530CF8B71F135F720141F294B2C3BF9AEF34BC1F347282BD007F7E2FB52ABB14D7425134C765E74ACFD40BF4088BF2D1BAB6853BFD7A5E51B6BD39F91E2EC
Malicious:	false
Preview:	(....Q^.oy retne........................GP#,../.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\js\index-dir\the-real-index (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	48
Entropy (8bit):	2.9972243200613975
Encrypted:	false
SSDEEP:	3:/DEbS:IbS
MD5:	A9E5156AF29507C5100E9DCCE053EE13
SHA1:	5AC2618385387EC9469090A5D27083A780778674
SHA-256:	AEF19BE8D1413CABDA5CE45A326F80EBD7C8D4F81021B351F2C3D2441AB47265
SHA-512:	892530CF8B71F135F720141F294B2C3BF9AEF34BC1F347282BD007F7E2FB52ABB14D7425134C765E74ACFD40BF4088BF2D1BAB6853BFD7A5E51B6BD39F91E2EC
Malicious:	false
Preview:	(....Q^.oy retne........................GP#,../.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\wasm\index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	2.1431558784658327
Encrypted:	false
SSDEEP:	3:m+l:m
MD5:	54CB446F628B2EA4A5BCE5769910512E
SHA1:	C27CA848427FE87F5CF4D0E0E3CD57151B0D820D
SHA-256:	FBCFE23A2ECB82B7100C50811691DDE0A33AA3DA8D176BE9882A9DB485DC0F2D
SHA-512:	8F6ED2E91AED9BD415789B1DBE591E7EAB29F3F1B48FDFA5E864D7BF4AE554ACC5D82B4097A770DABC228523253623E4296C5023CF48252E1B94382C43123CB0
Malicious:	false
Preview:	0\r..m..................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\wasm\index-dir\temp-index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	48
Entropy (8bit):	2.9972243200613975
Encrypted:	false
SSDEEP:	3:SFT9EeNT:SFGkT
MD5:	A0B162B75DD50183A9388714FE731B6F
SHA1:	4FA8AB838BCD1BC2A029A0EE2AC9D1429E48D549
SHA-256:	D260C55E486F87673E6842D8757A93F1E5C24A5B8CF0D69B964069BAF58FFC25
SHA-512:	2BFB225A516075F3710E2AAB1E4D7E17A94679F2E3B7E02B80AA3E4912EE4D9E85F87FCAB71695497CECFF692D01C8497FAA38A663689A30C911DA2DCED2FE66
Malicious:	false
Preview:	(....`.Ioy retne........................B.#,../.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\wasm\index-dir\the-real-index (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	48
Entropy (8bit):	2.9972243200613975
Encrypted:	false
SSDEEP:	3:SFT9EeNT:SFGkT
MD5:	A0B162B75DD50183A9388714FE731B6F
SHA1:	4FA8AB838BCD1BC2A029A0EE2AC9D1429E48D549
SHA-256:	D260C55E486F87673E6842D8757A93F1E5C24A5B8CF0D69B964069BAF58FFC25
SHA-512:	2BFB225A516075F3710E2AAB1E4D7E17A94679F2E3B7E02B80AA3E4912EE4D9E85F87FCAB71695497CECFF692D01C8497FAA38A663689A30C911DA2DCED2FE66
Malicious:	false
Preview:	(....`.Ioy retne........................B.#,../.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\DawnCache\data_0

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 512, next free block index 3284796609, field type 0
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.01057775872642915
Encrypted:	false
SSDEEP:	3:MsFl:/F
MD5:	CF89D16BB9107C631DAABF0C0EE58EFB
SHA1:	3AE5D3A7CF1F94A56E42F9A58D90A0B9616AE74B
SHA-256:	D6A5FE39CD672781B256E0E3102F7022635F1D4BB7CFCC90A80FFFE4D0F3877E
SHA-512:	8CB5B059C8105EB91E74A7D5952437AAA1ADA89763C5843E7B0F1B93D9EBE15ED40F287C652229291FAC02D712CF7FF5ECECEF276BA0D7DDC35558A3EC3F77B0
Malicious:	false
Preview:	............$...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\DawnCache\data_1

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	270336
Entropy (8bit):	0.0012471779557650352
Encrypted:	false
SSDEEP:	3:MsEllllkEthXllkl2zE:/M/xT02z
MD5:	F50F89A0A91564D0B8A211F8921AA7DE
SHA1:	112403A17DD69D5B9018B8CEDE023CB3B54EAB7D
SHA-256:	B1E963D702392FB7224786E7D56D43973E9B9EFD1B89C17814D7C558FFC0CDEC
SHA-512:	BF8CDA48CF1EC4E73F0DD1D4FA5562AF1836120214EDB74957430CD3E4A2783E801FA3F4ED2AFB375257CAEED4ABE958265237D6E0AACF35A9EDE7A2E8898D58
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\DawnCache\data_2

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.011852361981932763
Encrypted:	false
SSDEEP:	3:MsHlDll:/H
MD5:	0962291D6D367570BEE5454721C17E11
SHA1:	59D10A893EF321A706A9255176761366115BEDCB
SHA-256:	EC1702806F4CC7C42A82FC2B38E89835FDE7C64BB32060E0823C9077CA92EFB7
SHA-512:	F555E961B69E09628EAF9C61F465871E6984CD4D31014F954BB747351DAD9CEA6D17C1DB4BCA2C1EB7F187CB5F3C0518748C339C8B43BBD1DBD94AEAA16F58ED
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\DawnCache\data_3

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.012340643231932763
Encrypted:	false
SSDEEP:	3:MsGl3ll:/y
MD5:	41876349CB12D6DB992F1309F22DF3F0
SHA1:	5CF26B3420FC0302CD0A71E8D029739B8765BE27
SHA-256:	E09F42C398D688DCE168570291F1F92D079987DEDA3099A34ADB9E8C0522B30C
SHA-512:	E9A4FC1F7CB6AE2901F8E02354A92C4AAA7A53C640DCF692DB42A27A5ACC2A3BFB25A0DE0EB08AB53983132016E7D43132EA4292E439BB636AAFD53FB6EF907E
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\DawnCache\index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 768, next free block index 3284796353, field type 0
Category:	dropped
Size (bytes):	262512
Entropy (8bit):	9.553120663130604E-4
Encrypted:	false
SSDEEP:	3:LsNldEKl:Ls3e+
MD5:	D6C67456CB59EDE7C5B56DCF1496F899
SHA1:	6D57BDCD85AAE4555850BE626F2E47ADDDBB980C
SHA-256:	EE7875915A91F2CF4BA55824228B051E9FD1E773D9C0AE4C104EAB2EC8D9E222
SHA-512:	90A056CAFE0DD1CA3DB6762E41EDB4AF5961D14B657EA1904B22CF07AF13BC6B673534DCFD63A15304395C708A838A4973227AE5E85A7E50A8B1301A06378F73
Malicious:	false
Preview:	..........................................&,../.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\data_0

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 512, next free block index 3284796609, field type 0
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.01057775872642915
Encrypted:	false
SSDEEP:	3:MsFl:/F
MD5:	CF89D16BB9107C631DAABF0C0EE58EFB
SHA1:	3AE5D3A7CF1F94A56E42F9A58D90A0B9616AE74B
SHA-256:	D6A5FE39CD672781B256E0E3102F7022635F1D4BB7CFCC90A80FFFE4D0F3877E
SHA-512:	8CB5B059C8105EB91E74A7D5952437AAA1ADA89763C5843E7B0F1B93D9EBE15ED40F287C652229291FAC02D712CF7FF5ECECEF276BA0D7DDC35558A3EC3F77B0
Malicious:	false
Preview:	............$...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\data_1

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	270336
Entropy (8bit):	0.0012471779557650352
Encrypted:	false
SSDEEP:	3:MsEllllkEthXllkl2zE:/M/xT02z
MD5:	F50F89A0A91564D0B8A211F8921AA7DE
SHA1:	112403A17DD69D5B9018B8CEDE023CB3B54EAB7D
SHA-256:	B1E963D702392FB7224786E7D56D43973E9B9EFD1B89C17814D7C558FFC0CDEC
SHA-512:	BF8CDA48CF1EC4E73F0DD1D4FA5562AF1836120214EDB74957430CD3E4A2783E801FA3F4ED2AFB375257CAEED4ABE958265237D6E0AACF35A9EDE7A2E8898D58
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\data_2

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.011852361981932763
Encrypted:	false
SSDEEP:	3:MsHlDll:/H
MD5:	0962291D6D367570BEE5454721C17E11
SHA1:	59D10A893EF321A706A9255176761366115BEDCB
SHA-256:	EC1702806F4CC7C42A82FC2B38E89835FDE7C64BB32060E0823C9077CA92EFB7
SHA-512:	F555E961B69E09628EAF9C61F465871E6984CD4D31014F954BB747351DAD9CEA6D17C1DB4BCA2C1EB7F187CB5F3C0518748C339C8B43BBD1DBD94AEAA16F58ED
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\data_3

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.012340643231932763
Encrypted:	false
SSDEEP:	3:MsGl3ll:/y
MD5:	41876349CB12D6DB992F1309F22DF3F0
SHA1:	5CF26B3420FC0302CD0A71E8D029739B8765BE27
SHA-256:	E09F42C398D688DCE168570291F1F92D079987DEDA3099A34ADB9E8C0522B30C
SHA-512:	E9A4FC1F7CB6AE2901F8E02354A92C4AAA7A53C640DCF692DB42A27A5ACC2A3BFB25A0DE0EB08AB53983132016E7D43132EA4292E439BB636AAFD53FB6EF907E
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 768, next free block index 3284796353, field type 0
Category:	dropped
Size (bytes):	262512
Entropy (8bit):	9.553120663130604E-4
Encrypted:	false
SSDEEP:	3:LsNlDDJ5a:Ls3fJ5
MD5:	9B2EB11BABFABC3A31C7C440E210D5CB
SHA1:	869E9BB2B0E56A8BDB21808029FBAF6A71B8ACF7
SHA-256:	FEF068D03562EA1408455D73A1DFC4B58AFD403D8046CA31BABFFD730C7F43E2
SHA-512:	270CA0F75E56538850A02B1E6AEF94D0C0998871D37167D80A47FF39DEACF8A0AD14A0FB8A65CE4C465E2F37A2C2D6EC549B110645D43288E1387A153A96C411
Malicious:	false
Preview:	.........................................'&,../.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	405
Entropy (8bit):	5.176637382835414
Encrypted:	false
SSDEEP:	12:PaWJAMYebqqBvFLnaWS9+v4YebqqBQFUv:CoBYebq8LaA4YebqZ2
MD5:	8ED8363058F3D6F298FAD6FEA66F046B
SHA1:	F733D7F87DB2B2391BE60537128C223FA8EB44CA
SHA-256:	04EB11A65B486BE12BF110882F658C2544C69537D0424A61727D3DF2A1DD3170
SHA-512:	E16629ED511FAB7A1C0DEB05CB6648EC43A1AA7A976E192BE1E8E9F83022E829994EFF0C82189F2116E1BE8F5A890046BFD86C60C78596EE7B3507001D41CCDF
Malicious:	false
Preview:	2024/09/04-03:11:55.519 1e0c Creating DB C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb since it was missing..2024/09/04-03:11:55.553 1e0c Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb/MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\37f186b9-1b40-4eae-9e7a-7fcc7c541fa2.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	40
Entropy (8bit):	4.1275671571169275
Encrypted:	false
SSDEEP:	3:Y2ktGMxkAXWMSN:Y2xFMSN
MD5:	20D4B8FA017A12A108C87F540836E250
SHA1:	1AC617FAC131262B6D3CE1F52F5907E31D5F6F00
SHA-256:	6028BD681DBF11A0A58DDE8A0CD884115C04CAA59D080BA51BDE1B086CE0079D
SHA-512:	507B2B8A8A168FF8F2BDAFA5D9D341C44501A5F17D9F63F3D43BD586BC9E8AE33221887869FA86F845B7D067CB7D2A7009EFD71DDA36E03A40A74FEE04B86856
Malicious:	false
Preview:	{"SDCH":{"dictionaries":{},"version":2}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\416fb995-8180-4a26-b019-6a9c8322fdfa.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	111
Entropy (8bit):	4.718418993774295
Encrypted:	false
SSDEEP:	3:YLb9N+eAXRfHDH2LS7PMVKJq0nMb1KKtiVY:YHpoeS7PMVKJTnMRK3VY
MD5:	285252A2F6327D41EAB203DC2F402C67
SHA1:	ACEDB7BA5FBC3CE914A8BF386A6F72CA7BAA33C6
SHA-256:	5DFC321417FC31359F23320EA68014EBFD793C5BBED55F77DAB4180BBD4A2026
SHA-512:	11CE7CB484FEE66894E63C31DB0D6B7EF66AD0327D4E7E2EB85F3BCC2E836A3A522C68D681E84542E471E54F765E091EFE1EE4065641B0299B15613EB32DCC0D
Malicious:	false
Preview:	{"net":{"http_server_properties":{"servers":[],"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"4G"}}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\59c0a184-18bc-405a-8d5a-18219ddd9e95.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	59
Entropy (8bit):	4.619434150836742
Encrypted:	false
SSDEEP:	3:YLbkVKJq0nMb1KKtiVY:YHkVKJTnMRK3VY
MD5:	2800881C775077E1C4B6E06BF4676DE4
SHA1:	2873631068C8B3B9495638C865915BE822442C8B
SHA-256:	226EEC4486509917AA336AFEBD6FF65777B75B65F1FB06891D2A857A9421A974
SHA-512:	E342407AB65CC68F1B3FD706CD0A37680A0864FFD30A6539730180EDE2CDCD732CC97AE0B9EF7DB12DA5C0F83E429DF0840DBF7596ACA859A0301665E517377B
Malicious:	false
Preview:	{"net":{"network_qualities":{"CAESABiAgICA+P////8B":"4G"}}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\Network Persistent State (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	59
Entropy (8bit):	4.619434150836742
Encrypted:	false
SSDEEP:	3:YLbkVKJq0nMb1KKtiVY:YHkVKJTnMRK3VY
MD5:	2800881C775077E1C4B6E06BF4676DE4
SHA1:	2873631068C8B3B9495638C865915BE822442C8B
SHA-256:	226EEC4486509917AA336AFEBD6FF65777B75B65F1FB06891D2A857A9421A974
SHA-512:	E342407AB65CC68F1B3FD706CD0A37680A0864FFD30A6539730180EDE2CDCD732CC97AE0B9EF7DB12DA5C0F83E429DF0840DBF7596ACA859A0301665E517377B
Malicious:	false
Preview:	{"net":{"network_qualities":{"CAESABiAgICA+P////8B":"4G"}}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\Network Persistent State~RF4436e.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	59
Entropy (8bit):	4.619434150836742
Encrypted:	false
SSDEEP:	3:YLbkVKJq0nMb1KKtiVY:YHkVKJTnMRK3VY
MD5:	2800881C775077E1C4B6E06BF4676DE4
SHA1:	2873631068C8B3B9495638C865915BE822442C8B
SHA-256:	226EEC4486509917AA336AFEBD6FF65777B75B65F1FB06891D2A857A9421A974
SHA-512:	E342407AB65CC68F1B3FD706CD0A37680A0864FFD30A6539730180EDE2CDCD732CC97AE0B9EF7DB12DA5C0F83E429DF0840DBF7596ACA859A0301665E517377B
Malicious:	false
Preview:	{"net":{"network_qualities":{"CAESABiAgICA+P////8B":"4G"}}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\Reporting and NEL

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 9, cookie 0x4, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	36864
Entropy (8bit):	0.5559635235158827
Encrypted:	false
SSDEEP:	48:T6IopKWurJNVr1GJmA8pv82pfurJNVrdHXuccaurJN2VrJ1n4n1GmzNGU1cSB:OIEumQv8m1ccnvS6
MD5:	9AAAE8C040B616D1378F3E0E17689A29
SHA1:	F91E7DE07F1DA14D15D067E1F50C3B84A328DBB7
SHA-256:	5B94D63C31AE795661F69B9D10E8BFD115584CD6FEF5FBB7AA483FDC6A66945B
SHA-512:	436202AB8B6BB0318A30946108E6722DFF781F462EE05980C14F57F347EDDCF8119E236C3290B580CEF6902E1B59FB4F546D6BD69F62479805B39AB0F3308EC1
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...D.........7............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\SCT Auditing Pending Reports (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\Sdch Dictionaries (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	40
Entropy (8bit):	4.1275671571169275
Encrypted:	false
SSDEEP:	3:Y2ktGMxkAXWMSN:Y2xFMSN
MD5:	20D4B8FA017A12A108C87F540836E250
SHA1:	1AC617FAC131262B6D3CE1F52F5907E31D5F6F00
SHA-256:	6028BD681DBF11A0A58DDE8A0CD884115C04CAA59D080BA51BDE1B086CE0079D
SHA-512:	507B2B8A8A168FF8F2BDAFA5D9D341C44501A5F17D9F63F3D43BD586BC9E8AE33221887869FA86F845B7D067CB7D2A7009EFD71DDA36E03A40A74FEE04B86856
Malicious:	false
Preview:	{"SDCH":{"dictionaries":{},"version":2}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\Trust Tokens

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 9, cookie 0x6, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	36864
Entropy (8bit):	0.36515621748816035
Encrypted:	false
SSDEEP:	24:TLH3lIIAoDJ84l5lDlnDMlRlyKDtM6UwccWfp15fBIe:Tb31DtX5nDOvyKDhU1cSB
MD5:	25363ADC3C9D98BAD1A33D0792405CBF
SHA1:	D06E343087D86EF1A06F7479D81B26C90A60B5C3
SHA-256:	6E019B8B9E389216D5BDF1F2FE63F41EF98E71DA101F2A6BE04F41CC5954532D
SHA-512:	CF7EEE35D0E00945AF221BEC531E8BF06C08880DA00BD103FA561BC069D7C6F955CBA3C1C152A4884601E5A670B7487D39B4AE9A4D554ED8C14F129A74E555F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.......X..g...}.....$.X..............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\c7376ac5-d0d6-4291-8a2e-706e36359414.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Session Storage\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Session Storage\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	61
Entropy (8bit):	3.7273991737283296
Encrypted:	false
SSDEEP:	3:S8ltHlS+QUl1ASEGhTFl:S85aEFl
MD5:	9F7EADC15E13D0608B4E4D590499AE2E
SHA1:	AFB27F5C20B117031328E12DD3111A7681FF8DB5
SHA-256:	5C3A5B578AB9FE853EAD7040BC161929EA4F6902073BA2B8BB84487622B98923
SHA-512:	88455784C705F565C70FA0A549C54E2492976E14643E9DD0A8E58C560D003914313DF483F096BD33EC718AEEC7667B8DE063A73627AA3436BA6E7E562E565B3F
Malicious:	false
Preview:	*...#................version.1..namespace-..&f...............

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Session Storage\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Session Storage\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	393
Entropy (8bit):	5.153611747363445
Encrypted:	false
SSDEEP:	6:PzhAB1923oH+Tcwt0jqEKj0QM72KLll/9+q2P923oH+Tcwt0jqEKj0QMxIFUv:PdAMYebqqB6Ln/9+v4YebqqBZFUv
MD5:	F0413CA35C33FFFC90F7C14EEB6242AA
SHA1:	FA4DF4E56E662C9BAEF2F35D234FA92758BF0A8E
SHA-256:	997108008093B099559CC6F99BDEA42C201078740137213CED9FC61F1DA1E6B4
SHA-512:	984CC389815EB1DF5CF00276C7EAE51DAA3CFB2E35E00D204D480C063262BC91D57D05EF48BC1633324144D40CB80B4D21FF8401482D7BD8C4CBF1D581783554
Malicious:	false
Preview:	2024/09/04-03:12:11.367 1e0c Creating DB C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Session Storage since it was missing..2024/09/04-03:12:11.403 1e0c Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Session Storage/MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Session Storage\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Sync Data\LevelDB\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Sync Data\LevelDB\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	46
Entropy (8bit):	4.019797536844534
Encrypted:	false
SSDEEP:	3:sLollttz6sjlGXU2tkn:qolXtWswXU2tkn
MD5:	90881C9C26F29FCA29815A08BA858544
SHA1:	06FEE974987B91D82C2839A4BB12991FA99E1BDD
SHA-256:	A2CA52E34B6138624AC2DD20349CDE28482143B837DB40A7F0FBDA023077C26A
SHA-512:	15F7F8197B4FC46C4C5C2570FB1F6DD73CB125F9EE53DFA67F5A0D944543C5347BDAB5CCE95E91DD6C948C9023E23C7F9D76CFF990E623178C92F8D49150A625
Malicious:	false
Preview:	...n'................_mts_schema_descriptor...

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Sync Data\LevelDB\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Sync Data\LevelDB\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	299
Entropy (8bit):	5.212653332896842
Encrypted:	false
SSDEEP:	6:PalvUSD1923oH+Tcwtkx2KLllaOAN+q2P923oH+TcwtCIFUv:Pa9UfYebkVLnabN+v4YebLFUv
MD5:	6349B8D3294CB4F52685F097D0421669
SHA1:	DBA351987A58C7B753C738E562CDC2E78B7BDA7C
SHA-256:	6E7E5E4858B3361A6554CBD7F986DFD344A3C94672CA5F8B7B9325CC21DF0D04
SHA-512:	F247FE8E7CA7D25F926160C3A280F3A3C468820FCE7204CAA6C4F00FE30904A8E0F7A651FF5757597D8301986CF1F66656D50F42EC4FAF9D65EF4B7D1FAB5BD5
Malicious:	false
Preview:	2024/09/04-03:11:53.460 1d4c Creating DB C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Sync Data\LevelDB since it was missing..2024/09/04-03:11:53.507 1d4c Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Sync Data\LevelDB/MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Sync Data\LevelDB\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Top Sites

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 5, cookie 0x2, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.3528485475628876
Encrypted:	false
SSDEEP:	12:TLiN6CZhDu6MvDOF5yEHFxOUwa5qguYZ75fOSiPe2d:TLiwCZwE8I6Uwcco5fBtC
MD5:	F2B4FB2D384AA4E4D6F4AEB0BBA217DC
SHA1:	2CD70CFB3CE72D9B079170C360C1F563B6BF150E
SHA-256:	1ECC07CD1D383472DAD33D2A5766625009EA5EACBAEDE2417ADA1842654CBBC8
SHA-512:	48D03991660FA1598B3E002F5BC5F0F05E9696BCB2289240FA8CCBB2C030CDD23245D4ECC0C64DA1E7C54B092C3E60AE0427358F63087018BF0E6CEDC471DD34
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g.....4....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Visited Links

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	0.002110589502647469
Encrypted:	false
SSDEEP:	3:ImtV0SRFtl:IiV0SNl
MD5:	DF8592963801D508FCEB9FC827CCA7AF
SHA1:	FD7FA71529448BE1B71ABA8DDFD077C2B76A2D34
SHA-256:	B540DDC30BBA6B77E30A5826E2EB77CCF4188B3E29B7158EE5C7C6DF84309A72
SHA-512:	BD1893FA9A5F367F5FF53435D398C0676672D26D73022A0CCC12FBD93A006A355C6EB15FC74E75E4FEE15B32060B018BA0590A8792F69A58334E62A628857A5B
Malicious:	false
Preview:	VLnk.....?......+.wl....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Web Data

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 4, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	182272
Entropy (8bit):	1.0766846350070096
Encrypted:	false
SSDEEP:	192:erb2qAdB9TbTbuDDsnxCkOvSAE+WslKOMq+vVumYP5n66:e/2qOB1nxCkOvSAELyKOMq+vVumSp
MD5:	C9A82134ACFF48C64480FAE82DCD4140
SHA1:	EF0C3060C7369B4C15F4E2186D3169DAF7B95614
SHA-256:	C329BD1885D770F4B1AC1E58D322AB9211583B29927C7F8193456D226EE34711
SHA-512:	C939D362BFFEBFFDB16B973CB77EB55465F57D1AC9FB7F1CF7CE5B86CBE5822DB44045624C3D8F6E3CAA781E756F104782B1AED60F9B81E4CEE199D554ADF66E
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\WebAssistDatabase

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 10, database pages 7, cookie 0xb, schema 4, UTF-8, version-valid-for 10
Category:	dropped
Size (bytes):	14336
Entropy (8bit):	0.7836182415564406
Encrypted:	false
SSDEEP:	24:LLqlCouxhK3thdkSdj5QjUsEGcGBXp22iSBgm+xjgm:uOK3tjkSdj5IUltGhp22iSBgm+xj/
MD5:	AA9965434F66985F0979719F3035C6E1
SHA1:	39FC31CBB2BB4F8FA8FB6C34154FB48FBCBAEEF4
SHA-256:	F42877E694E9AFC76E1BBA279F6EC259E28A7E7C574EFDCC15D58EFAE06ECA09
SHA-512:	201667EAA3DF7DBCCF296DE6FCF4E79897C1BB744E29EF37235C44821A18EAD78697DFEB9253AA01C0DC28E5758E2AF50852685CDC9ECA1010DBAEE642590CEA
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..................n..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\arbitration_service_config.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text, with very long lines (3951), with CRLF line terminators
Category:	dropped
Size (bytes):	11755
Entropy (8bit):	5.190465908239046
Encrypted:	false
SSDEEP:	192:hH4vrmqRBB4W4PoiUDNaxvR5FCHFcoaSbqGEDI:hH4vrmUB6W4jR3GaSbqGEDI
MD5:	07301A857C41B5854E6F84CA00B81EA0
SHA1:	7441FC1018508FF4F3DBAA139A21634C08ED979C
SHA-256:	2343C541E095E1D5F202E8D2A0807113E69E1969AF8E15E3644C51DB0BF33FBF
SHA-512:	00ADE38E9D2F07C64648202F1D5F18A2DFB2781C0517EAEBCD567D8A77DBB7CB40A58B7C7D4EC03336A63A20D2E11DD64448F020C6FF72F06CA870AA2B4765E0
Malicious:	false
Preview:	{.. "DefaultCohort": {.. "21f3388b-c2a5-4791-8f6e-a4cad6d17f4f.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.BingHomePage.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.Covid.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.Finance.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.Jobs.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.KnowledgeCard.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.Local.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.NTP3PCLICK.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.NotifySearchPage.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.Recipe.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.SearchPage.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.Sports.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.Travel.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.Weather.Bubble": 1,.. "2cb2db96-3bd0-403e-abe2-9269b3761041.Bubble": 1,.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\b56be7c3-6e35-4032-b4d4-a21743a99d49.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	6528
Entropy (8bit):	4.975857128743755
Encrypted:	false
SSDEEP:	96:stTqfnis1Db91V9N8zZDs85eh6Cb7/x+6MhmuecmAeFZQG2Mu/EJ:stTPsn9NkZDs88bV+FiAePuMJ
MD5:	32098654A7CFB8D8248975BCD62CBC70
SHA1:	8B8EBAB09393801EDA493B17D4EB33B948C4D330
SHA-256:	EFD6D0C2AC76AB60A32BDB3D1D886BD2BFD8C2BBF79CC983C12FAAFD3E5EDF55
SHA-512:	4577442F1C5D095F538EF8B47DD1814666C8636B96DA0E27F2CF22A241E03B88C7CBD632BB2A935708F1DA5BC216DAB1C35FDA346C8C698BA79E31655445E2C1
Malicious:	false
Preview:	{"aadc_info":{"age_group":0},"account_tracker_service_last_update":"13369907515229854","alternate_error_pages":{"backup":true},"apps":{"shortcuts_arch":"","shortcuts_version":0},"arbitration_using_experiment_config":false,"browser":{"available_dark_theme_options":"All","has_seen_welcome_page":false},"continuous_migration":{"ci_correction_for_holdout_treatment_state":1},"countryid_at_install":17224,"custom_links":{"list":[]},"domain_diversity":{"last_reporting_timestamp":"13369907513975494"},"download":{"default_directory":"C:\\Users\\user\\AppData\\Local\\Microsoft\\Edge\\KioskDownloads\\","directory_upgrade":true},"dual_engine":{"consumer_mode":{"ie_user":false},"consumer_site_list_with_ie_entries":false,"consumer_sitelist_location":"","consumer_sitelist_version":"","external_consumer_shared_cookie_data":{},"shared_cookie_data":{},"sitelist_data_2":{},"sitelist_has_consumer_data":false,"sitelist_has_enterprise_data":false,"sitelist_location":"","sitelist_source":0,"sitelist_version"

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\c2841f7d-a15c-46fd-a9a9-6951768e8839.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:L:L
MD5:	5058F1AF8388633F609CADB75A75DC9D
SHA1:	3A52CE780950D4D969792A2559CD519D7EE8C727
SHA-256:	CDB4EE2AEA69CC6A83331BBE96DC2CAA9A299D21329EFB0336FC02A82E1839A8
SHA-512:	0B61241D7C17BCBB1BAEE7094D14B7C451EFECC7FFCBD92598A0F13D313CC9EBC2A07E61F007BAF58FBF94FF9A8695BDD5CAE7CE03BBF1E94E93613A00F25F21
Malicious:	false
Preview:	.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\ea3f27b9-ce5a-44a3-885a-2568d72dc9ef.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	6426
Entropy (8bit):	4.973807339878892
Encrypted:	false
SSDEEP:	96:stTqfnis1Db91V9N8zZDs85eh6Cb7/x+6MhmuecmAeFmQG2Mu/EJ:stTPsn9NkZDs88bV+FiAzPuMJ
MD5:	3A7D575F4B100D44DE95F7D5EB53737A
SHA1:	A6F1BA3446B4886DDA21452AF41A8F8204635E4B
SHA-256:	DF052010941C6D0B6A12F8C179E77CEDE08B8C39EE4A3F33CD980EC426046EC4
SHA-512:	5D125D219DB73FE9A07AC1B705CD158A279744A8FB30B7DD8F32633C4A2B455A7112E1EDC688F1A772D03B45B965DDC22F1626D096FB3248099977B103E518B8
Malicious:	false
Preview:	{"aadc_info":{"age_group":0},"account_tracker_service_last_update":"13369907515229854","alternate_error_pages":{"backup":true},"apps":{"shortcuts_arch":"","shortcuts_version":0},"arbitration_using_experiment_config":false,"browser":{"available_dark_theme_options":"All","has_seen_welcome_page":false},"continuous_migration":{"ci_correction_for_holdout_treatment_state":1},"countryid_at_install":17224,"custom_links":{"list":[]},"domain_diversity":{"last_reporting_timestamp":"13369907513975494"},"download":{"default_directory":"C:\\Users\\user\\AppData\\Local\\Microsoft\\Edge\\KioskDownloads\\","directory_upgrade":true},"dual_engine":{"consumer_mode":{"ie_user":false},"consumer_site_list_with_ie_entries":false,"consumer_sitelist_location":"","consumer_sitelist_version":"","external_consumer_shared_cookie_data":{},"shared_cookie_data":{},"sitelist_data_2":{},"sitelist_has_consumer_data":false,"sitelist_has_enterprise_data":false,"sitelist_location":"","sitelist_source":0,"sitelist_version"

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\f04d920a-54d7-48c7-ae8a-ffcde39be0ab.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:L:L
MD5:	5058F1AF8388633F609CADB75A75DC9D
SHA1:	3A52CE780950D4D969792A2559CD519D7EE8C727
SHA-256:	CDB4EE2AEA69CC6A83331BBE96DC2CAA9A299D21329EFB0336FC02A82E1839A8
SHA-512:	0B61241D7C17BCBB1BAEE7094D14B7C451EFECC7FFCBD92598A0F13D313CC9EBC2A07E61F007BAF58FBF94FF9A8695BDD5CAE7CE03BBF1E94E93613A00F25F21
Malicious:	false
Preview:	.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\heavy_ad_intervention_opt_out.db

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 2, database pages 4, cookie 0x2, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.35226517389931394
Encrypted:	false
SSDEEP:	12:TLC+waBg9LBgVDBgQjiZBgKuFtuQkMbmgcVAzO5kMCgGUg5OR:TLPdBgtBgJBgQjiZS53uQFE27MCgGZsR
MD5:	D2CCDC36225684AAE8FA563AFEDB14E7
SHA1:	3759649035F23004A4C30A14C5F0B54191BEBF80
SHA-256:	080AEE864047C67CB1586A5BA5EDA007AFD18ECC2B702638287E386F159D7AEE
SHA-512:	1A915AF643D688CA68AEDC1FF26C407D960D18DFDE838B417C437D7ADAC7B91C906E782DCC414784E64287915BD1DE5BB6A282E59AA9FEB8C384B4D4BC5F70EC
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.......Q......Q......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\load_statistics.db

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, writer version 2, read version 2, file counter 1, database pages 1, cookie 0, schema 0, unknown 0 encoding, version-valid-for 1
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.0905602561507182
Encrypted:	false
SSDEEP:	3:lSWFN3sl+ltlMWll:l9Fys1M
MD5:	A8E75ACC11904CB877E15A0D0DE03941
SHA1:	FBEE05EA246A7F08F7390237EA8B7E49204EF0E0
SHA-256:	D78C40FEBE1BA7EC83660B78E3F6AB7BC45AB822B8F21B03B16B9CB4F3B3A259
SHA-512:	A7B52B0575D451466A47AFFE3DCC0BC7FC9A6F8AB8194DA1F046AADA0EDDCCA76B4326AA9F19732BA50359B51EC72896BB8FA2FC23BAA6847C33AB51218511A4
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\load_statistics.db-journal

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite Rollback Journal
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.28499812076190567
Encrypted:	false
SSDEEP:	3:7FEG2l/0V/l/FlFll:7+/l/Q
MD5:	C41EC32633D00C357CC3E99B199EB7D7
SHA1:	96EE5F947A4AE61A272D3645E5CD9F99DA7041F0
SHA-256:	C1B3655E33FD23086F0F3E7148BF53AF8569233B23737ED206F00689C730CD17
SHA-512:	9D57C81D56F29523DA9D09DC2D855D0FB1829A8DC535A7C4B8E6D90DCF788C037FEF584FF504BE78BA1941A074EC1D2F354B3E9DC1F746CB5D9511F1B904FF57
Malicious:	false
Preview:	.... .c........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\load_statistics.db-shm

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.04999003977853625
Encrypted:	false
SSDEEP:	6:GLW0HptwW0HptLML9X8hslotGLNl0ml/XoQDeX:aJtOJtEGEjVl/XoQ
MD5:	26009B8A56BC063CB01C5B1798462F25
SHA1:	61FAA18415D8B4BFF1290AE7857E6463BF32BF1A
SHA-256:	ACA60F960C380497EA6DEEF119D546B601DD7F9118B2ECA7288233B56B7AE89F
SHA-512:	E3CC292EEF8CB9AC581C12A2F5E5EE22070742D2D1027B03F9895D91F34FA8E06BED52295725FE69478B9B31EF9821756C60C6473ABED829F9210A40E14453DB
Malicious:	false
Preview:	..-...............................[:..u..`a.O...-...............................[:..u..`a.O.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\load_statistics.db-wal

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite Write-Ahead Log, version 3007000
Category:	dropped
Size (bytes):	70072
Entropy (8bit):	0.9986737763054836
Encrypted:	false
SSDEEP:	48:+zxUlO+H5cbX+28n9VAKAFXX+/V2VAKAFXX++xOqVAKAFXX+4LnUYVAKAFXX+DDw:2xYHD25Ns/TNsMO5Ns46NsDDxO
MD5:	86F61BB5B8A9F19AC415F503F3AA30F8
SHA1:	7D94641D86F1C0A66CD95CAAFF03B03BC6ED8805
SHA-256:	EB1F2F87E0158813BB062EA55D14C9E1D15D7D703CDBF1C9F41377A90EF9DA4A
SHA-512:	FF5745BC2D31DBEA9D8EEF6ED94ED6016A58489B09BB7D4A72E78425D0BAC26DAA374FF4EF0BE91DD921989D990AD3B0A9A453098EFDF04B4693A93BFBB0EFA4
Malicious:	false
Preview:	7....-.............[:..r..]N.............[:..c.k1...SQLite format 3......@ ..........................................................................j.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\shared_proto_db\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\shared_proto_db\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	modified
Size (bytes):	1566
Entropy (8bit):	5.486093957647574
Encrypted:	false
SSDEEP:	48:gB8TSBSqQclUP+HRHoxuIYjIYczcqkNMYjMYBy7AlkfAlkd3s:W0qQaIYjIYczcbNMYjMYoYcYw3s
MD5:	B9103FF0AC4DAACAD047673AC8EA9235
SHA1:	A9F7D30BF74A6E61DA6D8C4DDF4B4E5E083D01B3
SHA-256:	ED76FB85FFA70E31197A625C0B70773B8717C5BC3A92E5C309B999E058666173
SHA-512:	B1A04C52329AF237E3027A05BB452B3D0928D33CAB0D01ABB3C61B3985BF8E64BD922556288327867F441CC8A4E4A0D09DE5761C498B737EAC5CBC23571BF5C2
Malicious:	false
Preview:	A..r.................20_1_1...1.,U.................20_1_1...1..&f....................................4_IPH_CompanionSidePanel...IPH_CompanionSidePanel.....$4_IPH_CompanionSidePanelRegionSearch(."IPH_CompanionSidePanelRegionSearch......4_IPH_DownloadToolbarButton...IPH_DownloadToolbarButton.....&4_IPH_FocusHelpBubbleScreenReaderPromo.$IPH_FocusHelpBubbleScreenReaderPromo......4_IPH_GMCCastStartStop...IPH_GMCCastStartStop......4_IPH_HighEfficiencyMode...IPH_HighEfficiencyMode......4_IPH_LiveCaption...IPH_LiveCaption......4_IPH_PasswordsAccountStorage!..IPH_PasswordsAccountStorage....."4_IPH_PasswordsWebAppProfileSwitch&. IPH_PasswordsWebAppProfileSwitch.....-4_IPH_PriceInsightsPageActionIconLabelFeature1.+IPH_PriceInsightsPageActionIconLabelFeature......4_IPH_PriceTrackingChipFeature"..IPH_PriceTrackingChipFeature.....&4_IPH_PriceTrackingEmailConsentFeature.$IPH_PriceTrackingEmailConsentFeature.....-4_IPH_PriceTrackingPageActionIconLabelFeature1.+IPH_PriceTrackingPageActionIconLabelFe

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\shared_proto_db\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\shared_proto_db\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	295
Entropy (8bit):	5.24985343238742
Encrypted:	false
SSDEEP:	6:Pa7AD1923oH+Tcwt0rl2KLllaZ5FN+q2P923oH+Tcwt0rK+IFUv:PakmYebeLna7FN+v4Yeb13FUv
MD5:	68CFB13AC5BDFDA13DEC5EE9B9FEDB79
SHA1:	4057551FA56F3E11C9524C76804B7695C789051F
SHA-256:	81D135B3325D3507F16539A15CEA2959987EC87445DE51FF1DC8FD47F48F6E0D
SHA-512:	450E39A3A0EE06C1326665B0780CA87997486B72D43A839E7758DAFAFB89B98F306849CD46C5B28485EFD817750D0A813A36D6EF60934069F34EF885370EB425
Malicious:	false
Preview:	2024/09/04-03:11:54.785 1d4c Creating DB C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\shared_proto_db since it was missing..2024/09/04-03:11:54.797 1d4c Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\shared_proto_db/MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\shared_proto_db\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\shared_proto_db\metadata\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\shared_proto_db\metadata\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	729
Entropy (8bit):	3.958141412815535
Encrypted:	false
SSDEEP:	12:G0nYUtTNop//z3p/Wui+it/4JbZfPStub/RG0lbANqa:G0nYUtypD3RXi6FZfc25m
MD5:	FBC524D02048C176A0A5D1B8B752932A
SHA1:	294C48557549A4C978326D9B7969E293A024F157
SHA-256:	F3FC95AE128DB918FC126F15CD9D96618482BA6ACCC622AAA19B10CE80B15EA0
SHA-512:	9B6434442E11610B8B5DDA43AA56656599925C9C8F0A364DDB69D15B37A912D223EE600012468E0DB723CAF3546FFBDF56F085A0159EA7968BBACE894AAFF856
Malicious:	false
Preview:	.h.6.................__global... .t...................__global... .9..b.................33_..........................33_........v.................21_.....vuNX.................21_.....<...................20_.....,.1..................19_.....QL.s.................18_.....!....................3_.....n.b..................4_.........................37_.......`.................38_.....].$&.................39_.....4.9..................20_......R...................20_.......1..................19_......(...................18_.....:.=..................3_......W2..................4_.....)..>.................37_..........................38_.....h.#..................39_.....P"...................9_.........................9_.....

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\shared_proto_db\metadata\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\shared_proto_db\metadata\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	313
Entropy (8bit):	5.214250563124712
Encrypted:	false
SSDEEP:	6:Padq1923oH+Tcwt0rzs52KLlla6SN+q2P923oH+Tcwt0rzAdIFUv:PahYeb99Lna6i+v4YebyFUv
MD5:	4AA92A7DD58C21E0AA7E010BF41F50BC
SHA1:	A4DD9BB0904BF7E4FA03CAF378C456AD5A0D71D3
SHA-256:	7BAEFFA675FF53BA1F6448B378C967ED3A80D99B77A2F430EF527BA31989F8AB
SHA-512:	8154E010F8D2ABB1AC3BC16273D15DC03E30CD8E7AC391F47508906F338D45275C7AD0AA9EB1A070173595CAE6E7222EC2F52AA5DA22358BA3C6A94362762517
Malicious:	false
Preview:	2024/09/04-03:11:53.988 1d4c Creating DB C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\shared_proto_db\metadata since it was missing..2024/09/04-03:11:54.782 1d4c Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\shared_proto_db\metadata/MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\shared_proto_db\metadata\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\GrShaderCache\data_0

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 512, next free block index 3284796609, field type 0
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.01057775872642915
Encrypted:	false
SSDEEP:	3:MsFl:/F
MD5:	CF89D16BB9107C631DAABF0C0EE58EFB
SHA1:	3AE5D3A7CF1F94A56E42F9A58D90A0B9616AE74B
SHA-256:	D6A5FE39CD672781B256E0E3102F7022635F1D4BB7CFCC90A80FFFE4D0F3877E
SHA-512:	8CB5B059C8105EB91E74A7D5952437AAA1ADA89763C5843E7B0F1B93D9EBE15ED40F287C652229291FAC02D712CF7FF5ECECEF276BA0D7DDC35558A3EC3F77B0
Malicious:	false
Preview:	............$...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\GrShaderCache\data_1

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	270336
Entropy (8bit):	8.280239615765425E-4
Encrypted:	false
SSDEEP:	3:MsEllllkEthXllkl2:/M/xT02
MD5:	D0D388F3865D0523E451D6BA0BE34CC4
SHA1:	8571C6A52AACC2747C048E3419E5657B74612995
SHA-256:	902F30C1FB0597D0734BC34B979EC5D131F8F39A4B71B338083821216EC8D61B
SHA-512:	376011D00DE659EB6082A74E862CFAC97A9BB508E0B740761505142E2D24EC1C30AA61EFBC1C0DD08FF0F34734444DE7F77DD90A6CA42B48A4C7FAD5F0BDDD17
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\GrShaderCache\data_2

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.011852361981932763
Encrypted:	false
SSDEEP:	3:MsHlDll:/H
MD5:	0962291D6D367570BEE5454721C17E11
SHA1:	59D10A893EF321A706A9255176761366115BEDCB
SHA-256:	EC1702806F4CC7C42A82FC2B38E89835FDE7C64BB32060E0823C9077CA92EFB7
SHA-512:	F555E961B69E09628EAF9C61F465871E6984CD4D31014F954BB747351DAD9CEA6D17C1DB4BCA2C1EB7F187CB5F3C0518748C339C8B43BBD1DBD94AEAA16F58ED
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\GrShaderCache\data_3

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.012340643231932763
Encrypted:	false
SSDEEP:	3:MsGl3ll:/y
MD5:	41876349CB12D6DB992F1309F22DF3F0
SHA1:	5CF26B3420FC0302CD0A71E8D029739B8765BE27
SHA-256:	E09F42C398D688DCE168570291F1F92D079987DEDA3099A34ADB9E8C0522B30C
SHA-512:	E9A4FC1F7CB6AE2901F8E02354A92C4AAA7A53C640DCF692DB42A27A5ACC2A3BFB25A0DE0EB08AB53983132016E7D43132EA4292E439BB636AAFD53FB6EF907E
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\GrShaderCache\index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 768, next free block index 3284796353, field type 0
Category:	dropped
Size (bytes):	262512
Entropy (8bit):	8.81240594570408E-4
Encrypted:	false
SSDEEP:	3:LsNlGB:Ls3
MD5:	FFBC9F8E45C2BC6526C8D40503BC7363
SHA1:	3030991A4EB8E0EA8A44ECF28B812BF42D173E2E
SHA-256:	8542B5C06AF5E179CF4F9DB1149B3D50FE0BF6D6EFD817320DDA752F59E2C69E
SHA-512:	1430E33627FC361E8E00BADC5B58CD75784A8E416D36B71B6192D57325E76AA0C9D9E45E1CF02334770A4DF0BE7D50844A1D4A7C1B2626BE95C632A32145791B
Malicious:	false
Preview:	........................................+.(,../.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\GraphiteDawnCache\data_0

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 512, next free block index 3284796609, field type 0
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.01057775872642915
Encrypted:	false
SSDEEP:	3:MsFl:/F
MD5:	CF89D16BB9107C631DAABF0C0EE58EFB
SHA1:	3AE5D3A7CF1F94A56E42F9A58D90A0B9616AE74B
SHA-256:	D6A5FE39CD672781B256E0E3102F7022635F1D4BB7CFCC90A80FFFE4D0F3877E
SHA-512:	8CB5B059C8105EB91E74A7D5952437AAA1ADA89763C5843E7B0F1B93D9EBE15ED40F287C652229291FAC02D712CF7FF5ECECEF276BA0D7DDC35558A3EC3F77B0
Malicious:	false
Preview:	............$...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\GraphiteDawnCache\data_1

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	270336
Entropy (8bit):	8.280239615765425E-4
Encrypted:	false
SSDEEP:	3:MsEllllkEthXllkl2:/M/xT02
MD5:	D0D388F3865D0523E451D6BA0BE34CC4
SHA1:	8571C6A52AACC2747C048E3419E5657B74612995
SHA-256:	902F30C1FB0597D0734BC34B979EC5D131F8F39A4B71B338083821216EC8D61B
SHA-512:	376011D00DE659EB6082A74E862CFAC97A9BB508E0B740761505142E2D24EC1C30AA61EFBC1C0DD08FF0F34734444DE7F77DD90A6CA42B48A4C7FAD5F0BDDD17
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\GraphiteDawnCache\data_2

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.011852361981932763
Encrypted:	false
SSDEEP:	3:MsHlDll:/H
MD5:	0962291D6D367570BEE5454721C17E11
SHA1:	59D10A893EF321A706A9255176761366115BEDCB
SHA-256:	EC1702806F4CC7C42A82FC2B38E89835FDE7C64BB32060E0823C9077CA92EFB7
SHA-512:	F555E961B69E09628EAF9C61F465871E6984CD4D31014F954BB747351DAD9CEA6D17C1DB4BCA2C1EB7F187CB5F3C0518748C339C8B43BBD1DBD94AEAA16F58ED
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\GraphiteDawnCache\data_3

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.012340643231932763
Encrypted:	false
SSDEEP:	3:MsGl3ll:/y
MD5:	41876349CB12D6DB992F1309F22DF3F0
SHA1:	5CF26B3420FC0302CD0A71E8D029739B8765BE27
SHA-256:	E09F42C398D688DCE168570291F1F92D079987DEDA3099A34ADB9E8C0522B30C
SHA-512:	E9A4FC1F7CB6AE2901F8E02354A92C4AAA7A53C640DCF692DB42A27A5ACC2A3BFB25A0DE0EB08AB53983132016E7D43132EA4292E439BB636AAFD53FB6EF907E
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\GraphiteDawnCache\index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 768, next free block index 3284796353, field type 0
Category:	dropped
Size (bytes):	262512
Entropy (8bit):	9.553120663130604E-4
Encrypted:	false
SSDEEP:	3:LsNlnNxl:Ls3l
MD5:	E9E197062428050EED4592C8E68A72FB
SHA1:	4B11C3B15924AA6C78D7FD19AF0444BAFFB1A64D
SHA-256:	B90B707D7E11D9D83982D63FAE0C0CD7212BD14124095726D8EE7A9B021CCDD5
SHA-512:	7DA97715D5358D7126E782FE3F02CCA27FF111E30ADB63CC203D86127C14E9B75BD01BA532E031C668A387D413B71625D63FDCF1E97BBB24FE4FA852CB5B5773
Malicious:	false
Preview:	..........................................(,../.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Last Browser

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	120
Entropy (8bit):	3.32524464792714
Encrypted:	false
SSDEEP:	3:tbloIlrJFlXnpQoWcNylRjlgbYnPdJiG6R7lZAUAl:tbdlrYoWcV0n1IGi7kBl
MD5:	A397E5983D4A1619E36143B4D804B870
SHA1:	AA135A8CC2469CFD1EF2D7955F027D95BE5DFBD4
SHA-256:	9C70F766D3B84FC2BB298EFA37CC9191F28BEC336329CC11468CFADBC3B137F4
SHA-512:	4159EA654152D2810C95648694DD71957C84EA825FCCA87B36F7E3282A72B30EF741805C610C5FA847CA186E34BDE9C289AAA7B6931C5B257F1D11255CD2A816
Malicious:	false
Preview:	C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.M.i.c.r.o.s.o.f.t.\.E.d.g.e.\.A.p.p.l.i.c.a.t.i.o.n.\.m.s.e.d.g.e...e.x.e.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Last Version

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	13
Entropy (8bit):	2.7192945256669794
Encrypted:	false
SSDEEP:	3:NYLFRQI:ap2I
MD5:	BF16C04B916ACE92DB941EBB1AF3CB18
SHA1:	FA8DAEAE881F91F61EE0EE21BE5156255429AA8A
SHA-256:	7FC23C9028A316EC0AC25B09B5B0D61A1D21E58DFCF84C2A5F5B529129729098
SHA-512:	F0B7DF5517596B38D57C57B5777E008D6229AB5B1841BBE74602C77EEA2252BF644B8650C7642BD466213F62E15CC7AB5A95B28E26D3907260ED1B96A74B65FB
Malicious:	false
Preview:	117.0.2045.47

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Local State (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1371
Entropy (8bit):	5.555819879981442
Encrypted:	false
SSDEEP:	24:YpQBqDPak7u5rrtaqNynVwIQsdWz71OLaoyikqaJdXBuBuwBdaeNhc5XIQQRCYfJ:YuBqDPafKcCWdYFggBzBdvc5dB0
MD5:	AC18C039A028ED5152FF2CD58C0B04EC
SHA1:	A88DA64588B561B2BE602C0EB8AF14E29290D167
SHA-256:	CEABAB1F356A39989ED5DD9256DDC8B19C68449FFAF8338416BD5F790B91CE86
SHA-512:	89473B93DA7D4999BEE5A39924D042AD091F4296379AD7100C7CDE45987467A5588764B296AC623446079EE54864B3BD5F263F3BD00422B7B47CDA86D55C532A
Malicious:	false
Preview:	{"edge":{"perf_center":{"efficiency_mode_v2_is_active":false,"perf_game_mode":true,"performance_mode":3,"performance_mode_is_on":false}},"legacy":{"profile":{"name":{"migrated":true}}},"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAAA6cm+TCQIhSpiBui4g20VXEAAAAB4AAABNAGkAYwByAG8AcwBvAGYAdAAgAEUAZABnAGUAAAAQZgAAAAEAACAAAADu2zXZwu2jgmsIQoLaAHCsJLncfVUw5RI2OCOwfL18kAAAAAAOgAAAAAIAACAAAACDLyXT7TDWTvdNs3Bfhn4NdW+CsDFNf0EXoeR+7UwLZjAAAAC54NSEPViqVKOsj02Hb0xSGK85wiBSRaJfTbE/322mIhwVXZDzxUTfFHu7UxHFJdlAAAAAL0eqyCQk35gxGI0EXO+Iag8qbD+3ixPVa4/ggsGL2S0Abf16LVqRfPf59Psdhs5R+lSdohLrSkxX54owo30vLQ=="},"profile":{"info_cache":{},"profile_counts_reported":"13369907512744258","profiles_order":[]},"smartscreen":{"enabled":true,"pua_protection_enabled":true},"telemetry_client":{"install_source_name":"windows","os_integration_level":5,"updater_version":"1.3.177.11","windows_update_applied":false},"uninstall_metrics":{"installation_date2":"1725433912"},"user_experienc

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Local State~RF3106c.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1371
Entropy (8bit):	5.555819879981442
Encrypted:	false
SSDEEP:	24:YpQBqDPak7u5rrtaqNynVwIQsdWz71OLaoyikqaJdXBuBuwBdaeNhc5XIQQRCYfJ:YuBqDPafKcCWdYFggBzBdvc5dB0
MD5:	AC18C039A028ED5152FF2CD58C0B04EC
SHA1:	A88DA64588B561B2BE602C0EB8AF14E29290D167
SHA-256:	CEABAB1F356A39989ED5DD9256DDC8B19C68449FFAF8338416BD5F790B91CE86
SHA-512:	89473B93DA7D4999BEE5A39924D042AD091F4296379AD7100C7CDE45987467A5588764B296AC623446079EE54864B3BD5F263F3BD00422B7B47CDA86D55C532A
Malicious:	false
Preview:	{"edge":{"perf_center":{"efficiency_mode_v2_is_active":false,"perf_game_mode":true,"performance_mode":3,"performance_mode_is_on":false}},"legacy":{"profile":{"name":{"migrated":true}}},"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAAA6cm+TCQIhSpiBui4g20VXEAAAAB4AAABNAGkAYwByAG8AcwBvAGYAdAAgAEUAZABnAGUAAAAQZgAAAAEAACAAAADu2zXZwu2jgmsIQoLaAHCsJLncfVUw5RI2OCOwfL18kAAAAAAOgAAAAAIAACAAAACDLyXT7TDWTvdNs3Bfhn4NdW+CsDFNf0EXoeR+7UwLZjAAAAC54NSEPViqVKOsj02Hb0xSGK85wiBSRaJfTbE/322mIhwVXZDzxUTfFHu7UxHFJdlAAAAAL0eqyCQk35gxGI0EXO+Iag8qbD+3ixPVa4/ggsGL2S0Abf16LVqRfPf59Psdhs5R+lSdohLrSkxX54owo30vLQ=="},"profile":{"info_cache":{},"profile_counts_reported":"13369907512744258","profiles_order":[]},"smartscreen":{"enabled":true,"pua_protection_enabled":true},"telemetry_client":{"install_source_name":"windows","os_integration_level":5,"updater_version":"1.3.177.11","windows_update_applied":false},"uninstall_metrics":{"installation_date2":"1725433912"},"user_experienc

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Local State~RF3131c.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1371
Entropy (8bit):	5.555819879981442
Encrypted:	false
SSDEEP:	24:YpQBqDPak7u5rrtaqNynVwIQsdWz71OLaoyikqaJdXBuBuwBdaeNhc5XIQQRCYfJ:YuBqDPafKcCWdYFggBzBdvc5dB0
MD5:	AC18C039A028ED5152FF2CD58C0B04EC
SHA1:	A88DA64588B561B2BE602C0EB8AF14E29290D167
SHA-256:	CEABAB1F356A39989ED5DD9256DDC8B19C68449FFAF8338416BD5F790B91CE86
SHA-512:	89473B93DA7D4999BEE5A39924D042AD091F4296379AD7100C7CDE45987467A5588764B296AC623446079EE54864B3BD5F263F3BD00422B7B47CDA86D55C532A
Malicious:	false
Preview:	{"edge":{"perf_center":{"efficiency_mode_v2_is_active":false,"perf_game_mode":true,"performance_mode":3,"performance_mode_is_on":false}},"legacy":{"profile":{"name":{"migrated":true}}},"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAAA6cm+TCQIhSpiBui4g20VXEAAAAB4AAABNAGkAYwByAG8AcwBvAGYAdAAgAEUAZABnAGUAAAAQZgAAAAEAACAAAADu2zXZwu2jgmsIQoLaAHCsJLncfVUw5RI2OCOwfL18kAAAAAAOgAAAAAIAACAAAACDLyXT7TDWTvdNs3Bfhn4NdW+CsDFNf0EXoeR+7UwLZjAAAAC54NSEPViqVKOsj02Hb0xSGK85wiBSRaJfTbE/322mIhwVXZDzxUTfFHu7UxHFJdlAAAAAL0eqyCQk35gxGI0EXO+Iag8qbD+3ixPVa4/ggsGL2S0Abf16LVqRfPf59Psdhs5R+lSdohLrSkxX54owo30vLQ=="},"profile":{"info_cache":{},"profile_counts_reported":"13369907512744258","profiles_order":[]},"smartscreen":{"enabled":true,"pua_protection_enabled":true},"telemetry_client":{"install_source_name":"windows","os_integration_level":5,"updater_version":"1.3.177.11","windows_update_applied":false},"uninstall_metrics":{"installation_date2":"1725433912"},"user_experienc

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Local State~RF339dd.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1371
Entropy (8bit):	5.555819879981442
Encrypted:	false
SSDEEP:	24:YpQBqDPak7u5rrtaqNynVwIQsdWz71OLaoyikqaJdXBuBuwBdaeNhc5XIQQRCYfJ:YuBqDPafKcCWdYFggBzBdvc5dB0
MD5:	AC18C039A028ED5152FF2CD58C0B04EC
SHA1:	A88DA64588B561B2BE602C0EB8AF14E29290D167
SHA-256:	CEABAB1F356A39989ED5DD9256DDC8B19C68449FFAF8338416BD5F790B91CE86
SHA-512:	89473B93DA7D4999BEE5A39924D042AD091F4296379AD7100C7CDE45987467A5588764B296AC623446079EE54864B3BD5F263F3BD00422B7B47CDA86D55C532A
Malicious:	false
Preview:	{"edge":{"perf_center":{"efficiency_mode_v2_is_active":false,"perf_game_mode":true,"performance_mode":3,"performance_mode_is_on":false}},"legacy":{"profile":{"name":{"migrated":true}}},"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAAA6cm+TCQIhSpiBui4g20VXEAAAAB4AAABNAGkAYwByAG8AcwBvAGYAdAAgAEUAZABnAGUAAAAQZgAAAAEAACAAAADu2zXZwu2jgmsIQoLaAHCsJLncfVUw5RI2OCOwfL18kAAAAAAOgAAAAAIAACAAAACDLyXT7TDWTvdNs3Bfhn4NdW+CsDFNf0EXoeR+7UwLZjAAAAC54NSEPViqVKOsj02Hb0xSGK85wiBSRaJfTbE/322mIhwVXZDzxUTfFHu7UxHFJdlAAAAAL0eqyCQk35gxGI0EXO+Iag8qbD+3ixPVa4/ggsGL2S0Abf16LVqRfPf59Psdhs5R+lSdohLrSkxX54owo30vLQ=="},"profile":{"info_cache":{},"profile_counts_reported":"13369907512744258","profiles_order":[]},"smartscreen":{"enabled":true,"pua_protection_enabled":true},"telemetry_client":{"install_source_name":"windows","os_integration_level":5,"updater_version":"1.3.177.11","windows_update_applied":false},"uninstall_metrics":{"installation_date2":"1725433912"},"user_experienc

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Local State~RF37e1a.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1371
Entropy (8bit):	5.555819879981442
Encrypted:	false
SSDEEP:	24:YpQBqDPak7u5rrtaqNynVwIQsdWz71OLaoyikqaJdXBuBuwBdaeNhc5XIQQRCYfJ:YuBqDPafKcCWdYFggBzBdvc5dB0
MD5:	AC18C039A028ED5152FF2CD58C0B04EC
SHA1:	A88DA64588B561B2BE602C0EB8AF14E29290D167
SHA-256:	CEABAB1F356A39989ED5DD9256DDC8B19C68449FFAF8338416BD5F790B91CE86
SHA-512:	89473B93DA7D4999BEE5A39924D042AD091F4296379AD7100C7CDE45987467A5588764B296AC623446079EE54864B3BD5F263F3BD00422B7B47CDA86D55C532A
Malicious:	false
Preview:	{"edge":{"perf_center":{"efficiency_mode_v2_is_active":false,"perf_game_mode":true,"performance_mode":3,"performance_mode_is_on":false}},"legacy":{"profile":{"name":{"migrated":true}}},"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAAA6cm+TCQIhSpiBui4g20VXEAAAAB4AAABNAGkAYwByAG8AcwBvAGYAdAAgAEUAZABnAGUAAAAQZgAAAAEAACAAAADu2zXZwu2jgmsIQoLaAHCsJLncfVUw5RI2OCOwfL18kAAAAAAOgAAAAAIAACAAAACDLyXT7TDWTvdNs3Bfhn4NdW+CsDFNf0EXoeR+7UwLZjAAAAC54NSEPViqVKOsj02Hb0xSGK85wiBSRaJfTbE/322mIhwVXZDzxUTfFHu7UxHFJdlAAAAAL0eqyCQk35gxGI0EXO+Iag8qbD+3ixPVa4/ggsGL2S0Abf16LVqRfPf59Psdhs5R+lSdohLrSkxX54owo30vLQ=="},"profile":{"info_cache":{},"profile_counts_reported":"13369907512744258","profiles_order":[]},"smartscreen":{"enabled":true,"pua_protection_enabled":true},"telemetry_client":{"install_source_name":"windows","os_integration_level":5,"updater_version":"1.3.177.11","windows_update_applied":false},"uninstall_metrics":{"installation_date2":"1725433912"},"user_experienc

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Local State~RF3fc14.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1371
Entropy (8bit):	5.555819879981442
Encrypted:	false
SSDEEP:	24:YpQBqDPak7u5rrtaqNynVwIQsdWz71OLaoyikqaJdXBuBuwBdaeNhc5XIQQRCYfJ:YuBqDPafKcCWdYFggBzBdvc5dB0
MD5:	AC18C039A028ED5152FF2CD58C0B04EC
SHA1:	A88DA64588B561B2BE602C0EB8AF14E29290D167
SHA-256:	CEABAB1F356A39989ED5DD9256DDC8B19C68449FFAF8338416BD5F790B91CE86
SHA-512:	89473B93DA7D4999BEE5A39924D042AD091F4296379AD7100C7CDE45987467A5588764B296AC623446079EE54864B3BD5F263F3BD00422B7B47CDA86D55C532A
Malicious:	false
Preview:	{"edge":{"perf_center":{"efficiency_mode_v2_is_active":false,"perf_game_mode":true,"performance_mode":3,"performance_mode_is_on":false}},"legacy":{"profile":{"name":{"migrated":true}}},"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAAA6cm+TCQIhSpiBui4g20VXEAAAAB4AAABNAGkAYwByAG8AcwBvAGYAdAAgAEUAZABnAGUAAAAQZgAAAAEAACAAAADu2zXZwu2jgmsIQoLaAHCsJLncfVUw5RI2OCOwfL18kAAAAAAOgAAAAAIAACAAAACDLyXT7TDWTvdNs3Bfhn4NdW+CsDFNf0EXoeR+7UwLZjAAAAC54NSEPViqVKOsj02Hb0xSGK85wiBSRaJfTbE/322mIhwVXZDzxUTfFHu7UxHFJdlAAAAAL0eqyCQk35gxGI0EXO+Iag8qbD+3ixPVa4/ggsGL2S0Abf16LVqRfPf59Psdhs5R+lSdohLrSkxX54owo30vLQ=="},"profile":{"info_cache":{},"profile_counts_reported":"13369907512744258","profiles_order":[]},"smartscreen":{"enabled":true,"pua_protection_enabled":true},"telemetry_client":{"install_source_name":"windows","os_integration_level":5,"updater_version":"1.3.177.11","windows_update_applied":false},"uninstall_metrics":{"installation_date2":"1725433912"},"user_experienc

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Local State~RF42334.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1371
Entropy (8bit):	5.555819879981442
Encrypted:	false
SSDEEP:	24:YpQBqDPak7u5rrtaqNynVwIQsdWz71OLaoyikqaJdXBuBuwBdaeNhc5XIQQRCYfJ:YuBqDPafKcCWdYFggBzBdvc5dB0
MD5:	AC18C039A028ED5152FF2CD58C0B04EC
SHA1:	A88DA64588B561B2BE602C0EB8AF14E29290D167
SHA-256:	CEABAB1F356A39989ED5DD9256DDC8B19C68449FFAF8338416BD5F790B91CE86
SHA-512:	89473B93DA7D4999BEE5A39924D042AD091F4296379AD7100C7CDE45987467A5588764B296AC623446079EE54864B3BD5F263F3BD00422B7B47CDA86D55C532A
Malicious:	false
Preview:	{"edge":{"perf_center":{"efficiency_mode_v2_is_active":false,"perf_game_mode":true,"performance_mode":3,"performance_mode_is_on":false}},"legacy":{"profile":{"name":{"migrated":true}}},"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAAA6cm+TCQIhSpiBui4g20VXEAAAAB4AAABNAGkAYwByAG8AcwBvAGYAdAAgAEUAZABnAGUAAAAQZgAAAAEAACAAAADu2zXZwu2jgmsIQoLaAHCsJLncfVUw5RI2OCOwfL18kAAAAAAOgAAAAAIAACAAAACDLyXT7TDWTvdNs3Bfhn4NdW+CsDFNf0EXoeR+7UwLZjAAAAC54NSEPViqVKOsj02Hb0xSGK85wiBSRaJfTbE/322mIhwVXZDzxUTfFHu7UxHFJdlAAAAAL0eqyCQk35gxGI0EXO+Iag8qbD+3ixPVa4/ggsGL2S0Abf16LVqRfPf59Psdhs5R+lSdohLrSkxX54owo30vLQ=="},"profile":{"info_cache":{},"profile_counts_reported":"13369907512744258","profiles_order":[]},"smartscreen":{"enabled":true,"pua_protection_enabled":true},"telemetry_client":{"install_source_name":"windows","os_integration_level":5,"updater_version":"1.3.177.11","windows_update_applied":false},"uninstall_metrics":{"installation_date2":"1725433912"},"user_experienc

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Local State~RF48346.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1371
Entropy (8bit):	5.555819879981442
Encrypted:	false
SSDEEP:	24:YpQBqDPak7u5rrtaqNynVwIQsdWz71OLaoyikqaJdXBuBuwBdaeNhc5XIQQRCYfJ:YuBqDPafKcCWdYFggBzBdvc5dB0
MD5:	AC18C039A028ED5152FF2CD58C0B04EC
SHA1:	A88DA64588B561B2BE602C0EB8AF14E29290D167
SHA-256:	CEABAB1F356A39989ED5DD9256DDC8B19C68449FFAF8338416BD5F790B91CE86
SHA-512:	89473B93DA7D4999BEE5A39924D042AD091F4296379AD7100C7CDE45987467A5588764B296AC623446079EE54864B3BD5F263F3BD00422B7B47CDA86D55C532A
Malicious:	false
Preview:	{"edge":{"perf_center":{"efficiency_mode_v2_is_active":false,"perf_game_mode":true,"performance_mode":3,"performance_mode_is_on":false}},"legacy":{"profile":{"name":{"migrated":true}}},"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAAA6cm+TCQIhSpiBui4g20VXEAAAAB4AAABNAGkAYwByAG8AcwBvAGYAdAAgAEUAZABnAGUAAAAQZgAAAAEAACAAAADu2zXZwu2jgmsIQoLaAHCsJLncfVUw5RI2OCOwfL18kAAAAAAOgAAAAAIAACAAAACDLyXT7TDWTvdNs3Bfhn4NdW+CsDFNf0EXoeR+7UwLZjAAAAC54NSEPViqVKOsj02Hb0xSGK85wiBSRaJfTbE/322mIhwVXZDzxUTfFHu7UxHFJdlAAAAAL0eqyCQk35gxGI0EXO+Iag8qbD+3ixPVa4/ggsGL2S0Abf16LVqRfPf59Psdhs5R+lSdohLrSkxX54owo30vLQ=="},"profile":{"info_cache":{},"profile_counts_reported":"13369907512744258","profiles_order":[]},"smartscreen":{"enabled":true,"pua_protection_enabled":true},"telemetry_client":{"install_source_name":"windows","os_integration_level":5,"updater_version":"1.3.177.11","windows_update_applied":false},"uninstall_metrics":{"installation_date2":"1725433912"},"user_experienc

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Nurturing\campaign_history

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 2, database pages 5, cookie 0x2, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.46731661083066856
Encrypted:	false
SSDEEP:	12:TL1QAFUxOUDaabZXiDiIF8izX4fhhdWeci2oesJaYi3is25q0S9K0xHZ75fOV:TLiOUOq0afDdWec9sJf5Q7J5fc
MD5:	E93ACF0820CA08E5A5D2D159729F70E3
SHA1:	2C1A4D4924B9AEC1A796F108607404B000877C5D
SHA-256:	F2267FDA7F45499F7A01186B75CEFB799F8D2BC97E2E9B5068952D477294302C
SHA-512:	3BF36C20E04DCF1C16DC794E272F82F68B0DE43F16B4A9746B63B6D6BBC953B00BD7111CDA7AFE85CEBB2C447145483A382B15E2B0A5B36026C3441635D4E50C
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\ShaderCache\data_0

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 512, next free block index 3284796609, field type 0
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.01057775872642915
Encrypted:	false
SSDEEP:	3:MsFl:/F
MD5:	CF89D16BB9107C631DAABF0C0EE58EFB
SHA1:	3AE5D3A7CF1F94A56E42F9A58D90A0B9616AE74B
SHA-256:	D6A5FE39CD672781B256E0E3102F7022635F1D4BB7CFCC90A80FFFE4D0F3877E
SHA-512:	8CB5B059C8105EB91E74A7D5952437AAA1ADA89763C5843E7B0F1B93D9EBE15ED40F287C652229291FAC02D712CF7FF5ECECEF276BA0D7DDC35558A3EC3F77B0
Malicious:	false
Preview:	............$...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\ShaderCache\data_1

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	270336
Entropy (8bit):	8.280239615765425E-4
Encrypted:	false
SSDEEP:	3:MsEllllkEthXllkl2:/M/xT02
MD5:	D0D388F3865D0523E451D6BA0BE34CC4
SHA1:	8571C6A52AACC2747C048E3419E5657B74612995
SHA-256:	902F30C1FB0597D0734BC34B979EC5D131F8F39A4B71B338083821216EC8D61B
SHA-512:	376011D00DE659EB6082A74E862CFAC97A9BB508E0B740761505142E2D24EC1C30AA61EFBC1C0DD08FF0F34734444DE7F77DD90A6CA42B48A4C7FAD5F0BDDD17
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\ShaderCache\data_2

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.011852361981932763
Encrypted:	false
SSDEEP:	3:MsHlDll:/H
MD5:	0962291D6D367570BEE5454721C17E11
SHA1:	59D10A893EF321A706A9255176761366115BEDCB
SHA-256:	EC1702806F4CC7C42A82FC2B38E89835FDE7C64BB32060E0823C9077CA92EFB7
SHA-512:	F555E961B69E09628EAF9C61F465871E6984CD4D31014F954BB747351DAD9CEA6D17C1DB4BCA2C1EB7F187CB5F3C0518748C339C8B43BBD1DBD94AEAA16F58ED
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\ShaderCache\data_3

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.012340643231932763
Encrypted:	false
SSDEEP:	3:MsGl3ll:/y
MD5:	41876349CB12D6DB992F1309F22DF3F0
SHA1:	5CF26B3420FC0302CD0A71E8D029739B8765BE27
SHA-256:	E09F42C398D688DCE168570291F1F92D079987DEDA3099A34ADB9E8C0522B30C
SHA-512:	E9A4FC1F7CB6AE2901F8E02354A92C4AAA7A53C640DCF692DB42A27A5ACC2A3BFB25A0DE0EB08AB53983132016E7D43132EA4292E439BB636AAFD53FB6EF907E
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\ShaderCache\index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 768, next free block index 3284796353, field type 0
Category:	dropped
Size (bytes):	262512
Entropy (8bit):	9.553120663130604E-4
Encrypted:	false
SSDEEP:	3:LsNlPE:Ls3
MD5:	9664EC432611D347CDB532C8416BF648
SHA1:	D203251420199735C0580AF165F8AAE0E2A49630
SHA-256:	DBE18D8580F6387C62E354D0D6FD221BB23FA77BD3D2EF0AC98AB540127A78F6
SHA-512:	2E4EB07AE1D75EB6D17A6211E4DD053D3D2A45F66A0A4DD3E3F1B8341F003E1423D332843391D3421C066A3D72DD45291DE3A7E9A99199F1F5CAF244C8B34F43
Malicious:	false
Preview:	........................................H..+../.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\SmartScreen\RemoteData\customSettings

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	47
Entropy (8bit):	4.3818353308528755
Encrypted:	false
SSDEEP:	3:2jRo6jhM6ceYcUtS2djIn:5I2uxUt5Mn
MD5:	48324111147DECC23AC222A361873FC5
SHA1:	0DF8B2267ABBDBD11C422D23338262E3131A4223
SHA-256:	D8D672F953E823063955BD9981532FC3453800C2E74C0CC3653D091088ABD3B3
SHA-512:	E3B5DB7BA5E4E3DE3741F53D91B6B61D6EB9ECC8F4C07B6AE1C2293517F331B716114BAB41D7935888A266F7EBDA6FABA90023EFFEC850A929986053853F1E02
Malicious:	false
Preview:	customSettings_F95BA787499AB4FA9EFFF472CE383A14

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\SmartScreen\RemoteData\customSettings_F95BA787499AB4FA9EFFF472CE383A14

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	35
Entropy (8bit):	4.014438730983427
Encrypted:	false
SSDEEP:	3:YDMGA2ADH/AYKEqsYq:YQXT/bKE1F
MD5:	BB57A76019EADEDC27F04EB2FB1F1841
SHA1:	8B41A1B995D45B7A74A365B6B1F1F21F72F86760
SHA-256:	2BAE8302F9BD2D87AE26ACF692663DF1639B8E2068157451DA4773BD8BD30A2B
SHA-512:	A455D7F8E0BE9A27CFB7BE8FE0B0E722B35B4C8F206CAD99064473F15700023D5995CC2C4FAFDB8FBB50F0BAB3EC8B241E9A512C0766AAAE1A86C3472C589FFD
Malicious:	false
Preview:	{"forceServiceDetermination":false}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\SmartScreen\RemoteData\customSynchronousLookupUris

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	29
Entropy (8bit):	3.922828737239167
Encrypted:	false
SSDEEP:	3:2NGw+K+:fwZ+
MD5:	7BAAFE811F480ACFCCCEE0D744355C79
SHA1:	24B89AE82313084BB8BBEB9AD98A550F41DF7B27
SHA-256:	D5743766AF0312C7B7728219FC24A03A4FB1C2A54A506F337953FBC2C1B847C7
SHA-512:	70FE1C197AF507CC0D65E99807D245C896A40A4271BA1121F9B621980877B43019E584C48780951FC1AD2A5D7D146FC6EA4678139A5B38F9B6F7A5F1E2E86BA3
Malicious:	false
Preview:	customSynchronousLookupUris_0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\SmartScreen\RemoteData\customSynchronousLookupUris_0

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	35302
Entropy (8bit):	7.99333285466604
Encrypted:	true
SSDEEP:	768:rRhaFePY38QBsj61g3g01LXoDGPpgb8KbMcnjrQCckBuJyqk3x8cBBT:rLP+TBK6ZQLXSsaMcnHQQcox80
MD5:	0E06E28C3536360DE3486B1A9E5195E8
SHA1:	EB768267F34EC16A6CCD1966DCA4C3C2870268AB
SHA-256:	F2658B1C913A96E75B45E6ADB464C8D796B34AC43BAF1635AA32E16D1752971C
SHA-512:	45F1E909599E2F63372867BC359CF72FD846619DFEB5359E52D5700E0B1BCFFE5FF07606511A3BFFDDD933A0507195439457E4E29A49EB6451F26186B7240041
Malicious:	false
Preview:	.......murmur3.....IN...9.......0..X..#l....C....]......pv..E..........,..?.N?....V..B-..F.1....g\|..._.>'.-(V... .=.7P.m....#}.r.....>.LE...G.A.h5........J..=..L^-.Zl++,..h..o.y..~j.]u...W...&s.........M..........h3b..[.5.]..V^w.........a....6g3..%.gy../{\|Z.B..X.}5.]..t.1.H&B.[.).$Y......2....L.t...{...[WE.yy.]..e.v0..\.J3..T.`1Lnh.../..-=w...W.&N7.nz.P...z......'i..R6....../....t.[..&-.....T&l..e....$.8.."....Iq....J.v..\|.6.M...zE...a9uw..'.$6.L..m$......NB).JL.G.7}8(`....J.)b.E.m...c.0I.V...\|$....;.k.......8v..l.:..@.F.........K..2...%(...kA......LJd~._A.N.....$3...5....Z"...X=.....%.........6.k.....F..1..l,ia..i.i....y.M..Cl........}.I..r..-+=b.6....%...#...W..K.....=.F....~.....[.......-...../;....~.09..d.....GR..H.lR...m.Huh9.:..A H./)..D.F..Y.n7.....7D.O.a;>Z.K....w...sq..qo3N...8@.zpD.Ku......+.Z=.zNFgP._@.z.ic.......3.....+..j...an%...X..7.q..A.l.7.S2..+....1.s.b..z...@v..!.y...N.C.XQ.p.\..x8(.<.....cq.(

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\SmartScreen\RemoteData\edgeSettings

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	18
Entropy (8bit):	3.5724312513221195
Encrypted:	false
SSDEEP:	3:kDnaV6bVon:kDYa2
MD5:	5692162977B015E31D5F35F50EFAB9CF
SHA1:	705DC80E8B32AC8B68F7E13CF8A75DCCB251ED7D
SHA-256:	42CCB5159B168DBE5D5DDF026E5F7ED3DBF50873CFE47C7C3EF0677BB07B90D4
SHA-512:	32905A4CC5BCE0FE8502DDD32096F40106625218BEDC4E218A344225D6DF2595A7B70EEB3695DCEFDD894ECB2B66BED479654E8E07F02526648E07ACFE47838C
Malicious:	false
Preview:	edgeSettings_2.0-0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\SmartScreen\RemoteData\edgeSettings_2.0-0

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3581
Entropy (8bit):	4.459693941095613
Encrypted:	false
SSDEEP:	96:JTMhnytNaSA4BOsNQNhnUZTFGKDIWHCgL5tfHaaJzRHF+P1sYmnfHUdT+GWBH7Y/:KyMot7vjFU
MD5:	BDE38FAE28EC415384B8CFE052306D6C
SHA1:	3019740AF622B58D573C00BF5C98DD77F3FBB5CD
SHA-256:	1F4542614473AE103A5EE3DEEEC61D033A40271CFF891AAA6797534E4DBB4D20
SHA-512:	9C369D69298EBF087412EDA782EE72AFE5448FD0D69EA5141C2744EA5F6C36CDF70A51845CDC174838BAC0ADABDFA70DF6AEDBF6E7867578AE7C4B7805A8B55E
Malicious:	false
Preview:	{"models":[],"geoidMaps":{"gw_my":"https://malaysia.smartscreen.microsoft.com/","gw_tw":"https://taiwan.smartscreen.microsoft.com/","gw_at":"https://austria.smartscreen.microsoft.com/","gw_es":"https://spain.smartscreen.microsoft.com/","gw_pl":"https://poland.smartscreen.microsoft.com/","gw_se":"https://sweden.smartscreen.microsoft.com/","gw_kr":"https://southkorea.smartscreen.microsoft.com/","gw_br":"https://brazil.smartscreen.microsoft.com/","au":"https://australia.smartscreen.microsoft.com/","dk":"https://denmark.smartscreen.microsoft.com/","gw_sg":"https://singapore.smartscreen.microsoft.com/","gw_fr":"https://france.smartscreen.microsoft.com/","gw_ca":"https://canada.smartscreen.microsoft.com/","test":"https://eu-9.smartscreen.microsoft.com/","gw_il":"https://israel.smartscreen.microsoft.com/","gw_au":"https://australia.smartscreen.microsoft.com/","gw_ffl4mod":"https://unitedstates4.ss.wd.microsoft.us/","gw_ffl4":"https://unitedstates1.ss.wd.microsoft.us/","gw_eu":"https://europe.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\SmartScreen\RemoteData\synchronousLookupUris

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	47
Entropy (8bit):	4.493433469104717
Encrypted:	false
SSDEEP:	3:kfKbQSQSuLA5:kyUc5
MD5:	3F90757B200B52DCF5FDAC696EFD3D60
SHA1:	569A2E1BED9ECCDF7CD03E270AEF2BD7FF9B0E77
SHA-256:	1EE63F0A3502CFB7DF195FABBA41A7805008AB2CCCDAEB9AF990409D163D60C8
SHA-512:	39252BBAA33130DF50F36178A8EAB1D09165666D8A229FBB3495DD01CBE964F87CD2E6FCD479DFCA36BE06309EF18FEDA7F14722C57545203BBA24972D4835C8
Malicious:	false
Preview:	synchronousLookupUris_636976985063396749.rel.v2

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\SmartScreen\RemoteData\synchronousLookupUris_636976985063396749.rel.v2

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	35302
Entropy (8bit):	7.99333285466604
Encrypted:	true
SSDEEP:	768:rRhaFePY38QBsj61g3g01LXoDGPpgb8KbMcnjrQCckBuJyqk3x8cBBT:rLP+TBK6ZQLXSsaMcnHQQcox80
MD5:	0E06E28C3536360DE3486B1A9E5195E8
SHA1:	EB768267F34EC16A6CCD1966DCA4C3C2870268AB
SHA-256:	F2658B1C913A96E75B45E6ADB464C8D796B34AC43BAF1635AA32E16D1752971C
SHA-512:	45F1E909599E2F63372867BC359CF72FD846619DFEB5359E52D5700E0B1BCFFE5FF07606511A3BFFDDD933A0507195439457E4E29A49EB6451F26186B7240041
Malicious:	false
Preview:	.......murmur3.....IN...9.......0..X..#l....C....]......pv..E..........,..?.N?....V..B-..F.1....g\|..._.>'.-(V... .=.7P.m....#}.r.....>.LE...G.A.h5........J..=..L^-.Zl++,..h..o.y..~j.]u...W...&s.........M..........h3b..[.5.]..V^w.........a....6g3..%.gy../{\|Z.B..X.}5.]..t.1.H&B.[.).$Y......2....L.t...{...[WE.yy.]..e.v0..\.J3..T.`1Lnh.../..-=w...W.&N7.nz.P...z......'i..R6....../....t.[..&-.....T&l..e....$.8.."....Iq....J.v..\|.6.M...zE...a9uw..'.$6.L..m$......NB).JL.G.7}8(`....J.)b.E.m...c.0I.V...\|$....;.k.......8v..l.:..@.F.........K..2...%(...kA......LJd~._A.N.....$3...5....Z"...X=.....%.........6.k.....F..1..l,ia..i.i....y.M..Cl........}.I..r..-+=b.6....%...#...W..K.....=.F....~.....[.......-...../;....~.09..d.....GR..H.lR...m.Huh9.:..A H./)..D.F..Y.n7.....7D.O.a;>Z.K....w...sq..qo3N...8@.zpD.Ku......+.Z=.zNFgP._@.z.ic.......3.....+..j...an%...X..7.q..A.l.7.S2..+....1.s.b..z...@v..!.y...N.C.XQ.p.\..x8(.<.....cq.(

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\SmartScreen\RemoteData\topTraffic

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	50
Entropy (8bit):	3.9904355005135823
Encrypted:	false
SSDEEP:	3:0xXF/XctY5GUf+:0RFeUf+
MD5:	E144AFBFB9EE10479AE2A9437D3FC9CA
SHA1:	5AAAC173107C688C06944D746394C21535B0514B
SHA-256:	EB28E8ED7C014F211BD81308853F407DF86AEBB5F80F8E4640C608CD772544C2
SHA-512:	837D15B3477C95D2D71391D677463A497D8D9FFBD7EB42E412DA262C9B5C82F22CE4338A0BEAA22C81A06ECA2DF7A9A98B7D61ECACE5F087912FD9BA7914AF3F
Malicious:	false
Preview:	topTraffic_170540185939602997400506234197983529371

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\SmartScreen\RemoteData\topTraffic_170540185939602997400506234197983529371

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	575056
Entropy (8bit):	7.999649474060713
Encrypted:	true
SSDEEP:	12288:fXdhUG0PlM/EXEBQlbk19RrH76Im4u8C1jJodha:Ji80e9Rb7Tm4u8CnR
MD5:	BE5D1A12C1644421F877787F8E76642D
SHA1:	06C46A95B4BD5E145E015FA7E358A2D1AC52C809
SHA-256:	C1CE928FBEF4EF5A4207ABAFD9AB6382CC29D11DDECC215314B0522749EF6A5A
SHA-512:	FD5B100E2F192164B77F4140ADF6DE0322F34D7B6F0CF14AED91BACAB18BB8F195F161F7CF8FB10651122A598CE474AC4DC39EDF47B6A85C90C854C2A3170960
Malicious:	false
Preview:	...._+jE.`..}....S..1....G}s..E....y".Wh.^.W.H...-...#.A...KR...9b........>k......bU.IVo...D......Y..[l.yx.......'c=..I0.....E.d...-...1 ....m../C...OQ.........qW..<:N.....38.u..X-..s....<..U.,Mi..._.......`.Y/.........^..,.E..........j@..G8..N.... ..Ea...4.+.79k.!T.-5W..!..@+..!.P..LDG.....V."....L.... .(#..$..&......C.....%A.T}....K_.S..'Q.".d....s....(j.D!......Ov..)d0)."(..%..-..G..L.}....i.....m9;.....t.w..0....f?..-..M.c.3.....N7K.T..D>.3.x...z..u$5!..4..T.....U.O^L{.5..=E..'..;.}(\|.6.:..f!.>...?M.8......P.D.J.I4.<....y.E....>....i%.6..Y.@..n.....M..r..C.f.;..<..0.H...F....h.......HB1]1....u..:...H..k....B.Q..J...@}j~.#...'Y.J~....I...ub.&..L[z..1.W/.Ck....M.......[.......N.F..z.{nZ~d.V.4.u.K.V.......X.<p..cz..>....X...W..da3(..g..Z$.L4.j=~.p.l.\.[e.&&.Y ...U)..._.^r0.,.{_......`S..[....(.\..p.bt.g..%.$+....f.....d....Im..f...W ......G..i_8a..ae..7....pS.....z-H..A.s.4.3..O.r.....u.S......a.}..v.-/..... ...a.x#./:...sS&U.().xL...pg

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Variations

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	86
Entropy (8bit):	4.3751917412896075
Encrypted:	false
SSDEEP:	3:YQ3JYq9xSs0dMEJAELJ2rjozQan:YQ3Kq9X0dMgAEwjM
MD5:	961E3604F228B0D10541EBF921500C86
SHA1:	6E00570D9F78D9CFEBE67D4DA5EFE546543949A7
SHA-256:	F7B24F2EB3D5EB0550527490395D2F61C3D2FE74BB9CB345197DAD81B58B5FED
SHA-512:	535F930AFD2EF50282715C7E48859CC2D7B354FF4E6C156B94D5A2815F589B33189FFEDFCAF4456525283E993087F9F560D84CFCF497D189AB8101510A09C472
Malicious:	false
Preview:	{"user_experience_metrics.stability.exited_cleanly":false,"variations_crash_streak":0}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\a2161567-2fa3-4e4e-9a09-a8b1448f4760.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	70466
Entropy (8bit):	6.072982542500913
Encrypted:	false
SSDEEP:	1536:LMGQ5XMBG7AdCiWMRidC0Y1RhhC2sG0CNRWyNpeeGRTmek6FQIS2tqidLY:LMrJM87AdYMRiiDhRf7NpeeG5Fk6FQLb
MD5:	ECA03C282D15338988F6411E46E02846
SHA1:	A70C2C03877744C7B470C88AB1AD0B8146B6B44B
SHA-256:	4D621DDFFAE3E56F2F2CF6833AF392A594CC7920588D28F6E89833474F063609
SHA-512:	4794AC9854C33127DB56FA660AFD60B5D96722277868AAC1F5A860CA508A04A17ADC49D97B798BF0EC3DC027F1F5E64EB6C03498AEDA3BA2BD34EF3C4CAC99ED
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"5E25271B8190D943537AD3FDB50874FC133E8B4A00380E2A6A888D63386F728B\"","domain_actions_config":"H4sIAAAAAAAAAL1dWZPktpH+KxP9ZDtU6GMujfykHY9txVpHyHIoYh2ODhBEkWiCAAdHVbEc/u+bCVb1dE8RqEqOdh806mbzw8VEXshM/PuKb27vha2luF9LHqKT96KVoru3G+mcquXVN/++4sOgleBBWeOvvvnn4YGs7wcLz8erb65+HMKPMVx9dVXbnisDT4wMa612TNj+6j9fUSA+xFpZPyH/9dVVQig59Wx4L5+Cwzjg799ubt/jJP48zeE9TuHwDjYBc/Ew+Ktvbv/z1ZWoe+rsjB4/7Abr5U+ajz9LXo9Px+21Mk1hoo/oX6HHjTLyKTjYyMJmCbLnO/hZMpjFAjSvxOIhbxgi5FK85m+ZCkuQu7UyKoxLO97yIFoYvbAluiw2oRoYgIQ2nG2AqJY2U+koRXQbbMm3fMsEX9JMK3GLbeAvNjhrlo5GOJiTA/oXLTdG6qXtmMBDiyS59PvY7eCklyb4QcfFi7tpdwu3VBt1XNorvM4+RiU6+CjD0kb+pHz7rRm3rXSyzABnWdKBG+Ijlx7hEE4QTzo+AB6fnDLLJBpo7PKv8Ob367/KjUg8mcY6CmCjTJCmtsWFOcUf5vj04cw0e1yZe2WAl8svFn5IC43jfc+dLnGrEyDwAicHCxNdhlrVa5LEtTgt5u2lAK02pd198r5dr5VYgHj55jUJZGTtlg0NlA7S5AnvB8l7z3olnPV2vfCLsugvBUH7vTVIe9Y151SnmS2Auyvcr5UGYXBvzT2s0L3fKpCZl+2D91MLf04NPNNUni9BZmDP4Sfjk2Ig7ktgg8r8InfhHz//zSP7e8bquWlsDJ411jYlhlRsBQRm+LIWvOaiW4hdcyEra5fCtzINfylY7VRB4y

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\a3e60a1c-f525-4698-988b-3ba69fb2c3e4.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2958
Entropy (8bit):	5.599445065489205
Encrypted:	false
SSDEEP:	48:YuBqDPEFMsFiHC0afKcCWdwFgkHB+OdrxuvBdgaRVOaJkXWcT+wlRijWzB0:Xq8NkC1fKKmFjBbEvvbVnJkmcTz8kq
MD5:	C777323F8CF1058D19B232BA4DA28754
SHA1:	1C06C8B8FA373BA9AE225DCFE1D0FDE40F67D1C5
SHA-256:	B9CB961072605C88761449C00C6C63266618DC06D009866A31378C0A1BE31B09
SHA-512:	79FD13233774AF0CC2651476E344E3E62633C5D86E2530587DCB0322D89C45EE0CC5DECF3AC6D161409B0B64469DAAA3ECE6E805C283632DC158BA6A98D4753B
Malicious:	false
Preview:	{"edge":{"perf_center":{"efficiency_mode_v2_is_active":false,"perf_game_mode":true,"performance_mode":3,"performance_mode_is_on":false},"tab_stabs":{"closed_without_unfreeze_never_unfrozen":0,"closed_without_unfreeze_previously_unfrozen":0,"discard_without_unfreeze_never_unfrozen":0,"discard_without_unfreeze_previously_unfrozen":0},"tab_stats":{"frozen_daily":0,"unfrozen_daily":0}},"hardware_acceleration_mode_previous":true,"legacy":{"profile":{"name":{"migrated":true}}},"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAAA6cm+TCQIhSpiBui4g20VXEAAAAB4AAABNAGkAYwByAG8AcwBvAGYAdAAgAEUAZABnAGUAAAAQZgAAAAEAACAAAADu2zXZwu2jgmsIQoLaAHCsJLncfVUw5RI2OCOwfL18kAAAAAAOgAAAAAIAACAAAACDLyXT7TDWTvdNs3Bfhn4NdW+CsDFNf0EXoeR+7UwLZjAAAAC54NSEPViqVKOsj02Hb0xSGK85wiBSRaJfTbE/322mIhwVXZDzxUTfFHu7UxHFJdlAAAAAL0eqyCQk35gxGI0EXO+Iag8qbD+3ixPVa4/ggsGL2S0Abf16LVqRfPf59Psdhs5R+lSdohLrSkxX54owo30vLQ=="},"policy":{"last_statistics_update":"13369907512778462"},"profile":{"info_ca

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\da0d91ea-3bce-4681-89ad-1cf50a65d9cd.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	20781
Entropy (8bit):	6.066521931297836
Encrypted:	false
SSDEEP:	384:RtMGQ7LBjuYXGIgtDAW5u0TDJ2q03X8NBSRPodmCQBf6UzI8Z6Ix0FLC:LMGQ7FCYXGIgtDAWtJ4n9odmCq65dLFm
MD5:	68B592C0AED6C6E090E4C3CB6879C6EC
SHA1:	5B9CAFCC99EAC05655AFCA0354EAD36F168AF946
SHA-256:	567813D77E5F84A4610EB4559DB0E6CDE4CC40A208DD90DAB6D922CD6AC7E5F6
SHA-512:	ECA38B07251524E3E5F383C6A37A474CC207E12F6F41882D64BD047946F784F4B400B21E1E0081D2379E22F5772ACE6454F06A184F45B7DF84810970CF2C330E
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"5E25271B8190D943537AD3FDB50874FC133E8B4A00380E2A6A888D63386F728B\"","domain_actions_config":"H4sIAAAAAAAAAL1dWZPktpH+KxP9ZDtU6GMujfykHY9txVpHyHIoYh2ODhBEkWiCAAdHVbEc/u+bCVb1dE8RqEqOdh806mbzw8VEXshM/PuKb27vha2luF9LHqKT96KVoru3G+mcquXVN/++4sOgleBBWeOvvvnn4YGs7wcLz8erb65+HMKPMVx9dVXbnisDT4wMa612TNj+6j9fUSA+xFpZPyH/9dVVQig59Wx4L5+Cwzjg799ubt/jJP48zeE9TuHwDjYBc/Ew+Ktvbv/z1ZWoe+rsjB4/7Abr5U+ajz9LXo9Px+21Mk1hoo/oX6HHjTLyKTjYyMJmCbLnO/hZMpjFAjSvxOIhbxgi5FK85m+ZCkuQu7UyKoxLO97yIFoYvbAluiw2oRoYgIQ2nG2AqJY2U+koRXQbbMm3fMsEX9JMK3GLbeAvNjhrlo5GOJiTA/oXLTdG6qXtmMBDiyS59PvY7eCklyb4QcfFi7tpdwu3VBt1XNorvM4+RiU6+CjD0kb+pHz7rRm3rXSyzABnWdKBG+Ijlx7hEE4QTzo+AB6fnDLLJBpo7PKv8Ob367/KjUg8mcY6CmCjTJCmtsWFOcUf5vj04cw0e1yZe2WAl8svFn5IC43jfc+dLnGrEyDwAicHCxNdhlrVa5LEtTgt5u2lAK02pd198r5dr5VYgHj55jUJZGTtlg0NlA7S5AnvB8l7z3olnPV2vfCLsugvBUH7vTVIe9Y151SnmS2Auyvcr5UGYXBvzT2s0L3fKpCZl+2D91MLf04NPNNUni9BZmDP4Sfjk2Ig7ktgg8r8InfhHz//zSP7e8bquWlsDJ411jYlhlRsBQRm+LIWvOaiW4hdcyEra5fCtzINfylY7VRB4y

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\f7ce3b13-72e8-4169-93c0-6314c4254be2.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24105
Entropy (8bit):	6.057729912997717
Encrypted:	false
SSDEEP:	384:RtMGQ7LBjuYXGIgtDAW5u0TDJ2q03X8NGRPvlkqdFVEQIS2rQBf6UzI8Z6Ix0FLC:LMGQ7FCYXGIgtDAWtJ4nvvliQIS2rq68
MD5:	BC9923F890CCD12963AE97DB0CFA2B0A
SHA1:	8F3BBF34058361FB2278E25405A53AC02160E30C
SHA-256:	7C9FD74336AE3E10D4B85628F8B48AE0A5EDE3B40AA476F846B531F9E72D671C
SHA-512:	5FABC4E9A1F362BA78D85E2F92D612D8B22A9FD0383D041E0B8FCFFDC77B43B9E67D3078EE7566C65EF49E61EB8EFA1E5B40CC438A5D1BD822F2F08FBF56437F
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"5E25271B8190D943537AD3FDB50874FC133E8B4A00380E2A6A888D63386F728B\"","domain_actions_config":"H4sIAAAAAAAAAL1dWZPktpH+KxP9ZDtU6GMujfykHY9txVpHyHIoYh2ODhBEkWiCAAdHVbEc/u+bCVb1dE8RqEqOdh806mbzw8VEXshM/PuKb27vha2luF9LHqKT96KVoru3G+mcquXVN/++4sOgleBBWeOvvvnn4YGs7wcLz8erb65+HMKPMVx9dVXbnisDT4wMa612TNj+6j9fUSA+xFpZPyH/9dVVQig59Wx4L5+Cwzjg799ubt/jJP48zeE9TuHwDjYBc/Ew+Ktvbv/z1ZWoe+rsjB4/7Abr5U+ajz9LXo9Px+21Mk1hoo/oX6HHjTLyKTjYyMJmCbLnO/hZMpjFAjSvxOIhbxgi5FK85m+ZCkuQu7UyKoxLO97yIFoYvbAluiw2oRoYgIQ2nG2AqJY2U+koRXQbbMm3fMsEX9JMK3GLbeAvNjhrlo5GOJiTA/oXLTdG6qXtmMBDiyS59PvY7eCklyb4QcfFi7tpdwu3VBt1XNorvM4+RiU6+CjD0kb+pHz7rRm3rXSyzABnWdKBG+Ijlx7hEE4QTzo+AB6fnDLLJBpo7PKv8Ob367/KjUg8mcY6CmCjTJCmtsWFOcUf5vj04cw0e1yZe2WAl8svFn5IC43jfc+dLnGrEyDwAicHCxNdhlrVa5LEtTgt5u2lAK02pd198r5dr5VYgHj55jUJZGTtlg0NlA7S5AnvB8l7z3olnPV2vfCLsugvBUH7vTVIe9Y151SnmS2Auyvcr5UGYXBvzT2s0L3fKpCZl+2D91MLf04NPNNUni9BZmDP4Sfjk2Ig7ktgg8r8InfhHz//zSP7e8bquWlsDJ411jYlhlRsBQRm+LIWvOaiW4hdcyEra5fCtzINfylY7VRB4y

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\ff349b6b-a244-4822-8a93-8a39f8087cd8.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	70427
Entropy (8bit):	6.0729090632045635
Encrypted:	false
SSDEEP:	1536:LMGQ5XMBG2AdCiWMRidC0Y1RhhC2sG0CNRWyNpeeGRTmek6FQIS2tqidLY:LMrJM82AdYMRiiDhRf7NpeeG5Fk6FQLb
MD5:	EFC3222619FFBA97EB339BB42FFC5660
SHA1:	A26A79D854F8224F99F05DD44E74E2D99F213902
SHA-256:	88B43969E7C0B22209AFFB276144571C7D9EACF88878E58FA045B77C0C32A450
SHA-512:	DB6C3FF9BB1AF8F2A7957FC7A70FB5AA91D2F36D8A928F3C78647873F2F73E87F0E7D4825666C108AC15904B71860437BECFEFC9F8CBEF716CE578CADCF34543
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"5E25271B8190D943537AD3FDB50874FC133E8B4A00380E2A6A888D63386F728B\"","domain_actions_config":"H4sIAAAAAAAAAL1dWZPktpH+KxP9ZDtU6GMujfykHY9txVpHyHIoYh2ODhBEkWiCAAdHVbEc/u+bCVb1dE8RqEqOdh806mbzw8VEXshM/PuKb27vha2luF9LHqKT96KVoru3G+mcquXVN/++4sOgleBBWeOvvvnn4YGs7wcLz8erb65+HMKPMVx9dVXbnisDT4wMa612TNj+6j9fUSA+xFpZPyH/9dVVQig59Wx4L5+Cwzjg799ubt/jJP48zeE9TuHwDjYBc/Ew+Ktvbv/z1ZWoe+rsjB4/7Abr5U+ajz9LXo9Px+21Mk1hoo/oX6HHjTLyKTjYyMJmCbLnO/hZMpjFAjSvxOIhbxgi5FK85m+ZCkuQu7UyKoxLO97yIFoYvbAluiw2oRoYgIQ2nG2AqJY2U+koRXQbbMm3fMsEX9JMK3GLbeAvNjhrlo5GOJiTA/oXLTdG6qXtmMBDiyS59PvY7eCklyb4QcfFi7tpdwu3VBt1XNorvM4+RiU6+CjD0kb+pHz7rRm3rXSyzABnWdKBG+Ijlx7hEE4QTzo+AB6fnDLLJBpo7PKv8Ob367/KjUg8mcY6CmCjTJCmtsWFOcUf5vj04cw0e1yZe2WAl8svFn5IC43jfc+dLnGrEyDwAicHCxNdhlrVa5LEtTgt5u2lAK02pd198r5dr5VYgHj55jUJZGTtlg0NlA7S5AnvB8l7z3olnPV2vfCLsugvBUH7vTVIe9Y151SnmS2Auyvcr5UGYXBvzT2s0L3fKpCZl+2D91MLf04NPNNUni9BZmDP4Sfjk2Ig7ktgg8r8InfhHz//zSP7e8bquWlsDJ411jYlhlRsBQRm+LIWvOaiW4hdcyEra5fCtzINfylY7VRB4y

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\1998919b-a83e-4f5a-ba4c-2dd144b9cc9f.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44137
Entropy (8bit):	6.09072033289002
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4kkBMBwuF9hDO6vP6O+ztbzy70FqHoPFkGoup1Xl3jVu:z/Ps+wsI7ynEV6atbz8hu3VlXr4CRo1
MD5:	07D6936E1A20F9EBF21AC2932E0BED41
SHA1:	B68349C21F0DC298A75E1CCE0FCA775DB0629DE4
SHA-256:	394D2F2B1D8C4BD1BDDD41CA0CF4D631B3FAAC29C83D615833F5EC8D23A4C42E
SHA-512:	9AFDE4832DF57753EB438AE3D182A410B294424854A4E52FD1088342C912C8163CE496D3200A0873906F94CFE4E3F9DEE3D20559B9F0900450BCD7C06072267A
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\53c4dc06-e559-4b95-bb0f-9acdd23c1f20.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44673
Entropy (8bit):	6.096048301961058
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4xkBUFuuhDO6vP6OaANm4akSdcGoup1Xl3jVzXr4CCAg:z/Ps+wsI7yOEH66Pchu3VlXr4CRo1
MD5:	F5A55437F84FA8AB50D5B65A87BA31EE
SHA1:	D83F7AD03E160D3661A4C08A931321CF0365610B
SHA-256:	5F0FA1492DEA61514F52DA8E4F7DD69C8DAE7151023A0C846034C85D052D4DEE
SHA-512:	1964E6B86AD0714DF437194794E4CAB4765E3669972C84605B9325322E07D1CE5493B286C3A2D218005FEF3EB65D7397AFCB9BB823C257C1387758C64846321C
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\968ee84f-4edb-4b7a-b4da-2d69c6bf2285.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44673
Entropy (8bit):	6.0959139262134165
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4xkBUFuuhDO6vP6Oas8m4GnE8yscGoup1Xl3jVzXr4CW:z/Ps+wsI7yOEH66ichu3VlXr4CRo1
MD5:	997A3B9CC9F6236749293CB3BAD854DC
SHA1:	F712A626970EC2501BC308524DBA16B441049423
SHA-256:	7E1350B5D66A0478F5D2FE7B9BC4C65E8A5AB4DFFFC74C6602A175EAF382ADB1
SHA-512:	27B9E066BDF32ECB5E45042BB6A141E5670FB46A3DDE944B073AF1EA8B7D4C14F1F14006F1E4AB0072EFEE54AB02ED40DAE7FD1670D51AD67E7F4EC5E1B761C8
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\98861998-ba5d-486c-b993-06f4f6419353.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44673
Entropy (8bit):	6.095901231953137
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4xkBUFuuhDO6vP6OasNm4GnE8yscGoup1Xl3jVzXr4CW:z/Ps+wsI7yOEH665chu3VlXr4CRo1
MD5:	6B115853FD2BF7B83E3032A87BEC5BE8
SHA1:	FDF7B2012FE8158332790C1CF7FE30BE7291E54C
SHA-256:	665F96A40D68A38054E9FF8399A7E7DE71D17EC20FB2428D581C095FB972DC46
SHA-512:	D82B68FA2CE67B699815F0AAB13D0A9C2618DD24FFDD581D6CECFE4A381BD5F8F6E349C3D340D61FEF0120F6F3739D88F342627A4292590C5D3E5294C3933266
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\BrowserMetrics\BrowserMetrics-66D80853-2204.pma

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	4194304
Entropy (8bit):	0.1351787894955864
Encrypted:	false
SSDEEP:	1536:7c0hLOOkiAZYhqWfxurqERGfV1pjUaQRG:7c0LO3isYhqWDhfV1pjUad
MD5:	822701823CFC425295F9D962E37F7CAC
SHA1:	FDAAFA9D012D1CADA19095096F73CB9CA143163D
SHA-256:	1593BD65776A3FC57792BD4D8E4E013D23E521E5FACA28BFC6024C1E281D53D1
SHA-512:	D88521C899CD5DB6261A0E95AFE8977D85EAD780C04597D8F71AFD462392BE50B63192258F385E17823B10136749414DBAD338A194C7DFF6C6C666A673063E66
Malicious:	false
Preview:	...@..@...@.....C.].....@...............06...%..............`... ...i.y.........BrowserMetrics......i.y..Yd. .......A...................v.0.....UV&K.k<................UV&K.k<................UMA.PersistentHistograms.InitResult.....8...i.y.[".................................................i.y.Pq.30..............117.0.2045.47-64..".en-GB...Windows NT..10.0.190452l..x86_64..?........".lkguur20,1(.0..8..B.......2.:.M..BU..Be...?j...GenuineIntel... .. ..........x86_64...J....k..^o..J..l.zL.^o..J....\.^o..J.....f.^o..J....?.^o..P.Z...b.INBXj....... .8.@..............(......................w..U].0r........>.........."....."...24.."."pZLhTaJ23hN5uQxwzu0K2CYes/dvJuE93VbIVV/LnRA=".:............B)..1.3.177.11.. .*.RegKeyNotFound2.windowsR...Z...u...V.S@..$...SF@.......Y@.......4@.......Y@........?........?.........................Y@.......Y@.......Y@.......Y@.......Y@.......Y@.......Y@.......4@.......Y@................Y@.......Y@.......Y@........?........?2..........I...... .`2.......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	280
Entropy (8bit):	4.132041621771752
Encrypted:	false
SSDEEP:	3:FiWWltlApdeXKeQwFMYLAfJrAazlYBVP/Sh/JzvPWVcRVEVg3WWD5x1:o1ApdeaEqYsMazlYBVsJDu2ziy5
MD5:	845CFA59D6B52BD2E8C24AC83A335C66
SHA1:	6882BB1CE71EB14CEF73413EFC591ACF84C63C75
SHA-256:	29645C274865D963D30413284B36CC13D7472E3CD2250152DEE468EC9DA3586F
SHA-512:	8E0E7E8CCDC8340F68DB31F519E1006FA7B99593A0C1A2425571DAF71807FBBD4527A211030162C9CE9E0584C8C418B5346C2888BEDC43950BF651FD1D40575E
Malicious:	false
Preview:	sdPC......................X..<EE..r/y..."pZLhTaJ23hN5uQxwzu0K2CYes/dvJuE93VbIVV/LnRA="..................................................................................47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=....................fdb35e9f-12f5-40d5-8d50-87a9333d43a4............

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\018364f4-dcfe-4ee0-b0bc-c3beb518b98c.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24691
Entropy (8bit):	5.569204823152954
Encrypted:	false
SSDEEP:	768:ZjfCToWPuZf9w8F1+UoAYDCx9Tuqh0VfUC9xbog/OVHGhJXrw7KWpHtuU:ZjfCToWPuZf9wu1jaW4JE7Ztf
MD5:	93B46463783C4B6C4FD34F9833CB3925
SHA1:	12990227050E7356B6498C9E9CFAC55916FD93D5
SHA-256:	DDAAFB276556EE3AA8014F479C46165F14AF20F352B32726DE4979BCFE9E33EC
SHA-512:	0BACF92DD411CA340E79639A68FA2FBD5DB50AEE094FDDC3A6747E298C6034756E5373C089EAAC7BB093FB4BFA2E2968AC3602FC531D01074878FF6E10CFAB9F
Malicious:	false
Preview:	{"edge_fundamentals_appdefaults":{"ess_lightweight_version":101},"ess_kv_states":{"restore_on_startup":{"closed_notification":false,"decrypt_success":true,"key":"restore_on_startup","notification_popup_count":0},"startup_urls":{"closed_notification":false,"decrypt_success":true,"key":"startup_urls","notification_popup_count":0},"template_url_data":{"closed_notification":false,"decrypt_success":true,"key":"template_url_data","notification_popup_count":0}},"extensions":{"settings":{"ahfgeienlihckogmohjhadlkjgocpleb":{"active_permissions":{"api":["management","system.display","system.storage","webstorePrivate","system.cpu","system.memory","system.network"],"explicit_host":[],"manifest_permissions":[],"scriptable_host":[]},"app_launcher_ordinal":"t","commands":{},"content_settings":[],"creation_flags":1,"events":[],"first_install_time":"13369907531543492","from_webstore":false,"incognito_content_settings":[],"incognito_preferences":{},"last_update_time":"13369907531543492","location":5,"ma

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\3356e31f-2301-4933-a345-99d529edcff0.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:L:L
MD5:	5058F1AF8388633F609CADB75A75DC9D
SHA1:	3A52CE780950D4D969792A2559CD519D7EE8C727
SHA-256:	CDB4EE2AEA69CC6A83331BBE96DC2CAA9A299D21329EFB0336FC02A82E1839A8
SHA-512:	0B61241D7C17BCBB1BAEE7094D14B7C451EFECC7FFCBD92598A0F13D313CC9EBC2A07E61F007BAF58FBF94FF9A8695BDD5CAE7CE03BBF1E94E93613A00F25F21
Malicious:	false
Preview:	.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\3c427b23-a4b4-4b3b-a02d-b1494b80ce70.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:L:L
MD5:	5058F1AF8388633F609CADB75A75DC9D
SHA1:	3A52CE780950D4D969792A2559CD519D7EE8C727
SHA-256:	CDB4EE2AEA69CC6A83331BBE96DC2CAA9A299D21329EFB0336FC02A82E1839A8
SHA-512:	0B61241D7C17BCBB1BAEE7094D14B7C451EFECC7FFCBD92598A0F13D313CC9EBC2A07E61F007BAF58FBF94FF9A8695BDD5CAE7CE03BBF1E94E93613A00F25F21
Malicious:	false
Preview:	.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\4da48c63-3400-4d36-a242-81e55f244279.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:L:L
MD5:	5058F1AF8388633F609CADB75A75DC9D
SHA1:	3A52CE780950D4D969792A2559CD519D7EE8C727
SHA-256:	CDB4EE2AEA69CC6A83331BBE96DC2CAA9A299D21329EFB0336FC02A82E1839A8
SHA-512:	0B61241D7C17BCBB1BAEE7094D14B7C451EFECC7FFCBD92598A0F13D313CC9EBC2A07E61F007BAF58FBF94FF9A8695BDD5CAE7CE03BBF1E94E93613A00F25F21
Malicious:	false
Preview:	.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\9dc8fea1-ede3-4ca2-8267-d3f8209cf06a.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7818
Entropy (8bit):	5.089531724834274
Encrypted:	false
SSDEEP:	192:stvM/Rs5x8CZihnkOsY8bV+FiA66Wb7aFIMYHhbLMJ:stvM/Rs5x8xhibGix6Wb7aTYa
MD5:	C8B273B6CEAA41A67369BDE30BF4349A
SHA1:	36DE0E5F8B8D8F4F38643A051C4F0F5ED25017DC
SHA-256:	06D544DD2FC3E2D570AA074ED9C3CC9A947FACB5C8F535B01C4BCEBC799934B1
SHA-512:	8D8C2725BC3229A396EE0D334EB2FF0D383D15FD474295DC7157236593D64742E42EF1B777E46AC55A91BE43BA21450CC409F5575CDFE22CF3A6753EDD41FA2B
Malicious:	false
Preview:	{"aadc_info":{"age_group":0},"account_tracker_service_last_update":"13340900082427237","alternate_error_pages":{"backup":true},"apps":{"shortcuts_arch":"","shortcuts_version":0},"arbitration_experiences":{},"arbitration_local_nsat_reset_time":"13340900603634208","arbitration_using_experiment_config":false,"browser":{"available_dark_theme_options":"All","has_seen_welcome_page":false},"continuous_migration":{"ci_correction_for_holdout_treatment_state":1},"countryid_at_install":17224,"custom_links":{"list":[]},"default_apps_install_state":3,"domain_diversity":{"last_reporting_timestamp":"13340900082535948"},"dual_engine":{"consumer_mode":{"ie_user":false},"consumer_site_list_with_ie_entries":false,"consumer_sitelist_location":"","consumer_sitelist_version":"","external_consumer_shared_cookie_data":{},"shared_cookie_data":{},"sitelist_data_2":{},"sitelist_has_consumer_data":false,"sitelist_has_enterprise_data":false,"sitelist_location":"","sitelist_source":0,"sitelist_version":""},"edge":{

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeCoupons\coupons_data.db\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	348
Entropy (8bit):	5.185986049542841
Encrypted:	false
SSDEEP:	6:P2SQ+q2P923oH+TcwtnG2tMsIFUt82HwgZmw+2HwQVkwO923oH+TcwtnG2tMsLJ:P2SQ+v4Yebn9GFUt82Qg/+2QQV5LYebB
MD5:	B87868F09C0C0D4A931DAF5C1DCED0FA
SHA1:	BCF3E2BD451FB2F1311B63C8E01D133301E9E69D
SHA-256:	C31CE499F0D7ED7AB75B18E3F1C3328E801B48EA73AB0BAC69730BC8305E9550
SHA-512:	C0394C6F496E6ED3679C8F21A65BEFB0FECF99E492A3FF345AA01A4DFAD800C79D150A50457B9A3FFE4480A2E228FB2B59FAF5C8D0884E5F0B6837AB70D80EBB
Malicious:	false
Preview:	2024/09/04-03:12:11.672 1e7c Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeCoupons/coupons_data.db/MANIFEST-000001.2024/09/04-03:12:11.673 1e7c Recovering log #3.2024/09/04-03:12:11.673 1e7c Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeCoupons/coupons_data.db/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeCoupons\coupons_data.db\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	348
Entropy (8bit):	5.185986049542841
Encrypted:	false
SSDEEP:	6:P2SQ+q2P923oH+TcwtnG2tMsIFUt82HwgZmw+2HwQVkwO923oH+TcwtnG2tMsLJ:P2SQ+v4Yebn9GFUt82Qg/+2QQV5LYebB
MD5:	B87868F09C0C0D4A931DAF5C1DCED0FA
SHA1:	BCF3E2BD451FB2F1311B63C8E01D133301E9E69D
SHA-256:	C31CE499F0D7ED7AB75B18E3F1C3328E801B48EA73AB0BAC69730BC8305E9550
SHA-512:	C0394C6F496E6ED3679C8F21A65BEFB0FECF99E492A3FF345AA01A4DFAD800C79D150A50457B9A3FFE4480A2E228FB2B59FAF5C8D0884E5F0B6837AB70D80EBB
Malicious:	false
Preview:	2024/09/04-03:12:11.672 1e7c Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeCoupons/coupons_data.db/MANIFEST-000001.2024/09/04-03:12:11.673 1e7c Recovering log #3.2024/09/04-03:12:11.673 1e7c Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeCoupons/coupons_data.db/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeCoupons\coupons_data.db\LOG.old~RF3782f.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	348
Entropy (8bit):	5.185986049542841
Encrypted:	false
SSDEEP:	6:P2SQ+q2P923oH+TcwtnG2tMsIFUt82HwgZmw+2HwQVkwO923oH+TcwtnG2tMsLJ:P2SQ+v4Yebn9GFUt82Qg/+2QQV5LYebB
MD5:	B87868F09C0C0D4A931DAF5C1DCED0FA
SHA1:	BCF3E2BD451FB2F1311B63C8E01D133301E9E69D
SHA-256:	C31CE499F0D7ED7AB75B18E3F1C3328E801B48EA73AB0BAC69730BC8305E9550
SHA-512:	C0394C6F496E6ED3679C8F21A65BEFB0FECF99E492A3FF345AA01A4DFAD800C79D150A50457B9A3FFE4480A2E228FB2B59FAF5C8D0884E5F0B6837AB70D80EBB
Malicious:	false
Preview:	2024/09/04-03:12:11.672 1e7c Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeCoupons/coupons_data.db/MANIFEST-000001.2024/09/04-03:12:11.673 1e7c Recovering log #3.2024/09/04-03:12:11.673 1e7c Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeCoupons/coupons_data.db/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Rules\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	380
Entropy (8bit):	1.8784775129881184
Encrypted:	false
SSDEEP:	6:qTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCT:qWWWWWWWWWWWWWWWWWWW
MD5:	9FE07A071FDA31327FA322B32FCA0B7E
SHA1:	A3E0BAE8853A163C9BB55F68616C795AAAF462E8
SHA-256:	E02333C0359406998E3FED40B69B61C9D28B2117CF9E6C0239E2E13EC13BA7C8
SHA-512:	9CCE621CD5B7CFBD899ABCBDD71235776FF9FF7DEA19C67F86E7F0603F7B09CA294CC16B672B742FA9B51387B2F0A501C3446872980BCA69ADE13F2B5677601D
Malicious:	false
Preview:	.f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5...............

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Rules\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	324
Entropy (8bit):	5.167532826870356
Encrypted:	false
SSDEEP:	6:Pxq2P923oH+Tcwt8aPrqIFUt82DPBZmw+2cFzkwO923oH+Tcwt8amLJ:Pxv4YebL3FUt82F/+2cF5LYebQJ
MD5:	237CACC6AF9F2AC4B24CE961B2E01EE6
SHA1:	C7E8B0CDA43097A38DECB5658D6EC200E613691E
SHA-256:	CEA33A29358A4B3AC74FDF1BEC2A2E9C9993CB906526060BA2F023972F01B1B7
SHA-512:	C9235B1538624556446048C8728833E562A2780617AD2764F32A515592901A6AEA60285240E815FA406AE2F1E328D7F9417E31BA33C5A12C59CBCEAD6F0EB6D4
Malicious:	false
Preview:	2024/09/04-03:12:11.674 1eb0 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Rules/MANIFEST-000001.2024/09/04-03:12:11.677 1eb0 Recovering log #3.2024/09/04-03:12:11.678 1eb0 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Rules/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Rules\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	324
Entropy (8bit):	5.167532826870356
Encrypted:	false
SSDEEP:	6:Pxq2P923oH+Tcwt8aPrqIFUt82DPBZmw+2cFzkwO923oH+Tcwt8amLJ:Pxv4YebL3FUt82F/+2cF5LYebQJ
MD5:	237CACC6AF9F2AC4B24CE961B2E01EE6
SHA1:	C7E8B0CDA43097A38DECB5658D6EC200E613691E
SHA-256:	CEA33A29358A4B3AC74FDF1BEC2A2E9C9993CB906526060BA2F023972F01B1B7
SHA-512:	C9235B1538624556446048C8728833E562A2780617AD2764F32A515592901A6AEA60285240E815FA406AE2F1E328D7F9417E31BA33C5A12C59CBCEAD6F0EB6D4
Malicious:	false
Preview:	2024/09/04-03:12:11.674 1eb0 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Rules/MANIFEST-000001.2024/09/04-03:12:11.677 1eb0 Recovering log #3.2024/09/04-03:12:11.678 1eb0 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Rules/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Scripts\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	380
Entropy (8bit):	1.8784775129881184
Encrypted:	false
SSDEEP:	6:qTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCT:qWWWWWWWWWWWWWWWWWWW
MD5:	9FE07A071FDA31327FA322B32FCA0B7E
SHA1:	A3E0BAE8853A163C9BB55F68616C795AAAF462E8
SHA-256:	E02333C0359406998E3FED40B69B61C9D28B2117CF9E6C0239E2E13EC13BA7C8
SHA-512:	9CCE621CD5B7CFBD899ABCBDD71235776FF9FF7DEA19C67F86E7F0603F7B09CA294CC16B672B742FA9B51387B2F0A501C3446872980BCA69ADE13F2B5677601D
Malicious:	false
Preview:	.f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5...............

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Scripts\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	328
Entropy (8bit):	5.160758150851191
Encrypted:	false
SSDEEP:	6:PLq2P923oH+Tcwt865IFUt82SbZmw+2SxkwO923oH+Tcwt86+ULJ:PLv4Yeb/WFUt822/+2K5LYeb/+SJ
MD5:	F433563B749AA7569FA09A53090A9DB1
SHA1:	45911F4A3A60DD33B7B8FB1E8BB8D69DA5200059
SHA-256:	EF3061BEB9CCE729D310F9F8F30A14B1B466D1455CB8DA7A61A3C31FAB7A42E2
SHA-512:	FE8E0605F2A20008F657DB9E0E3902882F79CEBF2B78F7760FBD0EF72B3A05E2024A2E0EF1E398C793EF84319CA3ABD77CAF78070B0746BEE3133AEB991457B2
Malicious:	false
Preview:	2024/09/04-03:12:11.687 1eb0 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Scripts/MANIFEST-000001.2024/09/04-03:12:11.690 1eb0 Recovering log #3.2024/09/04-03:12:11.690 1eb0 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Scripts/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Scripts\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	328
Entropy (8bit):	5.160758150851191
Encrypted:	false
SSDEEP:	6:PLq2P923oH+Tcwt865IFUt82SbZmw+2SxkwO923oH+Tcwt86+ULJ:PLv4Yeb/WFUt822/+2K5LYeb/+SJ
MD5:	F433563B749AA7569FA09A53090A9DB1
SHA1:	45911F4A3A60DD33B7B8FB1E8BB8D69DA5200059
SHA-256:	EF3061BEB9CCE729D310F9F8F30A14B1B466D1455CB8DA7A61A3C31FAB7A42E2
SHA-512:	FE8E0605F2A20008F657DB9E0E3902882F79CEBF2B78F7760FBD0EF72B3A05E2024A2E0EF1E398C793EF84319CA3ABD77CAF78070B0746BEE3133AEB991457B2
Malicious:	false
Preview:	2024/09/04-03:12:11.687 1eb0 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Scripts/MANIFEST-000001.2024/09/04-03:12:11.690 1eb0 Recovering log #3.2024/09/04-03:12:11.690 1eb0 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Scripts/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	1140
Entropy (8bit):	1.8784775129881184
Encrypted:	false
SSDEEP:	12:qWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWW:
MD5:	914FD8DC5F9A741C6947E1AB12A9D113
SHA1:	6529EFE14E7B0BEA47D78B147243096408CDAAE4
SHA-256:	8BE3C96EE64B5D2768057EA1C4D1A70F40A0041585F3173806E2278E9300960B
SHA-512:	2862BF83C061414EFA2AC035FFC25BA9C4ED523B430FDEEED4974F55D4450A62766C2E799D0ACDB8269210078547048ACAABFD78EDE6AB91133E30F6B5EBFFBD
Malicious:	false
Preview:	.f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5........

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	321
Entropy (8bit):	5.167490052671856
Encrypted:	false
SSDEEP:	6:P/TvM+q2P923oH+Tcwt8NIFUt82/TB1JZmw+2/TB1cMVkwO923oH+Tcwt8+eLJ:PY+v4YebpFUt82TJ/+2T9V5LYebqJ
MD5:	2087E03904E041597E0063F13C0F0F03
SHA1:	A08EBF1FDEA45E03FA9DDBBE6B8236055A4E2775
SHA-256:	26C8DB4CBB5F10FC04A4EE5FBF3EB1C052D031014DF60F5F3BB76A913E043893
SHA-512:	94F032FD99C09FB9147EB53A5D3E9E693F86BF12247C98DC7E31005FA9025C36B64C32209BE1D6C14E19890B2485EF8331184D5B8178D1D5E9FF8F466A0692A0
Malicious:	false
Preview:	2024/09/04-03:12:19.864 1ac Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension State/MANIFEST-000001.2024/09/04-03:12:19.865 1ac Recovering log #3.2024/09/04-03:12:19.865 1ac Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension State/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	321
Entropy (8bit):	5.167490052671856
Encrypted:	false
SSDEEP:	6:P/TvM+q2P923oH+Tcwt8NIFUt82/TB1JZmw+2/TB1cMVkwO923oH+Tcwt8+eLJ:PY+v4YebpFUt82TJ/+2T9V5LYebqJ
MD5:	2087E03904E041597E0063F13C0F0F03
SHA1:	A08EBF1FDEA45E03FA9DDBBE6B8236055A4E2775
SHA-256:	26C8DB4CBB5F10FC04A4EE5FBF3EB1C052D031014DF60F5F3BB76A913E043893
SHA-512:	94F032FD99C09FB9147EB53A5D3E9E693F86BF12247C98DC7E31005FA9025C36B64C32209BE1D6C14E19890B2485EF8331184D5B8178D1D5E9FF8F466A0692A0
Malicious:	false
Preview:	2024/09/04-03:12:19.864 1ac Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension State/MANIFEST-000001.2024/09/04-03:12:19.865 1ac Recovering log #3.2024/09/04-03:12:19.865 1ac Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension State/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\LOG.old~RF37909.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	321
Entropy (8bit):	5.167490052671856
Encrypted:	false
SSDEEP:	6:P/TvM+q2P923oH+Tcwt8NIFUt82/TB1JZmw+2/TB1cMVkwO923oH+Tcwt8+eLJ:PY+v4YebpFUt82TJ/+2T9V5LYebqJ
MD5:	2087E03904E041597E0063F13C0F0F03
SHA1:	A08EBF1FDEA45E03FA9DDBBE6B8236055A4E2775
SHA-256:	26C8DB4CBB5F10FC04A4EE5FBF3EB1C052D031014DF60F5F3BB76A913E043893
SHA-512:	94F032FD99C09FB9147EB53A5D3E9E693F86BF12247C98DC7E31005FA9025C36B64C32209BE1D6C14E19890B2485EF8331184D5B8178D1D5E9FF8F466A0692A0
Malicious:	false
Preview:	2024/09/04-03:12:19.864 1ac Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension State/MANIFEST-000001.2024/09/04-03:12:19.865 1ac Recovering log #3.2024/09/04-03:12:19.865 1ac Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension State/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	336
Entropy (8bit):	5.076971236585015
Encrypted:	false
SSDEEP:	6:PatxVq2P923oH+Tcwt8a2jMGIFUt823gZmw+2tTIkwO923oH+Tcwt8a2jMmLJ:PiVv4Yeb8EFUt823g/+2tTI5LYeb8bJ
MD5:	682F765A4F53B0661ADA486A2E984282
SHA1:	3051D5DF121AA15A5A45B58EC6412185D53A1C43
SHA-256:	A629F23E9E00CEB96574D777F56AFFAA55C55A6F59C7005CD42C0FDD33C57F27
SHA-512:	43B6E3BD923CCA90648FCAE7AD862C125EBDE12B2D350028C899BAC50F1A28B18838F207851B7850FA95983584F14AAEF0A587FC56D27434423C0FB9D4D68796
Malicious:	false
Preview:	2024/09/04-03:12:20.016 2050 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb/MANIFEST-000001.2024/09/04-03:12:20.017 2050 Recovering log #3.2024/09/04-03:12:20.019 2050 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	336
Entropy (8bit):	5.076971236585015
Encrypted:	false
SSDEEP:	6:PatxVq2P923oH+Tcwt8a2jMGIFUt823gZmw+2tTIkwO923oH+Tcwt8a2jMmLJ:PiVv4Yeb8EFUt823g/+2tTI5LYeb8bJ
MD5:	682F765A4F53B0661ADA486A2E984282
SHA1:	3051D5DF121AA15A5A45B58EC6412185D53A1C43
SHA-256:	A629F23E9E00CEB96574D777F56AFFAA55C55A6F59C7005CD42C0FDD33C57F27
SHA-512:	43B6E3BD923CCA90648FCAE7AD862C125EBDE12B2D350028C899BAC50F1A28B18838F207851B7850FA95983584F14AAEF0A587FC56D27434423C0FB9D4D68796
Malicious:	false
Preview:	2024/09/04-03:12:20.016 2050 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb/MANIFEST-000001.2024/09/04-03:12:20.017 2050 Recovering log #3.2024/09/04-03:12:20.019 2050 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG.old~RF37986.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	336
Entropy (8bit):	5.076971236585015
Encrypted:	false
SSDEEP:	6:PatxVq2P923oH+Tcwt8a2jMGIFUt823gZmw+2tTIkwO923oH+Tcwt8a2jMmLJ:PiVv4Yeb8EFUt823g/+2tTI5LYeb8bJ
MD5:	682F765A4F53B0661ADA486A2E984282
SHA1:	3051D5DF121AA15A5A45B58EC6412185D53A1C43
SHA-256:	A629F23E9E00CEB96574D777F56AFFAA55C55A6F59C7005CD42C0FDD33C57F27
SHA-512:	43B6E3BD923CCA90648FCAE7AD862C125EBDE12B2D350028C899BAC50F1A28B18838F207851B7850FA95983584F14AAEF0A587FC56D27434423C0FB9D4D68796
Malicious:	false
Preview:	2024/09/04-03:12:20.016 2050 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb/MANIFEST-000001.2024/09/04-03:12:20.017 2050 Recovering log #3.2024/09/04-03:12:20.019 2050 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\5190b41c-99da-43bc-a84b-726bdedc905b.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\99ee705f-1520-4652-a0cb-5f5e23d65265.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	modified
Size (bytes):	61
Entropy (8bit):	3.926136109079379
Encrypted:	false
SSDEEP:	3:YLb9N+eAXRfHDH2LSL:YHpoeSL
MD5:	4DF4574BFBB7E0B0BC56C2C9B12B6C47
SHA1:	81EFCBD3E3DA8221444A21F45305AF6FA4B71907
SHA-256:	E1B77550222C2451772C958E44026ABE518A2C8766862F331765788DDD196377
SHA-512:	78B14F60F2D80400FE50360CF303A961685396B7697775D078825A29B717081442D357C2039AD0984D4B622976B0314EDE8F478CDE320DAEC118DA546CB0682A
Malicious:	false
Preview:	{"net":{"http_server_properties":{"servers":[],"version":5}}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\9d508d8d-1ee5-46e0-b366-806e691567a3.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	61
Entropy (8bit):	3.926136109079379
Encrypted:	false
SSDEEP:	3:YLb9N+eAXRfHDH2LSL:YHpoeSL
MD5:	4DF4574BFBB7E0B0BC56C2C9B12B6C47
SHA1:	81EFCBD3E3DA8221444A21F45305AF6FA4B71907
SHA-256:	E1B77550222C2451772C958E44026ABE518A2C8766862F331765788DDD196377
SHA-512:	78B14F60F2D80400FE50360CF303A961685396B7697775D078825A29B717081442D357C2039AD0984D4B622976B0314EDE8F478CDE320DAEC118DA546CB0682A
Malicious:	false
Preview:	{"net":{"http_server_properties":{"servers":[],"version":5}}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	61
Entropy (8bit):	3.926136109079379
Encrypted:	false
SSDEEP:	3:YLb9N+eAXRfHDH2LSL:YHpoeSL
MD5:	4DF4574BFBB7E0B0BC56C2C9B12B6C47
SHA1:	81EFCBD3E3DA8221444A21F45305AF6FA4B71907
SHA-256:	E1B77550222C2451772C958E44026ABE518A2C8766862F331765788DDD196377
SHA-512:	78B14F60F2D80400FE50360CF303A961685396B7697775D078825A29B717081442D357C2039AD0984D4B622976B0314EDE8F478CDE320DAEC118DA546CB0682A
Malicious:	false
Preview:	{"net":{"http_server_properties":{"servers":[],"version":5}}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State~RF37a03.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	61
Entropy (8bit):	3.926136109079379
Encrypted:	false
SSDEEP:	3:YLb9N+eAXRfHDH2LSL:YHpoeSL
MD5:	4DF4574BFBB7E0B0BC56C2C9B12B6C47
SHA1:	81EFCBD3E3DA8221444A21F45305AF6FA4B71907
SHA-256:	E1B77550222C2451772C958E44026ABE518A2C8766862F331765788DDD196377
SHA-512:	78B14F60F2D80400FE50360CF303A961685396B7697775D078825A29B717081442D357C2039AD0984D4B622976B0314EDE8F478CDE320DAEC118DA546CB0682A
Malicious:	false
Preview:	{"net":{"http_server_properties":{"servers":[],"version":5}}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports~RF35f67.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports~RF37a03.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\b2fbd134-e268-45db-9311-b6eaf7c036ce.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\e1a1dd9f-3005-4f56-8f10-1e9b0d3f508d.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Preferences (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7818
Entropy (8bit):	5.089531724834274
Encrypted:	false
SSDEEP:	192:stvM/Rs5x8CZihnkOsY8bV+FiA66Wb7aFIMYHhbLMJ:stvM/Rs5x8xhibGix6Wb7aTYa
MD5:	C8B273B6CEAA41A67369BDE30BF4349A
SHA1:	36DE0E5F8B8D8F4F38643A051C4F0F5ED25017DC
SHA-256:	06D544DD2FC3E2D570AA074ED9C3CC9A947FACB5C8F535B01C4BCEBC799934B1
SHA-512:	8D8C2725BC3229A396EE0D334EB2FF0D383D15FD474295DC7157236593D64742E42EF1B777E46AC55A91BE43BA21450CC409F5575CDFE22CF3A6753EDD41FA2B
Malicious:	false
Preview:	{"aadc_info":{"age_group":0},"account_tracker_service_last_update":"13340900082427237","alternate_error_pages":{"backup":true},"apps":{"shortcuts_arch":"","shortcuts_version":0},"arbitration_experiences":{},"arbitration_local_nsat_reset_time":"13340900603634208","arbitration_using_experiment_config":false,"browser":{"available_dark_theme_options":"All","has_seen_welcome_page":false},"continuous_migration":{"ci_correction_for_holdout_treatment_state":1},"countryid_at_install":17224,"custom_links":{"list":[]},"default_apps_install_state":3,"domain_diversity":{"last_reporting_timestamp":"13340900082535948"},"dual_engine":{"consumer_mode":{"ie_user":false},"consumer_site_list_with_ie_entries":false,"consumer_sitelist_location":"","consumer_sitelist_version":"","external_consumer_shared_cookie_data":{},"shared_cookie_data":{},"sitelist_data_2":{},"sitelist_has_consumer_data":false,"sitelist_has_enterprise_data":false,"sitelist_location":"","sitelist_source":0,"sitelist_version":""},"edge":{

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Preferences~RF37938.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7818
Entropy (8bit):	5.089531724834274
Encrypted:	false
SSDEEP:	192:stvM/Rs5x8CZihnkOsY8bV+FiA66Wb7aFIMYHhbLMJ:stvM/Rs5x8xhibGix6Wb7aTYa
MD5:	C8B273B6CEAA41A67369BDE30BF4349A
SHA1:	36DE0E5F8B8D8F4F38643A051C4F0F5ED25017DC
SHA-256:	06D544DD2FC3E2D570AA074ED9C3CC9A947FACB5C8F535B01C4BCEBC799934B1
SHA-512:	8D8C2725BC3229A396EE0D334EB2FF0D383D15FD474295DC7157236593D64742E42EF1B777E46AC55A91BE43BA21450CC409F5575CDFE22CF3A6753EDD41FA2B
Malicious:	false
Preview:	{"aadc_info":{"age_group":0},"account_tracker_service_last_update":"13340900082427237","alternate_error_pages":{"backup":true},"apps":{"shortcuts_arch":"","shortcuts_version":0},"arbitration_experiences":{},"arbitration_local_nsat_reset_time":"13340900603634208","arbitration_using_experiment_config":false,"browser":{"available_dark_theme_options":"All","has_seen_welcome_page":false},"continuous_migration":{"ci_correction_for_holdout_treatment_state":1},"countryid_at_install":17224,"custom_links":{"list":[]},"default_apps_install_state":3,"domain_diversity":{"last_reporting_timestamp":"13340900082535948"},"dual_engine":{"consumer_mode":{"ie_user":false},"consumer_site_list_with_ie_entries":false,"consumer_sitelist_location":"","consumer_sitelist_version":"","external_consumer_shared_cookie_data":{},"shared_cookie_data":{},"sitelist_data_2":{},"sitelist_has_consumer_data":false,"sitelist_has_enterprise_data":false,"sitelist_location":"","sitelist_source":0,"sitelist_version":""},"edge":{

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24691
Entropy (8bit):	5.569204823152954
Encrypted:	false
SSDEEP:	768:ZjfCToWPuZf9w8F1+UoAYDCx9Tuqh0VfUC9xbog/OVHGhJXrw7KWpHtuU:ZjfCToWPuZf9wu1jaW4JE7Ztf
MD5:	93B46463783C4B6C4FD34F9833CB3925
SHA1:	12990227050E7356B6498C9E9CFAC55916FD93D5
SHA-256:	DDAAFB276556EE3AA8014F479C46165F14AF20F352B32726DE4979BCFE9E33EC
SHA-512:	0BACF92DD411CA340E79639A68FA2FBD5DB50AEE094FDDC3A6747E298C6034756E5373C089EAAC7BB093FB4BFA2E2968AC3602FC531D01074878FF6E10CFAB9F
Malicious:	false
Preview:	{"edge_fundamentals_appdefaults":{"ess_lightweight_version":101},"ess_kv_states":{"restore_on_startup":{"closed_notification":false,"decrypt_success":true,"key":"restore_on_startup","notification_popup_count":0},"startup_urls":{"closed_notification":false,"decrypt_success":true,"key":"startup_urls","notification_popup_count":0},"template_url_data":{"closed_notification":false,"decrypt_success":true,"key":"template_url_data","notification_popup_count":0}},"extensions":{"settings":{"ahfgeienlihckogmohjhadlkjgocpleb":{"active_permissions":{"api":["management","system.display","system.storage","webstorePrivate","system.cpu","system.memory","system.network"],"explicit_host":[],"manifest_permissions":[],"scriptable_host":[]},"app_launcher_ordinal":"t","commands":{},"content_settings":[],"creation_flags":1,"events":[],"first_install_time":"13369907531543492","from_webstore":false,"incognito_content_settings":[],"incognito_preferences":{},"last_update_time":"13369907531543492","location":5,"ma

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	321
Entropy (8bit):	5.083416496572326
Encrypted:	false
SSDEEP:	6:PKx4q2P923oH+TcwtrQMxIFUt82KsCXZmw+2KJzkwO923oH+TcwtrQMFLJ:PK2v4YebCFUt82Kh/+2KJ5LYebtJ
MD5:	A3E3399B5B23DBB601793709149D9C80
SHA1:	3C97C5589C968AB60B84563B2680906776CC6408
SHA-256:	9BDE08AE7822A93841AA4C98DCDBAFE32B72869340CADF25DE922AA477B08CC1
SHA-512:	12B596AE18E5393F5AB9CBE4463DAC80F918EAD399C322822B59389619C1FE1FE269886CB94A4938F1CD486B0EE4C7A5443F8DFD5B53AB5878B5ECAC8B1790C4
Malicious:	false
Preview:	2024/09/04-03:12:12.738 ac0 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage/MANIFEST-000001.2024/09/04-03:12:12.747 ac0 Recovering log #3.2024/09/04-03:12:12.770 ac0 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	321
Entropy (8bit):	5.083416496572326
Encrypted:	false
SSDEEP:	6:PKx4q2P923oH+TcwtrQMxIFUt82KsCXZmw+2KJzkwO923oH+TcwtrQMFLJ:PK2v4YebCFUt82Kh/+2KJ5LYebtJ
MD5:	A3E3399B5B23DBB601793709149D9C80
SHA1:	3C97C5589C968AB60B84563B2680906776CC6408
SHA-256:	9BDE08AE7822A93841AA4C98DCDBAFE32B72869340CADF25DE922AA477B08CC1
SHA-512:	12B596AE18E5393F5AB9CBE4463DAC80F918EAD399C322822B59389619C1FE1FE269886CB94A4938F1CD486B0EE4C7A5443F8DFD5B53AB5878B5ECAC8B1790C4
Malicious:	false
Preview:	2024/09/04-03:12:12.738 ac0 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage/MANIFEST-000001.2024/09/04-03:12:12.747 ac0 Recovering log #3.2024/09/04-03:12:12.770 ac0 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	352
Entropy (8bit):	5.134402256861338
Encrypted:	false
SSDEEP:	6:P5DSMM+q2P923oH+Tcwt7Uh2ghZIFUt825DSZZmw+25DSMMVkwO923oH+Tcwt7UT:PdpM+v4YebIhHh2FUt82dm/+2dpMV5L0
MD5:	04E0BE5192819F09C2C120666D4C1C78
SHA1:	2CE69E28607F8D33B5392CF86A226537033B918C
SHA-256:	A00401FA85510C8BC395206603A5ECF42601A316F34E34DF649D37D925C34EE2
SHA-512:	77CC33BA29054728E6BFA58F6BE905EE05F90F28BE0207CBA8363D55B8987042FF05CDB1C486A29495AB42215E8581D0227F747929512577D7E539891B03021A
Malicious:	false
Preview:	2024/09/04-03:12:11.654 1dfc Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database/MANIFEST-000001.2024/09/04-03:12:11.654 1dfc Recovering log #3.2024/09/04-03:12:11.654 1dfc Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	352
Entropy (8bit):	5.134402256861338
Encrypted:	false
SSDEEP:	6:P5DSMM+q2P923oH+Tcwt7Uh2ghZIFUt825DSZZmw+25DSMMVkwO923oH+Tcwt7UT:PdpM+v4YebIhHh2FUt82dm/+2dpMV5L0
MD5:	04E0BE5192819F09C2C120666D4C1C78
SHA1:	2CE69E28607F8D33B5392CF86A226537033B918C
SHA-256:	A00401FA85510C8BC395206603A5ECF42601A316F34E34DF649D37D925C34EE2
SHA-512:	77CC33BA29054728E6BFA58F6BE905EE05F90F28BE0207CBA8363D55B8987042FF05CDB1C486A29495AB42215E8581D0227F747929512577D7E539891B03021A
Malicious:	false
Preview:	2024/09/04-03:12:11.654 1dfc Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database/MANIFEST-000001.2024/09/04-03:12:11.654 1dfc Recovering log #3.2024/09/04-03:12:11.654 1dfc Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG.old~RF3782f.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	352
Entropy (8bit):	5.134402256861338
Encrypted:	false
SSDEEP:	6:P5DSMM+q2P923oH+Tcwt7Uh2ghZIFUt825DSZZmw+25DSMMVkwO923oH+Tcwt7UT:PdpM+v4YebIhHh2FUt82dm/+2dpMV5L0
MD5:	04E0BE5192819F09C2C120666D4C1C78
SHA1:	2CE69E28607F8D33B5392CF86A226537033B918C
SHA-256:	A00401FA85510C8BC395206603A5ECF42601A316F34E34DF649D37D925C34EE2
SHA-512:	77CC33BA29054728E6BFA58F6BE905EE05F90F28BE0207CBA8363D55B8987042FF05CDB1C486A29495AB42215E8581D0227F747929512577D7E539891B03021A
Malicious:	false
Preview:	2024/09/04-03:12:11.654 1dfc Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database/MANIFEST-000001.2024/09/04-03:12:11.654 1dfc Recovering log #3.2024/09/04-03:12:11.654 1dfc Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	431
Entropy (8bit):	5.185617772830998
Encrypted:	false
SSDEEP:	12:PKNv4YebvqBQFUt82K9b/+2K05LYebvqBvJ:SR4YebvZg8v9W+LYebvk
MD5:	AB10734B2001EC7EC0816244C17EBB66
SHA1:	27C669402FF54E25AAB50A6688BE1ED7D12D668E
SHA-256:	92D1A1AAE3A2502852E0C293E4AE7997AB200B521B8FC228476111E5BF30861F
SHA-512:	83AE59D894EB2739676AFABB44F8A02C72F403EFB81035C0E12FCF1D0BC3852B3150F76B57D151204BFDA5A4EE58BD1ADBF11D95D04AA140EA2C730E2FEB75D1
Malicious:	false
Preview:	2024/09/04-03:12:12.812 ac0 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb/MANIFEST-000001.2024/09/04-03:12:12.813 ac0 Recovering log #3.2024/09/04-03:12:12.816 ac0 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	431
Entropy (8bit):	5.185617772830998
Encrypted:	false
SSDEEP:	12:PKNv4YebvqBQFUt82K9b/+2K05LYebvqBvJ:SR4YebvZg8v9W+LYebvk
MD5:	AB10734B2001EC7EC0816244C17EBB66
SHA1:	27C669402FF54E25AAB50A6688BE1ED7D12D668E
SHA-256:	92D1A1AAE3A2502852E0C293E4AE7997AB200B521B8FC228476111E5BF30861F
SHA-512:	83AE59D894EB2739676AFABB44F8A02C72F403EFB81035C0E12FCF1D0BC3852B3150F76B57D151204BFDA5A4EE58BD1ADBF11D95D04AA140EA2C730E2FEB75D1
Malicious:	false
Preview:	2024/09/04-03:12:12.812 ac0 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb/MANIFEST-000001.2024/09/04-03:12:12.813 ac0 Recovering log #3.2024/09/04-03:12:12.816 ac0 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\Network Persistent State (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	61
Entropy (8bit):	3.926136109079379
Encrypted:	false
SSDEEP:	3:YLb9N+eAXRfHDH2LSL:YHpoeSL
MD5:	4DF4574BFBB7E0B0BC56C2C9B12B6C47
SHA1:	81EFCBD3E3DA8221444A21F45305AF6FA4B71907
SHA-256:	E1B77550222C2451772C958E44026ABE518A2C8766862F331765788DDD196377
SHA-512:	78B14F60F2D80400FE50360CF303A961685396B7697775D078825A29B717081442D357C2039AD0984D4B622976B0314EDE8F478CDE320DAEC118DA546CB0682A
Malicious:	false
Preview:	{"net":{"http_server_properties":{"servers":[],"version":5}}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\SCT Auditing Pending Reports (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\Trust Tokens

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 9, cookie 0x7, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	36864
Entropy (8bit):	0.3886039372934488
Encrypted:	false
SSDEEP:	24:TLqEeWOT/kIAoDJ84l5lDlnDMlRlyKDtM6UwccWfp15fBIe:T2EeWOT/nDtX5nDOvyKDhU1cSB
MD5:	DEA619BA33775B1BAEEC7B32110CB3BD
SHA1:	949B8246021D004B2E772742D34B2FC8863E1AAA
SHA-256:	3669D76771207A121594B439280A67E3A6B1CBAE8CE67A42C8312D33BA18854B
SHA-512:	7B9741E0339B30D73FACD4670A9898147BE62B8F063A59736AFDDC83D3F03B61349828F2AE88F682D42C177AE37E18349FD41654AEBA50DDF10CD6DC70FA5879
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...}.....$.X..............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\b7b0d3c3-21b4-470b-9d19-bcf0b4a8bdd1.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\bdb11b6e-5eba-4035-ac1e-6442f0f9d4c2.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	61
Entropy (8bit):	3.926136109079379
Encrypted:	false
SSDEEP:	3:YLb9N+eAXRfHDH2LSL:YHpoeSL
MD5:	4DF4574BFBB7E0B0BC56C2C9B12B6C47
SHA1:	81EFCBD3E3DA8221444A21F45305AF6FA4B71907
SHA-256:	E1B77550222C2451772C958E44026ABE518A2C8766862F331765788DDD196377
SHA-512:	78B14F60F2D80400FE50360CF303A961685396B7697775D078825A29B717081442D357C2039AD0984D4B622976B0314EDE8F478CDE320DAEC118DA546CB0682A
Malicious:	false
Preview:	{"net":{"http_server_properties":{"servers":[],"version":5}}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Session Storage\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	422
Entropy (8bit):	5.227018752357757
Encrypted:	false
SSDEEP:	12:PKwv4YebvqBZFUt82KT1/+2KgF5LYebvqBaJ:SC4Yebvyg8vcgXLYebvL
MD5:	224F60E839621668A288B25BCE86F27E
SHA1:	33E577E731507A936969B3F956DFF746E88301CA
SHA-256:	BD47B86A41F044789915372AB4F6FE8023860AFF1210F33444E26203D1D7B11C
SHA-512:	B816DC6460FF84C218C152719A6BA0BFF46F371F3E42428B71C7BA5197DCB8D5573BFED5E467F56D6BA14095427A0DDF56630E2EF18C34DAF09498D49E28C59B
Malicious:	false
Preview:	2024/09/04-03:12:12.747 2314 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Session Storage/MANIFEST-000001.2024/09/04-03:12:12.783 2314 Recovering log #3.2024/09/04-03:12:12.788 2314 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Session Storage/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Session Storage\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	422
Entropy (8bit):	5.227018752357757
Encrypted:	false
SSDEEP:	12:PKwv4YebvqBZFUt82KT1/+2KgF5LYebvqBaJ:SC4Yebvyg8vcgXLYebvL
MD5:	224F60E839621668A288B25BCE86F27E
SHA1:	33E577E731507A936969B3F956DFF746E88301CA
SHA-256:	BD47B86A41F044789915372AB4F6FE8023860AFF1210F33444E26203D1D7B11C
SHA-512:	B816DC6460FF84C218C152719A6BA0BFF46F371F3E42428B71C7BA5197DCB8D5573BFED5E467F56D6BA14095427A0DDF56630E2EF18C34DAF09498D49E28C59B
Malicious:	false
Preview:	2024/09/04-03:12:12.747 2314 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Session Storage/MANIFEST-000001.2024/09/04-03:12:12.783 2314 Recovering log #3.2024/09/04-03:12:12.788 2314 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Session Storage/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	328
Entropy (8bit):	5.152840021913789
Encrypted:	false
SSDEEP:	6:Pv+q2P923oH+TcwtpIFUt82/tWZZmw+2OU9VkwO923oH+Tcwta/WLJ:P2v4YebmFUt82wZ/+2OUD5LYebaUJ
MD5:	A5BB76F14ABC7A4752A96A1965FC2431
SHA1:	067324E0DD2F22F46BA8CC241EC54D727E681A5E
SHA-256:	2E3058429E74D5E0F102A37113E84E747487F952809B6C42CB81F333F867790C
SHA-512:	41395F73DDDA91CEC38EF14208AB868A76235908018642F7EE309AC923D97A2F0607ACEBE49DAEA1D1FEC3432619C0B974683077AF732B94A81F2E13FBEA91BF
Malicious:	false
Preview:	2024/09/04-03:12:11.610 2128 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB/MANIFEST-000001.2024/09/04-03:12:11.611 2128 Recovering log #3.2024/09/04-03:12:11.612 2128 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	328
Entropy (8bit):	5.152840021913789
Encrypted:	false
SSDEEP:	6:Pv+q2P923oH+TcwtpIFUt82/tWZZmw+2OU9VkwO923oH+Tcwta/WLJ:P2v4YebmFUt82wZ/+2OUD5LYebaUJ
MD5:	A5BB76F14ABC7A4752A96A1965FC2431
SHA1:	067324E0DD2F22F46BA8CC241EC54D727E681A5E
SHA-256:	2E3058429E74D5E0F102A37113E84E747487F952809B6C42CB81F333F867790C
SHA-512:	41395F73DDDA91CEC38EF14208AB868A76235908018642F7EE309AC923D97A2F0607ACEBE49DAEA1D1FEC3432619C0B974683077AF732B94A81F2E13FBEA91BF
Malicious:	false
Preview:	2024/09/04-03:12:11.610 2128 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB/MANIFEST-000001.2024/09/04-03:12:11.611 2128 Recovering log #3.2024/09/04-03:12:11.612 2128 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG.old~RF3781f.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	328
Entropy (8bit):	5.152840021913789
Encrypted:	false
SSDEEP:	6:Pv+q2P923oH+TcwtpIFUt82/tWZZmw+2OU9VkwO923oH+Tcwta/WLJ:P2v4YebmFUt82wZ/+2OUD5LYebaUJ
MD5:	A5BB76F14ABC7A4752A96A1965FC2431
SHA1:	067324E0DD2F22F46BA8CC241EC54D727E681A5E
SHA-256:	2E3058429E74D5E0F102A37113E84E747487F952809B6C42CB81F333F867790C
SHA-512:	41395F73DDDA91CEC38EF14208AB868A76235908018642F7EE309AC923D97A2F0607ACEBE49DAEA1D1FEC3432619C0B974683077AF732B94A81F2E13FBEA91BF
Malicious:	false
Preview:	2024/09/04-03:12:11.610 2128 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB/MANIFEST-000001.2024/09/04-03:12:11.611 2128 Recovering log #3.2024/09/04-03:12:11.612 2128 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Web Data

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 10, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 10
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121311442920892
Encrypted:	false
SSDEEP:	384:b2qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:Kq+n0E9ELyKOMq+8y9/Ow
MD5:	54051EFED19B07096CD81BBE7F246FCC
SHA1:	18EAE3DCAD372D2BCDA6A3E4951944536BA497AB
SHA-256:	A9327205D50B1DF81A1735705F7341D2E3D6DD31978A34BCCC22073EA2A1A2F7
SHA-512:	DD8E8E25DC168994A29CF76342883C5EA9D0044A6A3A1BC8C4C0342889A01E9E7D08BDDE8F1B17CABCD495E2B4FE1FF635A9BD8479875315B3C9E1707DEED511
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\e211cbe5-f670-4cd4-942f-eabcf3854b23.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:L:L
MD5:	5058F1AF8388633F609CADB75A75DC9D
SHA1:	3A52CE780950D4D969792A2559CD519D7EE8C727
SHA-256:	CDB4EE2AEA69CC6A83331BBE96DC2CAA9A299D21329EFB0336FC02A82E1839A8
SHA-512:	0B61241D7C17BCBB1BAEE7094D14B7C451EFECC7FFCBD92598A0F13D313CC9EBC2A07E61F007BAF58FBF94FF9A8695BDD5CAE7CE03BBF1E94E93613A00F25F21
Malicious:	false
Preview:	.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, writer version 2, read version 2, file counter 8, database pages 11, cookie 0x7, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	45056
Entropy (8bit):	0.4108834313259155
Encrypted:	false
SSDEEP:	24:TSWUYP5/ZrK/AxH1Aj5sAFWZmasamfDsCBjy8e+ZcI5fc:TnUYVAKAFXX+CcEc
MD5:	8593795778EA3EC8221366AA2FBBA867
SHA1:	2F307D4925183EA13E7BE637CB93ECAF2BA9810A
SHA-256:	F3C17873660988454A5A403D047FCE88379D1FE8917A89C98E6EB940F8929C03
SHA-512:	CC86DD61ACEDA6F2927C4C23CBD6D426F2C8CD1DF65E342C76D07153ACBF801F9B297F8EF182097CBABBDE6A49C90AF0E7A38E49AB53DF3FD2EC2D5BC675099A
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..................?.P................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db-shm

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.049731726990245535
Encrypted:	false
SSDEEP:	6:Gd0JAmu8jH0JAmu8rtCL9XCChslotGLNl0ml/XoQDeX:zJXsJXQpEjVl/XoQ
MD5:	C54B3D1870E84B11D259971CBC7B34F7
SHA1:	5F3D7D108711BA075CC8DFD4A079363B4F36DADB
SHA-256:	AC3A97348BF70C13B6BA0618708EE0F39FCA5644BAC0D2CD12CD9B5647D18F15
SHA-512:	4A0033E46E0309DC121922D795DC011FF830BA85FA02681A80C1FC1F145820526C328980034B21F20DFE4F83FA15F8D9D7FBB6F85024A614021E73AD24CFEFAD
Malicious:	false
Preview:	..-.....................:Db.W.v..4..}..tT...l...-.....................:Db.W.v..4..}..tT...l.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	324
Entropy (8bit):	5.1292851172574
Encrypted:	false
SSDEEP:	6:PjcIq2P923oH+TcwtfrK+IFUt82jpZmw+2jjkwO923oH+TcwtfrUeLJ:PjcIv4Yeb23FUt82jp/+2jj5LYeb3J
MD5:	A58D39A5A5384D9723A24ED1BBFA648F
SHA1:	63E85529153118A5379665844541480938922CBE
SHA-256:	FCA9D379DDC68445FD7286F9DFD22BA778EC06B8DBA61F9C0659762847B3F86B
SHA-512:	CD0C6BE1206972991402CD4DDCAA8647B1752A9DE3203BDA8C5419B7FC24E0723E14D1E258276FAFBAF687ACB36565D378677D5F2E18DE20B047F7588AC91ABE
Malicious:	false
Preview:	2024/09/04-03:12:11.911 1eb0 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db/MANIFEST-000001.2024/09/04-03:12:11.912 1eb0 Recovering log #3.2024/09/04-03:12:11.912 1eb0 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	324
Entropy (8bit):	5.1292851172574
Encrypted:	false
SSDEEP:	6:PjcIq2P923oH+TcwtfrK+IFUt82jpZmw+2jjkwO923oH+TcwtfrUeLJ:PjcIv4Yeb23FUt82jp/+2jj5LYeb3J
MD5:	A58D39A5A5384D9723A24ED1BBFA648F
SHA1:	63E85529153118A5379665844541480938922CBE
SHA-256:	FCA9D379DDC68445FD7286F9DFD22BA778EC06B8DBA61F9C0659762847B3F86B
SHA-512:	CD0C6BE1206972991402CD4DDCAA8647B1752A9DE3203BDA8C5419B7FC24E0723E14D1E258276FAFBAF687ACB36565D378677D5F2E18DE20B047F7588AC91ABE
Malicious:	false
Preview:	2024/09/04-03:12:11.911 1eb0 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db/MANIFEST-000001.2024/09/04-03:12:11.912 1eb0 Recovering log #3.2024/09/04-03:12:11.912 1eb0 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\LOG.old~RF37909.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	324
Entropy (8bit):	5.1292851172574
Encrypted:	false
SSDEEP:	6:PjcIq2P923oH+TcwtfrK+IFUt82jpZmw+2jjkwO923oH+TcwtfrUeLJ:PjcIv4Yeb23FUt82jp/+2jj5LYeb3J
MD5:	A58D39A5A5384D9723A24ED1BBFA648F
SHA1:	63E85529153118A5379665844541480938922CBE
SHA-256:	FCA9D379DDC68445FD7286F9DFD22BA778EC06B8DBA61F9C0659762847B3F86B
SHA-512:	CD0C6BE1206972991402CD4DDCAA8647B1752A9DE3203BDA8C5419B7FC24E0723E14D1E258276FAFBAF687ACB36565D378677D5F2E18DE20B047F7588AC91ABE
Malicious:	false
Preview:	2024/09/04-03:12:11.911 1eb0 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db/MANIFEST-000001.2024/09/04-03:12:11.912 1eb0 Recovering log #3.2024/09/04-03:12:11.912 1eb0 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	787
Entropy (8bit):	4.059252238767438
Encrypted:	false
SSDEEP:	12:G0nYUtTNop//z3p/Uz0RuWlJhC+lvBavRtin01zvZDEtlkyBrgxvB1ys:G0nYUtypD3RUovhC+lvBOL+t3IvB8s
MD5:	D8D8899761F621B63AD5ED6DF46D22FE
SHA1:	23E6A39058AB3C1DEADC0AF2E0FFD0D84BB7F1BE
SHA-256:	A5E0A78EE981FB767509F26021E1FA3C506F4E86860946CAC1DC4107EB3B3813
SHA-512:	4F89F556138C0CF24D3D890717EB82067C5269063C84229E93F203A22028782902FA48FB0154F53E06339F2FDBE35A985CE728235EA429D8D157090D25F15A4E
Malicious:	false
Preview:	.h.6.................__global... .t...................__global... .9..b.................33_..........................33_........v.................21_.....vuNX.................21_.....<...................20_.....,.1..................19_.....QL.s.................18_.....<.J\|.................37_...... .A.................38_..........................39_........].................20_.....Owa..................20_.....`..N.................19_.....D8.X.................18_......`...................37_..........................38_......\e..................39_.....dz.\|.................9_.....'\c..................9_.......f-.................__global... .\|.&R.................__global... ./....................__global... ..T...................__global... ...G..................__global... .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	342
Entropy (8bit):	5.107113259468111
Encrypted:	false
SSDEEP:	6:PyAq2P923oH+TcwtfrzAdIFUt8215vZZmw+215vzkwO923oH+TcwtfrzILJ:Pzv4Yeb9FUt82XZ/+2Xz5LYeb2J
MD5:	9EE7017266F1747A849D519800EE20EC
SHA1:	CC80ABAC2E988FE3575F4CBB57EA57F292695DC8
SHA-256:	FD58636521CAD99E93DB6D62F96B1FBE16066C561E7663E7854B988E6965E03E
SHA-512:	398ADA174B96690B9657CD2F7A7500B15CE9F02A73E9577950D36C483D8AE58D3495D86A4C88D744AF4B500BD7A98BFC36EF7FD09F8CBDD0A23FD14C6A875DFE
Malicious:	false
Preview:	2024/09/04-03:12:11.900 1eb0 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata/MANIFEST-000001.2024/09/04-03:12:11.901 1eb0 Recovering log #3.2024/09/04-03:12:11.901 1eb0 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	342
Entropy (8bit):	5.107113259468111
Encrypted:	false
SSDEEP:	6:PyAq2P923oH+TcwtfrzAdIFUt8215vZZmw+215vzkwO923oH+TcwtfrzILJ:Pzv4Yeb9FUt82XZ/+2Xz5LYeb2J
MD5:	9EE7017266F1747A849D519800EE20EC
SHA1:	CC80ABAC2E988FE3575F4CBB57EA57F292695DC8
SHA-256:	FD58636521CAD99E93DB6D62F96B1FBE16066C561E7663E7854B988E6965E03E
SHA-512:	398ADA174B96690B9657CD2F7A7500B15CE9F02A73E9577950D36C483D8AE58D3495D86A4C88D744AF4B500BD7A98BFC36EF7FD09F8CBDD0A23FD14C6A875DFE
Malicious:	false
Preview:	2024/09/04-03:12:11.900 1eb0 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata/MANIFEST-000001.2024/09/04-03:12:11.901 1eb0 Recovering log #3.2024/09/04-03:12:11.901 1eb0 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG.old~RF37909.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	342
Entropy (8bit):	5.107113259468111
Encrypted:	false
SSDEEP:	6:PyAq2P923oH+TcwtfrzAdIFUt8215vZZmw+215vzkwO923oH+TcwtfrzILJ:Pzv4Yeb9FUt82XZ/+2Xz5LYeb2J
MD5:	9EE7017266F1747A849D519800EE20EC
SHA1:	CC80ABAC2E988FE3575F4CBB57EA57F292695DC8
SHA-256:	FD58636521CAD99E93DB6D62F96B1FBE16066C561E7663E7854B988E6965E03E
SHA-512:	398ADA174B96690B9657CD2F7A7500B15CE9F02A73E9577950D36C483D8AE58D3495D86A4C88D744AF4B500BD7A98BFC36EF7FD09F8CBDD0A23FD14C6A875DFE
Malicious:	false
Preview:	2024/09/04-03:12:11.900 1eb0 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata/MANIFEST-000001.2024/09/04-03:12:11.901 1eb0 Recovering log #3.2024/09/04-03:12:11.901 1eb0 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Last Browser

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	120
Entropy (8bit):	3.32524464792714
Encrypted:	false
SSDEEP:	3:tbloIlrJFlXnpQoWcNylRjlgbYnPdJiG6R7lZAUAl:tbdlrYoWcV0n1IGi7kBl
MD5:	A397E5983D4A1619E36143B4D804B870
SHA1:	AA135A8CC2469CFD1EF2D7955F027D95BE5DFBD4
SHA-256:	9C70F766D3B84FC2BB298EFA37CC9191F28BEC336329CC11468CFADBC3B137F4
SHA-512:	4159EA654152D2810C95648694DD71957C84EA825FCCA87B36F7E3282A72B30EF741805C610C5FA847CA186E34BDE9C289AAA7B6931C5B257F1D11255CD2A816
Malicious:	false
Preview:	C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.M.i.c.r.o.s.o.f.t.\.E.d.g.e.\.A.p.p.l.i.c.a.t.i.o.n.\.m.s.e.d.g.e...e.x.e.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Last Version

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	13
Entropy (8bit):	2.7192945256669794
Encrypted:	false
SSDEEP:	3:NYLFRQI:ap2I
MD5:	BF16C04B916ACE92DB941EBB1AF3CB18
SHA1:	FA8DAEAE881F91F61EE0EE21BE5156255429AA8A
SHA-256:	7FC23C9028A316EC0AC25B09B5B0D61A1D21E58DFCF84C2A5F5B529129729098
SHA-512:	F0B7DF5517596B38D57C57B5777E008D6229AB5B1841BBE74602C77EEA2252BF644B8650C7642BD466213F62E15CC7AB5A95B28E26D3907260ED1B96A74B65FB
Malicious:	false
Preview:	117.0.2045.47

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44137
Entropy (8bit):	6.09072033289002
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4kkBMBwuF9hDO6vP6O+ztbzy70FqHoPFkGoup1Xl3jVu:z/Ps+wsI7ynEV6atbz8hu3VlXr4CRo1
MD5:	07D6936E1A20F9EBF21AC2932E0BED41
SHA1:	B68349C21F0DC298A75E1CCE0FCA775DB0629DE4
SHA-256:	394D2F2B1D8C4BD1BDDD41CA0CF4D631B3FAAC29C83D615833F5EC8D23A4C42E
SHA-512:	9AFDE4832DF57753EB438AE3D182A410B294424854A4E52FD1088342C912C8163CE496D3200A0873906F94CFE4E3F9DEE3D20559B9F0900450BCD7C06072267A
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State~RF3591d.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44137
Entropy (8bit):	6.09072033289002
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4kkBMBwuF9hDO6vP6O+ztbzy70FqHoPFkGoup1Xl3jVu:z/Ps+wsI7ynEV6atbz8hu3VlXr4CRo1
MD5:	07D6936E1A20F9EBF21AC2932E0BED41
SHA1:	B68349C21F0DC298A75E1CCE0FCA775DB0629DE4
SHA-256:	394D2F2B1D8C4BD1BDDD41CA0CF4D631B3FAAC29C83D615833F5EC8D23A4C42E
SHA-512:	9AFDE4832DF57753EB438AE3D182A410B294424854A4E52FD1088342C912C8163CE496D3200A0873906F94CFE4E3F9DEE3D20559B9F0900450BCD7C06072267A
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State~RF35a75.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44137
Entropy (8bit):	6.09072033289002
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4kkBMBwuF9hDO6vP6O+ztbzy70FqHoPFkGoup1Xl3jVu:z/Ps+wsI7ynEV6atbz8hu3VlXr4CRo1
MD5:	07D6936E1A20F9EBF21AC2932E0BED41
SHA1:	B68349C21F0DC298A75E1CCE0FCA775DB0629DE4
SHA-256:	394D2F2B1D8C4BD1BDDD41CA0CF4D631B3FAAC29C83D615833F5EC8D23A4C42E
SHA-512:	9AFDE4832DF57753EB438AE3D182A410B294424854A4E52FD1088342C912C8163CE496D3200A0873906F94CFE4E3F9DEE3D20559B9F0900450BCD7C06072267A
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State~RF35cd7.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44137
Entropy (8bit):	6.09072033289002
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4kkBMBwuF9hDO6vP6O+ztbzy70FqHoPFkGoup1Xl3jVu:z/Ps+wsI7ynEV6atbz8hu3VlXr4CRo1
MD5:	07D6936E1A20F9EBF21AC2932E0BED41
SHA1:	B68349C21F0DC298A75E1CCE0FCA775DB0629DE4
SHA-256:	394D2F2B1D8C4BD1BDDD41CA0CF4D631B3FAAC29C83D615833F5EC8D23A4C42E
SHA-512:	9AFDE4832DF57753EB438AE3D182A410B294424854A4E52FD1088342C912C8163CE496D3200A0873906F94CFE4E3F9DEE3D20559B9F0900450BCD7C06072267A
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State~RF3788c.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44137
Entropy (8bit):	6.09072033289002
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4kkBMBwuF9hDO6vP6O+ztbzy70FqHoPFkGoup1Xl3jVu:z/Ps+wsI7ynEV6atbz8hu3VlXr4CRo1
MD5:	07D6936E1A20F9EBF21AC2932E0BED41
SHA1:	B68349C21F0DC298A75E1CCE0FCA775DB0629DE4
SHA-256:	394D2F2B1D8C4BD1BDDD41CA0CF4D631B3FAAC29C83D615833F5EC8D23A4C42E
SHA-512:	9AFDE4832DF57753EB438AE3D182A410B294424854A4E52FD1088342C912C8163CE496D3200A0873906F94CFE4E3F9DEE3D20559B9F0900450BCD7C06072267A
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State~RF37929.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44137
Entropy (8bit):	6.09072033289002
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4kkBMBwuF9hDO6vP6O+ztbzy70FqHoPFkGoup1Xl3jVu:z/Ps+wsI7ynEV6atbz8hu3VlXr4CRo1
MD5:	07D6936E1A20F9EBF21AC2932E0BED41
SHA1:	B68349C21F0DC298A75E1CCE0FCA775DB0629DE4
SHA-256:	394D2F2B1D8C4BD1BDDD41CA0CF4D631B3FAAC29C83D615833F5EC8D23A4C42E
SHA-512:	9AFDE4832DF57753EB438AE3D182A410B294424854A4E52FD1088342C912C8163CE496D3200A0873906F94CFE4E3F9DEE3D20559B9F0900450BCD7C06072267A
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State~RF37957.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44137
Entropy (8bit):	6.09072033289002
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4kkBMBwuF9hDO6vP6O+ztbzy70FqHoPFkGoup1Xl3jVu:z/Ps+wsI7ynEV6atbz8hu3VlXr4CRo1
MD5:	07D6936E1A20F9EBF21AC2932E0BED41
SHA1:	B68349C21F0DC298A75E1CCE0FCA775DB0629DE4
SHA-256:	394D2F2B1D8C4BD1BDDD41CA0CF4D631B3FAAC29C83D615833F5EC8D23A4C42E
SHA-512:	9AFDE4832DF57753EB438AE3D182A410B294424854A4E52FD1088342C912C8163CE496D3200A0873906F94CFE4E3F9DEE3D20559B9F0900450BCD7C06072267A
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\ShaderCache\data_1

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	modified
Size (bytes):	270336
Entropy (8bit):	0.0018238520723782249
Encrypted:	false
SSDEEP:	3:MsEllllkEthXllkl2zET:/M/xT02z8
MD5:	AC81EF9540AC3DDCC4546B82AC3801BD
SHA1:	1AC27855FABFA8AF62752DA91E2A6EADC815CBBC
SHA-256:	4A2C8BA05BE86A2182B9BCC9AEC916588CC9502F4F505CD79991AF8326EC11E4
SHA-512:	D27635D446F0AEA20E138F96BEDEDF118CCF0BC8560CB2E11AB0AACE9D320E989164E2971DAB20571A9B6D9A1B4A52CAAF78084D2141372D77516F52ABD222AB
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Variations

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	85
Entropy (8bit):	4.3488360343066725
Encrypted:	false
SSDEEP:	3:YQ3JYq9xSs0dMEJAELJ25AmIpozQw:YQ3Kq9X0dMgAEiLI2
MD5:	265DB1C9337422F9AF69EF2B4E1C7205
SHA1:	3E38976BB5CF035C75C9BC185F72A80E70F41C2E
SHA-256:	7CA5A3CCC077698CA62AC8157676814B3D8E93586364D0318987E37B4F8590BC
SHA-512:	3CC9B76D8D4B6EDB4C41677BE3483AC37785F3BBFEA4489F3855433EBF84EA25FC48EFEE9B74CAB268DC9CB7FB4789A81C94E75C7BF723721DE28AEF53D8B529
Malicious:	false
Preview:	{"user_experience_metrics.stability.exited_cleanly":true,"variations_crash_streak":2}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\b1ca2547-faae-4228-8321-ff4ca1714569.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44672
Entropy (8bit):	6.096048410978364
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4xkBUwuuhDO6vP6OaA6m4akSdcGoup1Xl3jVzXr4CCAg:z/Ps+wsI7yOEi66echu3VlXr4CRo1
MD5:	329CF2A13A318D0B60359EB545E32493
SHA1:	9FC35A114A92223B283F242C4BCC6350279C2F0A
SHA-256:	CCB8D50214D84AD828D3E2E7CEF2F08054DA28D5B75981B8849380845DE853C7
SHA-512:	8AC2C06BF18E652424EB228CDBAC67AB96E9E8F8C48F5311F23D9A69DCF6AB35C3B9ABA2625BA52515324226D79653402927F1091AE4F98B3C6582BCE0AB7121
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\d9ed7811-a1cf-476d-9e6f-df518fa97b8f.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44673
Entropy (8bit):	6.096048301961058
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4xkBUFuuhDO6vP6OaANm4akSdcGoup1Xl3jVzXr4CCAg:z/Ps+wsI7yOEH66Pchu3VlXr4CRo1
MD5:	F5A55437F84FA8AB50D5B65A87BA31EE
SHA1:	D83F7AD03E160D3661A4C08A931321CF0365610B
SHA-256:	5F0FA1492DEA61514F52DA8E4F7DD69C8DAE7151023A0C846034C85D052D4DEE
SHA-512:	1964E6B86AD0714DF437194794E4CAB4765E3669972C84605B9325322E07D1CE5493B286C3A2D218005FEF3EB65D7397AFCB9BB823C257C1387758C64846321C
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	2278
Entropy (8bit):	3.8482457393112863
Encrypted:	false
SSDEEP:	48:uiTrlKxrgxNBxl9Il8uxFdrl7husC2QHQuOXhJEAqPkgGMXLYV/d1rc:mE1YfhVvC2QHQ/xJEAqPkgHbGI
MD5:	C03B319900F4652E769A106BC49B340D
SHA1:	148D3DA1B90989E6CA818E203038B16DED784D16
SHA-256:	25DF129C3A2321C64482D1FAD56CDCF393D21022ECD854D8124F69464ED99B5D
SHA-512:	8F1AA3C821E1B6D7D46EE2C1C27012C4DBAB7005E086D00F924D24B6EB3C923454B680E9623175C38B2F114F46734FDB6A4B4D50F6F46C420674D101D27CC409
Malicious:	false
Preview:	{.".T.B.D.a.t.a.S.t.o.r.e.O.b.j.e.c.t.".:.{.".H.e.a.d.e.r.".:.{.".O.b.j.e.c.t.T.y.p.e.".:.".T.o.k.e.n.R.e.s.p.o.n.s.e.".,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.a.j.o.r.".:.2.,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.i.n.o.r.".:.1.}.,.".O.b.j.e.c.t.D.a.t.a.".:.{.".S.y.s.t.e.m.D.e.f.i.n.e.d.P.r.o.p.e.r.t.i.e.s.".:.{.".R.e.q.u.e.s.t.I.n.d.e.x.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".W.i.p.w.W.M.+.N.H.l.b.C.D.m.s.Z.p.8.S.O.s.j.h.t.F.B.s.=.".}.,.".E.x.p.i.r.a.t.i.o.n.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".A.C.5.6.G.6.L.+.2.g.E.=.".}.,.".S.t.a.t.u.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".A.A.A.A.A.A.=.=.".}.,.".R.e.s.p.o.n.s.e.B.y.t.e.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.t.r.u.e.,.".V.a.l.u.e.".:.".A.Q.A.A.A.N.C.M.n.d.8.B.F.d.E.R.j.H.o.A.w.E./.C.l.+.s.B.A.A.A.A.O.n.J.v.k.w.

C:\Users\user\AppData\Local\Microsoft\TokenBroker\Cache\cf7513a936f7effbb38627e56f8d1fce10eb12cc.tbres

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	4622
Entropy (8bit):	4.0000245084106
Encrypted:	false
SSDEEP:	96:JYFVynA0fPrmIZ4iVb1BCJYOyhGPM54anaFL53w:JhnLPrmIZ9VbGyhXWanaFL53w
MD5:	EEF7C7C33124FAEB6CB4D47C79C80C35
SHA1:	592560B7F25DF35110C7D9E51C6A154B8FAB9326
SHA-256:	A6BEC91730845EA5D96DB7ED7403DA4041A1291504BE6D1E31979258C2A24B26
SHA-512:	B2CF867F03F4EC0A5EFD24FFDFD76124ED9A9D8EC531F983C41923698900BDEB2EC808D799E932EC96A56481A39BCBB32765975E38C3A184525CB7C594C9D3C8
Malicious:	false
Preview:	{.".T.B.D.a.t.a.S.t.o.r.e.O.b.j.e.c.t.".:.{.".H.e.a.d.e.r.".:.{.".O.b.j.e.c.t.T.y.p.e.".:.".T.o.k.e.n.R.e.s.p.o.n.s.e.".,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.a.j.o.r.".:.2.,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.i.n.o.r.".:.1.}.,.".O.b.j.e.c.t.D.a.t.a.".:.{.".S.y.s.t.e.m.D.e.f.i.n.e.d.P.r.o.p.e.r.t.i.e.s.".:.{.".R.e.q.u.e.s.t.I.n.d.e.x.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".z.3.U.T.q.T.b.3.7./.u.z.h.i.f.l.b.4.0.f.z.h.D.r.E.s.w.=.".}.,.".E.x.p.i.r.a.t.i.o.n.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".F.f.K.r.A.Z.r.+.2.g.E.=.".}.,.".S.t.a.t.u.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".A.w.A.A.A.A.=.=.".}.,.".R.e.s.p.o.n.s.e.B.y.t.e.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.t.r.u.e.,.".V.a.l.u.e.".:.".A.Q.A.A.A.N.C.M.n.d.8.B.F.d.E.R.j.H.o.A.w.E./.C.l.+.s.B.A.A.A.A.O.n.J.v.k.w.

C:\Users\user\AppData\Local\Temp\cv_debug.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1995
Entropy (8bit):	5.403736083137852
Encrypted:	false
SSDEEP:	48:Yzj57SnaJ57H57Uv5W1Sj5W175zuR5z+5zn071eDJk5c1903bj5jJp0gcU854Rrk:8e2Fa116uCntc5toYi8M
MD5:	1D0682EF877BAAD6BBF53428661DC2CF
SHA1:	FEDEB9CB863D8FA70A02CC71F1749D3B652BF2AF
SHA-256:	988C7F4511DFDACE811828553C7BB0470E55524C6181904534284BB8ECD8B542
SHA-512:	A8954E78A522828299C549EA491F4A7CC6EDCD8858BABE22EF1C0F4A8BF63EFFAD3ABEE4C7D71919CDFE8726A65182EFA651469088692883B983A95975FAA307
Malicious:	false
Preview:	{"logTime": "1004/133448", "correlationVector":"vYS73lRT+EoO2Owh9jsc+Y","action":"EXTENSION_UPDATER", "result":""}.{"logTime": "1004/133448", "correlationVector":"n/KhuHPhHmYXokB31+JZz7","action":"EXTENSION_UPDATER", "result":""}.{"logTime": "1004/133448", "correlationVector":"fclQx26bUZO07waFEDe6Fn","action":"EXTENSION_UPDATER", "result":""}.{"logTime": "1004/133448", "correlationVector":"0757l0tkKt37vNrdCKAm8w","action":"EXTENSION_UPDATER", "result":""}.{"logTime": "1004/133449", "correlationVector":"uTRRkmbbqkgK/wPBCS4fct","action":"EXTENSION_UPDATER", "result":""}.{"logTime": "1004/133449", "correlationVector":"2DrXipL1ngF91RN7IemK0e","action":"EXTENSION_UPDATER", "result":""}.{"logTime": "1004/134324", "correlationVector":"d0GyjEgnW85fvDIojHVIXI","action":"EXTENSION_UPDATER", "result":""}.{"logTime": "1004/134324", "correlationVector":"PvfzGWRutB/kmuXUK+c8XA","action":"EXTENSION_UPDATER", "result":""}.{"logTime": "1004/134324", "correlationVector":"29CB75FBC4C942E0817A1F7A0E2CF647

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\875a60a09683c344.customDestinations-ms (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	3888
Entropy (8bit):	3.517802139356876
Encrypted:	false
SSDEEP:	48:EEJidOLN+QsJ9rKzBdLXuHPkDpa2AWWedOLYQsJ9rKzngdLXuHPk+21:Fv3uvkDtXonIuvkz
MD5:	0EBA16FA7CC18D12F14740BFE399A81F
SHA1:	9D50CA405A1FF868AD129270D1DEFA0752AA5056
SHA-256:	8D535CBC3279F454BDED7281B2899B69B0570C0F836AB368C69220CAB87595C8
SHA-512:	F652743228D80E1FEDF4E086205E6AD9CCC19F1EFAB68BF244D6583D57B9774CB093C21A0A274E291840F41B33D659E0B0256711F02DCB94CD1C07F5ADAC95B7
Malicious:	false
Preview:	...................................FL..................F.@.. .....\|.K..........?......(>@.....................1....P.O. .:i.....+00.../C:\.....................1.....DW.r..PROGRA~2.........O.IDW.r....................V.........P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....\.1.....DW.r..MICROS~1..D......(Ux.$Y{9..........................R.0.M.i.c.r.o.s.o.f.t.....N.1.....CWaa0.Edge..:.......S8.DWUl...........................s..E.d.g.e.....`.1.....CWaa0.APPLIC~1..H.......S8.$Y{9..............................A.p.p.l.i.c.a.t.i.o.n.....`.2.(>@.=W2b .msedge.exe..F.......S8.$Y{9....u.......................q.m.s.e.d.g.e...e.x.e.......k...............-.......j.............J<.....C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe..<.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.M.i.c.r.o.s.o.f.t.\.E.d.g.e.\.A.p.p.l.i.c.a.t.i.o.n.\.m.s.e.d.g.e...e.x.e.........%ProgramFiles(x86)%\Microsoft\Edge\Application\msedge.exe...............................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\AW2B8AG5PQLXV9PVSHQR.temp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	3888
Entropy (8bit):	3.5148347414622236
Encrypted:	false
SSDEEP:	48:EEWWedOLYQsJ9rKzBdLXuHPkDpa2AWWedOLYQsJ9rKzngdLXuHPk+21:4o3uvkDtXonIuvkz
MD5:	DB94080D49D1AB5D3D909FA932B91A58
SHA1:	9FDF94B2A5261FB53D0BB57981236409C1628F7B
SHA-256:	1470D2778D3CFAE8C3D4D6C2AE9C1C4350A365F43EAA788AAE2446530CBCC260
SHA-512:	103F8D13E23D789C5AF23039D21536506721707AA7B50B3E340FD7F01F70965F8D6082A30CFF56A14047DD2C873ABFDD1D6D6FDB7B428A5D0A858DCE58B56CB0
Malicious:	false
Preview:	...................................FL..................F.@.. .....\|.K..........?......(>@.....................1....P.O. .:i.....+00.../C:\.....................1.....$Yx9..PROGRA~2.........O.I$Yx9....................V.......M.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....\.1.....DW.r..MICROS~1..D......(Ux.$Y{9..........................R.0.M.i.c.r.o.s.o.f.t.....N.1.....CWaa0.Edge..:.......S8.$Y.9...........................s..E.d.g.e.....`.1.....CWaa0.APPLIC~1..H.......S8.$Y{9..............................A.p.p.l.i.c.a.t.i.o.n.....`.2.(>@.=W2b .msedge.exe..F.......S8.$Y{9....u.......................q.m.s.e.d.g.e...e.x.e.......k...............-.......j.............J<.....C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe..<.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.M.i.c.r.o.s.o.f.t.\.E.d.g.e.\.A.p.p.l.i.c.a.t.i.o.n.\.m.s.e.d.g.e...e.x.e.........%ProgramFiles(x86)%\Microsoft\Edge\Application\msedge.exe...............................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ZR8MD99WMVOK45OJI60H.temp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	3888
Entropy (8bit):	3.517802139356876
Encrypted:	false
SSDEEP:	48:EEJidOLN+QsJ9rKzBdLXuHPkDpa2AWWedOLYQsJ9rKzngdLXuHPk+21:Fv3uvkDtXonIuvkz
MD5:	0EBA16FA7CC18D12F14740BFE399A81F
SHA1:	9D50CA405A1FF868AD129270D1DEFA0752AA5056
SHA-256:	8D535CBC3279F454BDED7281B2899B69B0570C0F836AB368C69220CAB87595C8
SHA-512:	F652743228D80E1FEDF4E086205E6AD9CCC19F1EFAB68BF244D6583D57B9774CB093C21A0A274E291840F41B33D659E0B0256711F02DCB94CD1C07F5ADAC95B7
Malicious:	false
Preview:	...................................FL..................F.@.. .....\|.K..........?......(>@.....................1....P.O. .:i.....+00.../C:\.....................1.....DW.r..PROGRA~2.........O.IDW.r....................V.........P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....\.1.....DW.r..MICROS~1..D......(Ux.$Y{9..........................R.0.M.i.c.r.o.s.o.f.t.....N.1.....CWaa0.Edge..:.......S8.DWUl...........................s..E.d.g.e.....`.1.....CWaa0.APPLIC~1..H.......S8.$Y{9..............................A.p.p.l.i.c.a.t.i.o.n.....`.2.(>@.=W2b .msedge.exe..F.......S8.$Y{9....u.......................q.m.s.e.d.g.e...e.x.e.......k...............-.......j.............J<.....C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe..<.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.M.i.c.r.o.s.o.f.t.\.E.d.g.e.\.A.p.p.l.i.c.a.t.i.o.n.\.m.s.e.d.g.e...e.x.e.........%ProgramFiles(x86)%\Microsoft\Edge\Application\msedge.exe...............................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	3888
Entropy (8bit):	3.5148347414622236
Encrypted:	false
SSDEEP:	48:EEWWedOLYQsJ9rKzBdLXuHPkDpa2AWWedOLYQsJ9rKzngdLXuHPk+21:4o3uvkDtXonIuvkz
MD5:	DB94080D49D1AB5D3D909FA932B91A58
SHA1:	9FDF94B2A5261FB53D0BB57981236409C1628F7B
SHA-256:	1470D2778D3CFAE8C3D4D6C2AE9C1C4350A365F43EAA788AAE2446530CBCC260
SHA-512:	103F8D13E23D789C5AF23039D21536506721707AA7B50B3E340FD7F01F70965F8D6082A30CFF56A14047DD2C873ABFDD1D6D6FDB7B428A5D0A858DCE58B56CB0
Malicious:	false
Preview:	...................................FL..................F.@.. .....\|.K..........?......(>@.....................1....P.O. .:i.....+00.../C:\.....................1.....$Yx9..PROGRA~2.........O.I$Yx9....................V.......M.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....\.1.....DW.r..MICROS~1..D......(Ux.$Y{9..........................R.0.M.i.c.r.o.s.o.f.t.....N.1.....CWaa0.Edge..:.......S8.$Y.9...........................s..E.d.g.e.....`.1.....CWaa0.APPLIC~1..H.......S8.$Y{9..............................A.p.p.l.i.c.a.t.i.o.n.....`.2.(>@.=W2b .msedge.exe..F.......S8.$Y{9....u.......................q.m.s.e.d.g.e...e.x.e.......k...............-.......j.............J<.....C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe..<.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.M.i.c.r.o.s.o.f.t.\.E.d.g.e.\.A.p.p.l.i.c.a.t.i.o.n.\.m.s.e.d.g.e...e.x.e.........%ProgramFiles(x86)%\Microsoft\Edge\Application\msedge.exe...............................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.579769611916174
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	917'504 bytes
MD5:	a7b043cd523abc9ddb4756a6c633b5ca
SHA1:	fc3e8ed8f07dac430b1444b9f9da93b2a14c2383
SHA256:	0c7c457fccc4d44e2a4b827e7c85e0c8af5ad3b5569fc30f775acc3b7662af4a
SHA512:	8789e85f9916e324961b883d4e1c1c1b0bc1f3704dc6b83d44791d6423e8ed0e6d39f00371c5c375163dc4ecbee90f266f6951bae4cec48e04d401a961bb50ac
SSDEEP:	12288:OqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDgacTR:OqDEvCTbMWu7rQYlBQcBiT6rprG8asR
TLSH:	06159E0273D1C062FFAB92334B5AF6515BBC69260123E61F13981DB9BE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x66D80202 [Wed Sep 4 06:45:22 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007F4E04CB0053h
jmp 00007F4E04CAF95Fh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F4E04CAFB3Dh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F4E04CAFB0Ah
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007F4E04CB26FDh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007F4E04CB2748h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007F4E04CB2731h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x95c8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xde000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x95c8	0x9600	d6cdaa5b89042b78cf646e714b7240bf	False	0.2870052083333333	data	5.165267404499032	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xde000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0x890	data			1.0050182481751824
RT_GROUP_ICON	0xdd048	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xdd0c0	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xdd0d4	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xdd0e8	0x14	data	English	Great Britain	1.25
RT_VERSION	0xdd0fc	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xdd1d8	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 4, 2024 09:11:50.231890917 CEST	49674	443	192.168.2.5	23.1.237.91
Sep 4, 2024 09:11:50.231894016 CEST	49675	443	192.168.2.5	23.1.237.91
Sep 4, 2024 09:11:50.325579882 CEST	49673	443	192.168.2.5	23.1.237.91
Sep 4, 2024 09:11:59.894691944 CEST	49674	443	192.168.2.5	23.1.237.91
Sep 4, 2024 09:11:59.984240055 CEST	49675	443	192.168.2.5	23.1.237.91
Sep 4, 2024 09:11:59.984247923 CEST	49673	443	192.168.2.5	23.1.237.91
Sep 4, 2024 09:12:00.089862108 CEST	49721	443	192.168.2.5	13.107.253.72
Sep 4, 2024 09:12:00.089881897 CEST	443	49721	13.107.253.72	192.168.2.5
Sep 4, 2024 09:12:00.089940071 CEST	49721	443	192.168.2.5	13.107.253.72
Sep 4, 2024 09:12:00.090040922 CEST	49722	443	192.168.2.5	13.107.253.72
Sep 4, 2024 09:12:00.090048075 CEST	443	49722	13.107.253.72	192.168.2.5
Sep 4, 2024 09:12:00.090094090 CEST	49722	443	192.168.2.5	13.107.253.72
Sep 4, 2024 09:12:00.090255022 CEST	49721	443	192.168.2.5	13.107.253.72
Sep 4, 2024 09:12:00.090265989 CEST	443	49721	13.107.253.72	192.168.2.5
Sep 4, 2024 09:12:00.090380907 CEST	49722	443	192.168.2.5	13.107.253.72
Sep 4, 2024 09:12:00.090390921 CEST	443	49722	13.107.253.72	192.168.2.5
Sep 4, 2024 09:12:00.745726109 CEST	443	49722	13.107.253.72	192.168.2.5
Sep 4, 2024 09:12:00.745980978 CEST	49722	443	192.168.2.5	13.107.253.72
Sep 4, 2024 09:12:00.746002913 CEST	443	49722	13.107.253.72	192.168.2.5
Sep 4, 2024 09:12:00.747024059 CEST	443	49722	13.107.253.72	192.168.2.5
Sep 4, 2024 09:12:00.747078896 CEST	49722	443	192.168.2.5	13.107.253.72
Sep 4, 2024 09:12:00.748332024 CEST	49722	443	192.168.2.5	13.107.253.72
Sep 4, 2024 09:12:00.748394012 CEST	443	49722	13.107.253.72	192.168.2.5
Sep 4, 2024 09:12:00.748526096 CEST	49722	443	192.168.2.5	13.107.253.72
Sep 4, 2024 09:12:00.767838001 CEST	443	49721	13.107.253.72	192.168.2.5
Sep 4, 2024 09:12:00.768039942 CEST	49721	443	192.168.2.5	13.107.253.72
Sep 4, 2024 09:12:00.768049002 CEST	443	49721	13.107.253.72	192.168.2.5
Sep 4, 2024 09:12:00.769253969 CEST	443	49721	13.107.253.72	192.168.2.5
Sep 4, 2024 09:12:00.769319057 CEST	49721	443	192.168.2.5	13.107.253.72
Sep 4, 2024 09:12:00.769715071 CEST	49721	443	192.168.2.5	13.107.253.72
Sep 4, 2024 09:12:00.769776106 CEST	443	49721	13.107.253.72	192.168.2.5
Sep 4, 2024 09:12:00.769856930 CEST	49721	443	192.168.2.5	13.107.253.72
Sep 4, 2024 09:12:00.769862890 CEST	443	49721	13.107.253.72	192.168.2.5
Sep 4, 2024 09:12:00.792498112 CEST	443	49722	13.107.253.72	192.168.2.5
Sep 4, 2024 09:12:00.814311981 CEST	49721	443	192.168.2.5	13.107.253.72
Sep 4, 2024 09:12:00.861965895 CEST	49722	443	192.168.2.5	13.107.253.72
Sep 4, 2024 09:12:00.861972094 CEST	443	49722	13.107.253.72	192.168.2.5
Sep 4, 2024 09:12:00.870160103 CEST	443	49722	13.107.253.72	192.168.2.5
Sep 4, 2024 09:12:00.870170116 CEST	443	49722	13.107.253.72	192.168.2.5
Sep 4, 2024 09:12:00.870203018 CEST	443	49722	13.107.253.72	192.168.2.5
Sep 4, 2024 09:12:00.870218039 CEST	49722	443	192.168.2.5	13.107.253.72
Sep 4, 2024 09:12:00.870223045 CEST	443	49722	13.107.253.72	192.168.2.5
Sep 4, 2024 09:12:00.870232105 CEST	443	49722	13.107.253.72	192.168.2.5
Sep 4, 2024 09:12:00.870244980 CEST	443	49722	13.107.253.72	192.168.2.5
Sep 4, 2024 09:12:00.870260000 CEST	49722	443	192.168.2.5	13.107.253.72
Sep 4, 2024 09:12:00.870270967 CEST	49722	443	192.168.2.5	13.107.253.72
Sep 4, 2024 09:12:00.870275021 CEST	443	49722	13.107.253.72	192.168.2.5
Sep 4, 2024 09:12:00.870296955 CEST	49722	443	192.168.2.5	13.107.253.72
Sep 4, 2024 09:12:00.883177042 CEST	443	49721	13.107.253.72	192.168.2.5
Sep 4, 2024 09:12:00.883207083 CEST	443	49721	13.107.253.72	192.168.2.5
Sep 4, 2024 09:12:00.883215904 CEST	443	49721	13.107.253.72	192.168.2.5
Sep 4, 2024 09:12:00.883232117 CEST	443	49721	13.107.253.72	192.168.2.5
Sep 4, 2024 09:12:00.883275986 CEST	443	49721	13.107.253.72	192.168.2.5
Sep 4, 2024 09:12:00.883276939 CEST	49721	443	192.168.2.5	13.107.253.72
Sep 4, 2024 09:12:00.883373976 CEST	49721	443	192.168.2.5	13.107.253.72
Sep 4, 2024 09:12:00.884804010 CEST	49721	443	192.168.2.5	13.107.253.72
Sep 4, 2024 09:12:00.884819031 CEST	443	49721	13.107.253.72	192.168.2.5
Sep 4, 2024 09:12:00.951462030 CEST	443	49722	13.107.253.72	192.168.2.5
Sep 4, 2024 09:12:00.951502085 CEST	443	49722	13.107.253.72	192.168.2.5
Sep 4, 2024 09:12:00.951513052 CEST	443	49722	13.107.253.72	192.168.2.5
Sep 4, 2024 09:12:00.951524019 CEST	49722	443	192.168.2.5	13.107.253.72
Sep 4, 2024 09:12:00.951534986 CEST	443	49722	13.107.253.72	192.168.2.5
Sep 4, 2024 09:12:00.951560974 CEST	49722	443	192.168.2.5	13.107.253.72
Sep 4, 2024 09:12:00.951565027 CEST	443	49722	13.107.253.72	192.168.2.5
Sep 4, 2024 09:12:00.951586962 CEST	49722	443	192.168.2.5	13.107.253.72
Sep 4, 2024 09:12:00.957134008 CEST	443	49722	13.107.253.72	192.168.2.5
Sep 4, 2024 09:12:00.957140923 CEST	443	49722	13.107.253.72	192.168.2.5
Sep 4, 2024 09:12:00.957150936 CEST	443	49722	13.107.253.72	192.168.2.5
Sep 4, 2024 09:12:00.957171917 CEST	443	49722	13.107.253.72	192.168.2.5
Sep 4, 2024 09:12:00.957204103 CEST	49722	443	192.168.2.5	13.107.253.72
Sep 4, 2024 09:12:00.957215071 CEST	443	49722	13.107.253.72	192.168.2.5
Sep 4, 2024 09:12:00.957245111 CEST	49722	443	192.168.2.5	13.107.253.72
Sep 4, 2024 09:12:01.037802935 CEST	443	49722	13.107.253.72	192.168.2.5
Sep 4, 2024 09:12:01.037837982 CEST	443	49722	13.107.253.72	192.168.2.5
Sep 4, 2024 09:12:01.037847042 CEST	443	49722	13.107.253.72	192.168.2.5
Sep 4, 2024 09:12:01.037854910 CEST	49722	443	192.168.2.5	13.107.253.72
Sep 4, 2024 09:12:01.037868977 CEST	443	49722	13.107.253.72	192.168.2.5
Sep 4, 2024 09:12:01.037888050 CEST	49722	443	192.168.2.5	13.107.253.72
Sep 4, 2024 09:12:01.037892103 CEST	443	49722	13.107.253.72	192.168.2.5
Sep 4, 2024 09:12:01.037906885 CEST	49722	443	192.168.2.5	13.107.253.72
Sep 4, 2024 09:12:01.038213015 CEST	443	49722	13.107.253.72	192.168.2.5
Sep 4, 2024 09:12:01.038259983 CEST	49722	443	192.168.2.5	13.107.253.72
Sep 4, 2024 09:12:01.038268089 CEST	443	49722	13.107.253.72	192.168.2.5
Sep 4, 2024 09:12:01.038294077 CEST	443	49722	13.107.253.72	192.168.2.5
Sep 4, 2024 09:12:01.038342953 CEST	49722	443	192.168.2.5	13.107.253.72
Sep 4, 2024 09:12:01.073952913 CEST	49722	443	192.168.2.5	13.107.253.72
Sep 4, 2024 09:12:01.073965073 CEST	443	49722	13.107.253.72	192.168.2.5
Sep 4, 2024 09:12:01.567233086 CEST	443	49703	23.1.237.91	192.168.2.5
Sep 4, 2024 09:12:01.567318916 CEST	49703	443	192.168.2.5	23.1.237.91
Sep 4, 2024 09:12:02.121671915 CEST	49728	443	192.168.2.5	172.64.41.3
Sep 4, 2024 09:12:02.121730089 CEST	443	49728	172.64.41.3	192.168.2.5
Sep 4, 2024 09:12:02.121786118 CEST	49728	443	192.168.2.5	172.64.41.3
Sep 4, 2024 09:12:02.122122049 CEST	49729	443	192.168.2.5	172.64.41.3
Sep 4, 2024 09:12:02.122162104 CEST	443	49729	172.64.41.3	192.168.2.5
Sep 4, 2024 09:12:02.122392893 CEST	49729	443	192.168.2.5	172.64.41.3
Sep 4, 2024 09:12:02.122436047 CEST	49730	443	192.168.2.5	172.64.41.3
Sep 4, 2024 09:12:02.122443914 CEST	443	49730	172.64.41.3	192.168.2.5
Sep 4, 2024 09:12:02.122488976 CEST	49730	443	192.168.2.5	172.64.41.3
Sep 4, 2024 09:12:02.122756958 CEST	49728	443	192.168.2.5	172.64.41.3
Sep 4, 2024 09:12:02.122771978 CEST	443	49728	172.64.41.3	192.168.2.5
Sep 4, 2024 09:12:02.123047113 CEST	49731	443	192.168.2.5	162.159.61.3
Sep 4, 2024 09:12:02.123053074 CEST	443	49731	162.159.61.3	192.168.2.5
Sep 4, 2024 09:12:02.123101950 CEST	49731	443	192.168.2.5	162.159.61.3
Sep 4, 2024 09:12:02.123210907 CEST	49729	443	192.168.2.5	172.64.41.3
Sep 4, 2024 09:12:02.123228073 CEST	443	49729	172.64.41.3	192.168.2.5
Sep 4, 2024 09:12:02.123352051 CEST	49730	443	192.168.2.5	172.64.41.3
Sep 4, 2024 09:12:02.123363018 CEST	443	49730	172.64.41.3	192.168.2.5
Sep 4, 2024 09:12:02.123457909 CEST	49731	443	192.168.2.5	162.159.61.3
Sep 4, 2024 09:12:02.123470068 CEST	443	49731	162.159.61.3	192.168.2.5
Sep 4, 2024 09:12:02.182869911 CEST	49732	443	192.168.2.5	172.64.41.3
Sep 4, 2024 09:12:02.182888031 CEST	443	49732	172.64.41.3	192.168.2.5
Sep 4, 2024 09:12:02.183027029 CEST	49732	443	192.168.2.5	172.64.41.3
Sep 4, 2024 09:12:02.183816910 CEST	49732	443	192.168.2.5	172.64.41.3
Sep 4, 2024 09:12:02.183829069 CEST	443	49732	172.64.41.3	192.168.2.5
Sep 4, 2024 09:12:02.399444103 CEST	49733	443	192.168.2.5	184.28.90.27
Sep 4, 2024 09:12:02.399462938 CEST	443	49733	184.28.90.27	192.168.2.5
Sep 4, 2024 09:12:02.399710894 CEST	49733	443	192.168.2.5	184.28.90.27
Sep 4, 2024 09:12:02.401369095 CEST	49733	443	192.168.2.5	184.28.90.27
Sep 4, 2024 09:12:02.401381969 CEST	443	49733	184.28.90.27	192.168.2.5
Sep 4, 2024 09:12:02.681417942 CEST	443	49729	172.64.41.3	192.168.2.5
Sep 4, 2024 09:12:02.681643009 CEST	443	49728	172.64.41.3	192.168.2.5
Sep 4, 2024 09:12:02.681699991 CEST	49729	443	192.168.2.5	172.64.41.3
Sep 4, 2024 09:12:02.681720018 CEST	443	49729	172.64.41.3	192.168.2.5
Sep 4, 2024 09:12:02.681915998 CEST	443	49731	162.159.61.3	192.168.2.5
Sep 4, 2024 09:12:02.681952000 CEST	49728	443	192.168.2.5	172.64.41.3
Sep 4, 2024 09:12:02.681972027 CEST	443	49728	172.64.41.3	192.168.2.5
Sep 4, 2024 09:12:02.682320118 CEST	49731	443	192.168.2.5	162.159.61.3
Sep 4, 2024 09:12:02.682327986 CEST	443	49731	162.159.61.3	192.168.2.5
Sep 4, 2024 09:12:02.682483912 CEST	443	49730	172.64.41.3	192.168.2.5
Sep 4, 2024 09:12:02.682540894 CEST	443	49732	172.64.41.3	192.168.2.5
Sep 4, 2024 09:12:02.682703972 CEST	443	49729	172.64.41.3	192.168.2.5
Sep 4, 2024 09:12:02.682728052 CEST	49730	443	192.168.2.5	172.64.41.3
Sep 4, 2024 09:12:02.682737112 CEST	443	49730	172.64.41.3	192.168.2.5
Sep 4, 2024 09:12:02.682756901 CEST	49729	443	192.168.2.5	172.64.41.3
Sep 4, 2024 09:12:02.682887077 CEST	443	49728	172.64.41.3	192.168.2.5
Sep 4, 2024 09:12:02.682910919 CEST	49732	443	192.168.2.5	172.64.41.3
Sep 4, 2024 09:12:02.682919979 CEST	443	49732	172.64.41.3	192.168.2.5
Sep 4, 2024 09:12:02.682949066 CEST	49728	443	192.168.2.5	172.64.41.3
Sep 4, 2024 09:12:02.683191061 CEST	443	49731	162.159.61.3	192.168.2.5
Sep 4, 2024 09:12:02.683284044 CEST	49731	443	192.168.2.5	162.159.61.3
Sep 4, 2024 09:12:02.683609009 CEST	443	49730	172.64.41.3	192.168.2.5
Sep 4, 2024 09:12:02.683744907 CEST	49730	443	192.168.2.5	172.64.41.3
Sep 4, 2024 09:12:02.683944941 CEST	443	49732	172.64.41.3	192.168.2.5
Sep 4, 2024 09:12:02.684022903 CEST	49732	443	192.168.2.5	172.64.41.3
Sep 4, 2024 09:12:02.684323072 CEST	49729	443	192.168.2.5	172.64.41.3
Sep 4, 2024 09:12:02.684382915 CEST	443	49729	172.64.41.3	192.168.2.5
Sep 4, 2024 09:12:02.686027050 CEST	49728	443	192.168.2.5	172.64.41.3
Sep 4, 2024 09:12:02.686095953 CEST	443	49728	172.64.41.3	192.168.2.5
Sep 4, 2024 09:12:02.687834024 CEST	49731	443	192.168.2.5	162.159.61.3
Sep 4, 2024 09:12:02.687834024 CEST	49729	443	192.168.2.5	172.64.41.3
Sep 4, 2024 09:12:02.687846899 CEST	443	49729	172.64.41.3	192.168.2.5
Sep 4, 2024 09:12:02.687942982 CEST	443	49731	162.159.61.3	192.168.2.5
Sep 4, 2024 09:12:02.688028097 CEST	49730	443	192.168.2.5	172.64.41.3
Sep 4, 2024 09:12:02.688128948 CEST	443	49730	172.64.41.3	192.168.2.5
Sep 4, 2024 09:12:02.688159943 CEST	49728	443	192.168.2.5	172.64.41.3
Sep 4, 2024 09:12:02.688168049 CEST	443	49728	172.64.41.3	192.168.2.5
Sep 4, 2024 09:12:02.688193083 CEST	49732	443	192.168.2.5	172.64.41.3
Sep 4, 2024 09:12:02.688254118 CEST	443	49732	172.64.41.3	192.168.2.5
Sep 4, 2024 09:12:02.688538074 CEST	49730	443	192.168.2.5	172.64.41.3
Sep 4, 2024 09:12:02.688538074 CEST	49731	443	192.168.2.5	162.159.61.3
Sep 4, 2024 09:12:02.688546896 CEST	443	49730	172.64.41.3	192.168.2.5
Sep 4, 2024 09:12:02.688563108 CEST	443	49731	162.159.61.3	192.168.2.5
Sep 4, 2024 09:12:02.688815117 CEST	49732	443	192.168.2.5	172.64.41.3
Sep 4, 2024 09:12:02.688827991 CEST	443	49732	172.64.41.3	192.168.2.5
Sep 4, 2024 09:12:02.736768007 CEST	49729	443	192.168.2.5	172.64.41.3
Sep 4, 2024 09:12:02.736768007 CEST	49731	443	192.168.2.5	162.159.61.3
Sep 4, 2024 09:12:02.736797094 CEST	49730	443	192.168.2.5	172.64.41.3
Sep 4, 2024 09:12:02.736797094 CEST	49732	443	192.168.2.5	172.64.41.3
Sep 4, 2024 09:12:02.736799955 CEST	49728	443	192.168.2.5	172.64.41.3
Sep 4, 2024 09:12:02.795238972 CEST	443	49732	172.64.41.3	192.168.2.5
Sep 4, 2024 09:12:02.795304060 CEST	443	49732	172.64.41.3	192.168.2.5
Sep 4, 2024 09:12:02.795583010 CEST	49732	443	192.168.2.5	172.64.41.3
Sep 4, 2024 09:12:02.795583010 CEST	49732	443	192.168.2.5	172.64.41.3
Sep 4, 2024 09:12:02.803791046 CEST	443	49729	172.64.41.3	192.168.2.5
Sep 4, 2024 09:12:02.803859949 CEST	443	49729	172.64.41.3	192.168.2.5
Sep 4, 2024 09:12:02.803926945 CEST	49729	443	192.168.2.5	172.64.41.3
Sep 4, 2024 09:12:02.804562092 CEST	49729	443	192.168.2.5	172.64.41.3
Sep 4, 2024 09:12:02.804580927 CEST	443	49729	172.64.41.3	192.168.2.5
Sep 4, 2024 09:12:02.807491064 CEST	443	49728	172.64.41.3	192.168.2.5
Sep 4, 2024 09:12:02.807552099 CEST	443	49728	172.64.41.3	192.168.2.5
Sep 4, 2024 09:12:02.807687998 CEST	49728	443	192.168.2.5	172.64.41.3
Sep 4, 2024 09:12:02.808182001 CEST	49728	443	192.168.2.5	172.64.41.3
Sep 4, 2024 09:12:02.808193922 CEST	443	49728	172.64.41.3	192.168.2.5
Sep 4, 2024 09:12:02.809684992 CEST	443	49731	162.159.61.3	192.168.2.5
Sep 4, 2024 09:12:02.809751987 CEST	443	49731	162.159.61.3	192.168.2.5
Sep 4, 2024 09:12:02.810008049 CEST	49731	443	192.168.2.5	162.159.61.3
Sep 4, 2024 09:12:02.810034990 CEST	49731	443	192.168.2.5	162.159.61.3
Sep 4, 2024 09:12:02.810041904 CEST	443	49731	162.159.61.3	192.168.2.5
Sep 4, 2024 09:12:02.818451881 CEST	443	49730	172.64.41.3	192.168.2.5
Sep 4, 2024 09:12:02.818511963 CEST	443	49730	172.64.41.3	192.168.2.5
Sep 4, 2024 09:12:02.818583965 CEST	49730	443	192.168.2.5	172.64.41.3
Sep 4, 2024 09:12:02.822885036 CEST	49730	443	192.168.2.5	172.64.41.3
Sep 4, 2024 09:12:02.822900057 CEST	443	49730	172.64.41.3	192.168.2.5
Sep 4, 2024 09:12:03.054330111 CEST	443	49733	184.28.90.27	192.168.2.5
Sep 4, 2024 09:12:03.054411888 CEST	49733	443	192.168.2.5	184.28.90.27
Sep 4, 2024 09:12:03.057666063 CEST	49733	443	192.168.2.5	184.28.90.27
Sep 4, 2024 09:12:03.057671070 CEST	443	49733	184.28.90.27	192.168.2.5
Sep 4, 2024 09:12:03.057889938 CEST	443	49733	184.28.90.27	192.168.2.5
Sep 4, 2024 09:12:03.098316908 CEST	49732	443	192.168.2.5	172.64.41.3
Sep 4, 2024 09:12:03.098334074 CEST	443	49732	172.64.41.3	192.168.2.5
Sep 4, 2024 09:12:03.099520922 CEST	49733	443	192.168.2.5	184.28.90.27
Sep 4, 2024 09:12:03.140508890 CEST	443	49733	184.28.90.27	192.168.2.5
Sep 4, 2024 09:12:03.334172010 CEST	443	49733	184.28.90.27	192.168.2.5
Sep 4, 2024 09:12:03.334219933 CEST	443	49733	184.28.90.27	192.168.2.5
Sep 4, 2024 09:12:03.334316015 CEST	49733	443	192.168.2.5	184.28.90.27
Sep 4, 2024 09:12:03.334566116 CEST	49733	443	192.168.2.5	184.28.90.27
Sep 4, 2024 09:12:03.334573984 CEST	443	49733	184.28.90.27	192.168.2.5
Sep 4, 2024 09:12:03.334602118 CEST	49733	443	192.168.2.5	184.28.90.27
Sep 4, 2024 09:12:03.334605932 CEST	443	49733	184.28.90.27	192.168.2.5
Sep 4, 2024 09:12:03.369364977 CEST	49734	443	192.168.2.5	184.28.90.27
Sep 4, 2024 09:12:03.369389057 CEST	443	49734	184.28.90.27	192.168.2.5
Sep 4, 2024 09:12:03.369499922 CEST	49734	443	192.168.2.5	184.28.90.27
Sep 4, 2024 09:12:03.369910002 CEST	49734	443	192.168.2.5	184.28.90.27
Sep 4, 2024 09:12:03.369925022 CEST	443	49734	184.28.90.27	192.168.2.5
Sep 4, 2024 09:12:03.542742968 CEST	49735	443	192.168.2.5	172.64.41.3
Sep 4, 2024 09:12:03.542788982 CEST	443	49735	172.64.41.3	192.168.2.5
Sep 4, 2024 09:12:03.542854071 CEST	49735	443	192.168.2.5	172.64.41.3
Sep 4, 2024 09:12:03.543100119 CEST	49736	443	192.168.2.5	172.64.41.3
Sep 4, 2024 09:12:03.543113947 CEST	443	49736	172.64.41.3	192.168.2.5
Sep 4, 2024 09:12:03.546317101 CEST	49735	443	192.168.2.5	172.64.41.3
Sep 4, 2024 09:12:03.546331882 CEST	443	49735	172.64.41.3	192.168.2.5
Sep 4, 2024 09:12:03.546674013 CEST	49736	443	192.168.2.5	172.64.41.3
Sep 4, 2024 09:12:03.546962976 CEST	49736	443	192.168.2.5	172.64.41.3
Sep 4, 2024 09:12:03.546974897 CEST	443	49736	172.64.41.3	192.168.2.5
Sep 4, 2024 09:12:04.005425930 CEST	443	49736	172.64.41.3	192.168.2.5
Sep 4, 2024 09:12:04.005959034 CEST	49736	443	192.168.2.5	172.64.41.3
Sep 4, 2024 09:12:04.005980968 CEST	443	49736	172.64.41.3	192.168.2.5
Sep 4, 2024 09:12:04.006354094 CEST	443	49736	172.64.41.3	192.168.2.5
Sep 4, 2024 09:12:04.006720066 CEST	49736	443	192.168.2.5	172.64.41.3
Sep 4, 2024 09:12:04.006783009 CEST	443	49736	172.64.41.3	192.168.2.5
Sep 4, 2024 09:12:04.007371902 CEST	443	49735	172.64.41.3	192.168.2.5
Sep 4, 2024 09:12:04.007631063 CEST	49735	443	192.168.2.5	172.64.41.3
Sep 4, 2024 09:12:04.007646084 CEST	443	49735	172.64.41.3	192.168.2.5
Sep 4, 2024 09:12:04.007968903 CEST	443	49735	172.64.41.3	192.168.2.5
Sep 4, 2024 09:12:04.008330107 CEST	49735	443	192.168.2.5	172.64.41.3
Sep 4, 2024 09:12:04.008349895 CEST	443	49734	184.28.90.27	192.168.2.5
Sep 4, 2024 09:12:04.008389950 CEST	443	49735	172.64.41.3	192.168.2.5
Sep 4, 2024 09:12:04.008409977 CEST	49734	443	192.168.2.5	184.28.90.27
Sep 4, 2024 09:12:04.010303974 CEST	49734	443	192.168.2.5	184.28.90.27
Sep 4, 2024 09:12:04.010309935 CEST	443	49734	184.28.90.27	192.168.2.5
Sep 4, 2024 09:12:04.010557890 CEST	443	49734	184.28.90.27	192.168.2.5
Sep 4, 2024 09:12:04.011766911 CEST	49734	443	192.168.2.5	184.28.90.27
Sep 4, 2024 09:12:04.052501917 CEST	443	49734	184.28.90.27	192.168.2.5
Sep 4, 2024 09:12:04.059077024 CEST	49735	443	192.168.2.5	172.64.41.3
Sep 4, 2024 09:12:04.059077024 CEST	49736	443	192.168.2.5	172.64.41.3
Sep 4, 2024 09:12:04.283535004 CEST	443	49734	184.28.90.27	192.168.2.5
Sep 4, 2024 09:12:04.283591986 CEST	443	49734	184.28.90.27	192.168.2.5
Sep 4, 2024 09:12:04.283744097 CEST	49734	443	192.168.2.5	184.28.90.27
Sep 4, 2024 09:12:04.343257904 CEST	49737	443	192.168.2.5	142.250.65.238
Sep 4, 2024 09:12:04.343291044 CEST	443	49737	142.250.65.238	192.168.2.5
Sep 4, 2024 09:12:04.343377113 CEST	49737	443	192.168.2.5	142.250.65.238
Sep 4, 2024 09:12:04.343592882 CEST	49737	443	192.168.2.5	142.250.65.238
Sep 4, 2024 09:12:04.343609095 CEST	443	49737	142.250.65.238	192.168.2.5
Sep 4, 2024 09:12:04.482343912 CEST	49738	443	192.168.2.5	142.250.65.238
Sep 4, 2024 09:12:04.482366085 CEST	443	49738	142.250.65.238	192.168.2.5
Sep 4, 2024 09:12:04.482429028 CEST	49738	443	192.168.2.5	142.250.65.238
Sep 4, 2024 09:12:04.483566999 CEST	49738	443	192.168.2.5	142.250.65.238
Sep 4, 2024 09:12:04.483582020 CEST	443	49738	142.250.65.238	192.168.2.5
Sep 4, 2024 09:12:04.484582901 CEST	49734	443	192.168.2.5	184.28.90.27
Sep 4, 2024 09:12:04.484602928 CEST	443	49734	184.28.90.27	192.168.2.5
Sep 4, 2024 09:12:04.484615088 CEST	49734	443	192.168.2.5	184.28.90.27
Sep 4, 2024 09:12:04.484620094 CEST	443	49734	184.28.90.27	192.168.2.5
Sep 4, 2024 09:12:04.793359041 CEST	49739	443	192.168.2.5	142.251.40.132
Sep 4, 2024 09:12:04.793390036 CEST	443	49739	142.251.40.132	192.168.2.5
Sep 4, 2024 09:12:04.793584108 CEST	49739	443	192.168.2.5	142.251.40.132
Sep 4, 2024 09:12:04.793752909 CEST	49739	443	192.168.2.5	142.251.40.132
Sep 4, 2024 09:12:04.793765068 CEST	443	49739	142.251.40.132	192.168.2.5
Sep 4, 2024 09:12:04.812306881 CEST	443	49737	142.250.65.238	192.168.2.5
Sep 4, 2024 09:12:04.812508106 CEST	49737	443	192.168.2.5	142.250.65.238
Sep 4, 2024 09:12:04.812521935 CEST	443	49737	142.250.65.238	192.168.2.5
Sep 4, 2024 09:12:04.812872887 CEST	443	49737	142.250.65.238	192.168.2.5
Sep 4, 2024 09:12:04.812931061 CEST	49737	443	192.168.2.5	142.250.65.238
Sep 4, 2024 09:12:04.813541889 CEST	443	49737	142.250.65.238	192.168.2.5
Sep 4, 2024 09:12:04.813591003 CEST	49737	443	192.168.2.5	142.250.65.238
Sep 4, 2024 09:12:04.814768076 CEST	49737	443	192.168.2.5	142.250.65.238
Sep 4, 2024 09:12:04.814826965 CEST	443	49737	142.250.65.238	192.168.2.5
Sep 4, 2024 09:12:04.815083027 CEST	49737	443	192.168.2.5	142.250.65.238
Sep 4, 2024 09:12:04.815089941 CEST	443	49737	142.250.65.238	192.168.2.5
Sep 4, 2024 09:12:04.863131046 CEST	49737	443	192.168.2.5	142.250.65.238
Sep 4, 2024 09:12:04.923686028 CEST	443	49737	142.250.65.238	192.168.2.5
Sep 4, 2024 09:12:04.923847914 CEST	443	49737	142.250.65.238	192.168.2.5
Sep 4, 2024 09:12:04.923897028 CEST	49737	443	192.168.2.5	142.250.65.238
Sep 4, 2024 09:12:04.924926996 CEST	49737	443	192.168.2.5	142.250.65.238
Sep 4, 2024 09:12:04.924940109 CEST	443	49737	142.250.65.238	192.168.2.5
Sep 4, 2024 09:12:04.951560020 CEST	443	49738	142.250.65.238	192.168.2.5
Sep 4, 2024 09:12:04.951811075 CEST	49738	443	192.168.2.5	142.250.65.238
Sep 4, 2024 09:12:04.951822996 CEST	443	49738	142.250.65.238	192.168.2.5
Sep 4, 2024 09:12:04.952193975 CEST	443	49738	142.250.65.238	192.168.2.5
Sep 4, 2024 09:12:04.952255011 CEST	49738	443	192.168.2.5	142.250.65.238
Sep 4, 2024 09:12:04.952888012 CEST	443	49738	142.250.65.238	192.168.2.5
Sep 4, 2024 09:12:04.952934980 CEST	49738	443	192.168.2.5	142.250.65.238
Sep 4, 2024 09:12:04.953095913 CEST	49738	443	192.168.2.5	142.250.65.238
Sep 4, 2024 09:12:04.953166008 CEST	443	49738	142.250.65.238	192.168.2.5
Sep 4, 2024 09:12:04.953322887 CEST	49738	443	192.168.2.5	142.250.65.238
Sep 4, 2024 09:12:04.953330040 CEST	443	49738	142.250.65.238	192.168.2.5
Sep 4, 2024 09:12:05.003535986 CEST	49738	443	192.168.2.5	142.250.65.238
Sep 4, 2024 09:12:05.066473007 CEST	443	49738	142.250.65.238	192.168.2.5
Sep 4, 2024 09:12:05.066555977 CEST	443	49738	142.250.65.238	192.168.2.5
Sep 4, 2024 09:12:05.066610098 CEST	49738	443	192.168.2.5	142.250.65.238
Sep 4, 2024 09:12:05.067186117 CEST	49738	443	192.168.2.5	142.250.65.238
Sep 4, 2024 09:12:05.067197084 CEST	443	49738	142.250.65.238	192.168.2.5
Sep 4, 2024 09:12:05.238745928 CEST	49740	443	192.168.2.5	142.250.65.238
Sep 4, 2024 09:12:05.238769054 CEST	443	49740	142.250.65.238	192.168.2.5
Sep 4, 2024 09:12:05.238892078 CEST	49740	443	192.168.2.5	142.250.65.238
Sep 4, 2024 09:12:05.239084005 CEST	49740	443	192.168.2.5	142.250.65.238
Sep 4, 2024 09:12:05.239097118 CEST	443	49740	142.250.65.238	192.168.2.5
Sep 4, 2024 09:12:05.258522987 CEST	443	49739	142.251.40.132	192.168.2.5
Sep 4, 2024 09:12:05.258729935 CEST	49739	443	192.168.2.5	142.251.40.132
Sep 4, 2024 09:12:05.258748055 CEST	443	49739	142.251.40.132	192.168.2.5
Sep 4, 2024 09:12:05.259598970 CEST	443	49739	142.251.40.132	192.168.2.5
Sep 4, 2024 09:12:05.259677887 CEST	49739	443	192.168.2.5	142.251.40.132
Sep 4, 2024 09:12:05.260771990 CEST	49739	443	192.168.2.5	142.251.40.132
Sep 4, 2024 09:12:05.260828018 CEST	443	49739	142.251.40.132	192.168.2.5
Sep 4, 2024 09:12:05.261142015 CEST	49739	443	192.168.2.5	142.251.40.132
Sep 4, 2024 09:12:05.261147976 CEST	443	49739	142.251.40.132	192.168.2.5
Sep 4, 2024 09:12:05.302054882 CEST	49739	443	192.168.2.5	142.251.40.132
Sep 4, 2024 09:12:05.356687069 CEST	443	49739	142.251.40.132	192.168.2.5
Sep 4, 2024 09:12:05.356733084 CEST	443	49739	142.251.40.132	192.168.2.5
Sep 4, 2024 09:12:05.356765985 CEST	443	49739	142.251.40.132	192.168.2.5
Sep 4, 2024 09:12:05.356791019 CEST	49739	443	192.168.2.5	142.251.40.132
Sep 4, 2024 09:12:05.356801033 CEST	443	49739	142.251.40.132	192.168.2.5
Sep 4, 2024 09:12:05.356899023 CEST	49739	443	192.168.2.5	142.251.40.132
Sep 4, 2024 09:12:05.356908083 CEST	443	49739	142.251.40.132	192.168.2.5
Sep 4, 2024 09:12:05.357505083 CEST	443	49739	142.251.40.132	192.168.2.5
Sep 4, 2024 09:12:05.357553959 CEST	49739	443	192.168.2.5	142.251.40.132
Sep 4, 2024 09:12:05.358350992 CEST	49739	443	192.168.2.5	142.251.40.132
Sep 4, 2024 09:12:05.358362913 CEST	443	49739	142.251.40.132	192.168.2.5
Sep 4, 2024 09:12:05.379196882 CEST	49741	443	192.168.2.5	142.250.65.238
Sep 4, 2024 09:12:05.379235983 CEST	443	49741	142.250.65.238	192.168.2.5
Sep 4, 2024 09:12:05.379311085 CEST	49741	443	192.168.2.5	142.250.65.238
Sep 4, 2024 09:12:05.379481077 CEST	49741	443	192.168.2.5	142.250.65.238
Sep 4, 2024 09:12:05.379497051 CEST	443	49741	142.250.65.238	192.168.2.5
Sep 4, 2024 09:12:05.708599091 CEST	443	49740	142.250.65.238	192.168.2.5
Sep 4, 2024 09:12:05.708888054 CEST	49740	443	192.168.2.5	142.250.65.238
Sep 4, 2024 09:12:05.708904028 CEST	443	49740	142.250.65.238	192.168.2.5
Sep 4, 2024 09:12:05.709252119 CEST	443	49740	142.250.65.238	192.168.2.5
Sep 4, 2024 09:12:05.709316015 CEST	49740	443	192.168.2.5	142.250.65.238
Sep 4, 2024 09:12:05.709918976 CEST	443	49740	142.250.65.238	192.168.2.5
Sep 4, 2024 09:12:05.710057020 CEST	49740	443	192.168.2.5	142.250.65.238
Sep 4, 2024 09:12:05.710174084 CEST	49740	443	192.168.2.5	142.250.65.238
Sep 4, 2024 09:12:05.710232019 CEST	443	49740	142.250.65.238	192.168.2.5
Sep 4, 2024 09:12:05.752305984 CEST	49740	443	192.168.2.5	142.250.65.238
Sep 4, 2024 09:12:05.752315044 CEST	443	49740	142.250.65.238	192.168.2.5
Sep 4, 2024 09:12:05.799032927 CEST	49740	443	192.168.2.5	142.250.65.238
Sep 4, 2024 09:12:05.839804888 CEST	443	49741	142.250.65.238	192.168.2.5
Sep 4, 2024 09:12:05.840554953 CEST	49741	443	192.168.2.5	142.250.65.238
Sep 4, 2024 09:12:05.840573072 CEST	443	49741	142.250.65.238	192.168.2.5
Sep 4, 2024 09:12:05.840888977 CEST	443	49741	142.250.65.238	192.168.2.5
Sep 4, 2024 09:12:05.841159105 CEST	49741	443	192.168.2.5	142.250.65.238
Sep 4, 2024 09:12:05.841500998 CEST	443	49741	142.250.65.238	192.168.2.5
Sep 4, 2024 09:12:05.841593981 CEST	49741	443	192.168.2.5	142.250.65.238
Sep 4, 2024 09:12:05.842113018 CEST	49741	443	192.168.2.5	142.250.65.238
Sep 4, 2024 09:12:05.842170954 CEST	443	49741	142.250.65.238	192.168.2.5
Sep 4, 2024 09:12:05.892826080 CEST	49741	443	192.168.2.5	142.250.65.238
Sep 4, 2024 09:12:05.892833948 CEST	443	49741	142.250.65.238	192.168.2.5
Sep 4, 2024 09:12:05.939707041 CEST	49741	443	192.168.2.5	142.250.65.238
Sep 4, 2024 09:12:10.476155996 CEST	49742	443	192.168.2.5	40.68.123.157
Sep 4, 2024 09:12:10.476174116 CEST	443	49742	40.68.123.157	192.168.2.5
Sep 4, 2024 09:12:10.476265907 CEST	49742	443	192.168.2.5	40.68.123.157
Sep 4, 2024 09:12:10.477171898 CEST	49742	443	192.168.2.5	40.68.123.157
Sep 4, 2024 09:12:10.477184057 CEST	443	49742	40.68.123.157	192.168.2.5
Sep 4, 2024 09:12:11.265178919 CEST	443	49742	40.68.123.157	192.168.2.5
Sep 4, 2024 09:12:11.265297890 CEST	49742	443	192.168.2.5	40.68.123.157
Sep 4, 2024 09:12:11.294260025 CEST	49742	443	192.168.2.5	40.68.123.157
Sep 4, 2024 09:12:11.294275999 CEST	443	49742	40.68.123.157	192.168.2.5
Sep 4, 2024 09:12:11.294521093 CEST	443	49742	40.68.123.157	192.168.2.5
Sep 4, 2024 09:12:11.338984013 CEST	49742	443	192.168.2.5	40.68.123.157
Sep 4, 2024 09:12:12.036639929 CEST	49742	443	192.168.2.5	40.68.123.157
Sep 4, 2024 09:12:12.084497929 CEST	443	49742	40.68.123.157	192.168.2.5
Sep 4, 2024 09:12:12.294800997 CEST	443	49742	40.68.123.157	192.168.2.5
Sep 4, 2024 09:12:12.294821024 CEST	443	49742	40.68.123.157	192.168.2.5
Sep 4, 2024 09:12:12.294823885 CEST	443	49742	40.68.123.157	192.168.2.5
Sep 4, 2024 09:12:12.294895887 CEST	443	49742	40.68.123.157	192.168.2.5
Sep 4, 2024 09:12:12.294930935 CEST	443	49742	40.68.123.157	192.168.2.5
Sep 4, 2024 09:12:12.294982910 CEST	49742	443	192.168.2.5	40.68.123.157
Sep 4, 2024 09:12:12.294995070 CEST	443	49742	40.68.123.157	192.168.2.5
Sep 4, 2024 09:12:12.295146942 CEST	49742	443	192.168.2.5	40.68.123.157
Sep 4, 2024 09:12:12.295146942 CEST	49742	443	192.168.2.5	40.68.123.157
Sep 4, 2024 09:12:12.295715094 CEST	443	49742	40.68.123.157	192.168.2.5
Sep 4, 2024 09:12:12.295794964 CEST	49742	443	192.168.2.5	40.68.123.157
Sep 4, 2024 09:12:12.295799971 CEST	443	49742	40.68.123.157	192.168.2.5
Sep 4, 2024 09:12:12.296331882 CEST	443	49742	40.68.123.157	192.168.2.5
Sep 4, 2024 09:12:12.298366070 CEST	49742	443	192.168.2.5	40.68.123.157
Sep 4, 2024 09:12:13.167404890 CEST	49742	443	192.168.2.5	40.68.123.157
Sep 4, 2024 09:12:13.167428017 CEST	443	49742	40.68.123.157	192.168.2.5
Sep 4, 2024 09:12:13.167438984 CEST	49742	443	192.168.2.5	40.68.123.157
Sep 4, 2024 09:12:13.167443991 CEST	443	49742	40.68.123.157	192.168.2.5
Sep 4, 2024 09:12:18.916960001 CEST	443	49736	172.64.41.3	192.168.2.5
Sep 4, 2024 09:12:18.917031050 CEST	443	49736	172.64.41.3	192.168.2.5
Sep 4, 2024 09:12:18.917222023 CEST	49736	443	192.168.2.5	172.64.41.3
Sep 4, 2024 09:12:18.917798996 CEST	443	49735	172.64.41.3	192.168.2.5
Sep 4, 2024 09:12:18.917870045 CEST	443	49735	172.64.41.3	192.168.2.5
Sep 4, 2024 09:12:18.917911053 CEST	49735	443	192.168.2.5	172.64.41.3
Sep 4, 2024 09:12:50.767352104 CEST	49740	443	192.168.2.5	142.250.65.238
Sep 4, 2024 09:12:50.767436028 CEST	443	49740	142.250.65.238	192.168.2.5
Sep 4, 2024 09:12:50.769958973 CEST	49749	443	192.168.2.5	40.68.123.157
Sep 4, 2024 09:12:50.769994974 CEST	443	49749	40.68.123.157	192.168.2.5
Sep 4, 2024 09:12:50.770080090 CEST	49749	443	192.168.2.5	40.68.123.157
Sep 4, 2024 09:12:50.770608902 CEST	49749	443	192.168.2.5	40.68.123.157
Sep 4, 2024 09:12:50.770621061 CEST	443	49749	40.68.123.157	192.168.2.5
Sep 4, 2024 09:12:50.907965899 CEST	49741	443	192.168.2.5	142.250.65.238
Sep 4, 2024 09:12:50.907989979 CEST	443	49741	142.250.65.238	192.168.2.5
Sep 4, 2024 09:12:51.575273037 CEST	443	49749	40.68.123.157	192.168.2.5
Sep 4, 2024 09:12:51.575365067 CEST	49749	443	192.168.2.5	40.68.123.157
Sep 4, 2024 09:12:51.578996897 CEST	49749	443	192.168.2.5	40.68.123.157
Sep 4, 2024 09:12:51.579004049 CEST	443	49749	40.68.123.157	192.168.2.5
Sep 4, 2024 09:12:51.579205990 CEST	443	49749	40.68.123.157	192.168.2.5
Sep 4, 2024 09:12:51.587105989 CEST	49749	443	192.168.2.5	40.68.123.157
Sep 4, 2024 09:12:51.632503033 CEST	443	49749	40.68.123.157	192.168.2.5
Sep 4, 2024 09:12:51.915496111 CEST	443	49749	40.68.123.157	192.168.2.5
Sep 4, 2024 09:12:51.915519953 CEST	443	49749	40.68.123.157	192.168.2.5
Sep 4, 2024 09:12:51.915535927 CEST	443	49749	40.68.123.157	192.168.2.5
Sep 4, 2024 09:12:51.915606022 CEST	49749	443	192.168.2.5	40.68.123.157
Sep 4, 2024 09:12:51.915618896 CEST	443	49749	40.68.123.157	192.168.2.5
Sep 4, 2024 09:12:51.915666103 CEST	49749	443	192.168.2.5	40.68.123.157
Sep 4, 2024 09:12:51.916584969 CEST	443	49749	40.68.123.157	192.168.2.5
Sep 4, 2024 09:12:51.916629076 CEST	443	49749	40.68.123.157	192.168.2.5
Sep 4, 2024 09:12:51.916644096 CEST	49749	443	192.168.2.5	40.68.123.157
Sep 4, 2024 09:12:51.916651011 CEST	443	49749	40.68.123.157	192.168.2.5
Sep 4, 2024 09:12:51.916681051 CEST	49749	443	192.168.2.5	40.68.123.157
Sep 4, 2024 09:12:51.917087078 CEST	443	49749	40.68.123.157	192.168.2.5
Sep 4, 2024 09:12:51.917133093 CEST	49749	443	192.168.2.5	40.68.123.157
Sep 4, 2024 09:12:51.956892014 CEST	49749	443	192.168.2.5	40.68.123.157
Sep 4, 2024 09:12:51.956901073 CEST	443	49749	40.68.123.157	192.168.2.5
Sep 4, 2024 09:12:51.956918001 CEST	49749	443	192.168.2.5	40.68.123.157
Sep 4, 2024 09:12:51.956923008 CEST	443	49749	40.68.123.157	192.168.2.5
Sep 4, 2024 09:12:55.140300035 CEST	49750	443	192.168.2.5	172.64.41.3
Sep 4, 2024 09:12:55.140340090 CEST	443	49750	172.64.41.3	192.168.2.5
Sep 4, 2024 09:12:55.140420914 CEST	49750	443	192.168.2.5	172.64.41.3
Sep 4, 2024 09:12:55.140583992 CEST	49751	443	192.168.2.5	172.64.41.3
Sep 4, 2024 09:12:55.140619993 CEST	443	49751	172.64.41.3	192.168.2.5
Sep 4, 2024 09:12:55.140671015 CEST	49751	443	192.168.2.5	172.64.41.3
Sep 4, 2024 09:12:55.140805960 CEST	49750	443	192.168.2.5	172.64.41.3
Sep 4, 2024 09:12:55.140818119 CEST	443	49750	172.64.41.3	192.168.2.5
Sep 4, 2024 09:12:55.140944958 CEST	49751	443	192.168.2.5	172.64.41.3
Sep 4, 2024 09:12:55.140965939 CEST	443	49751	172.64.41.3	192.168.2.5
Sep 4, 2024 09:12:55.718374968 CEST	443	49750	172.64.41.3	192.168.2.5
Sep 4, 2024 09:12:55.718621969 CEST	49750	443	192.168.2.5	172.64.41.3
Sep 4, 2024 09:12:55.718647957 CEST	443	49750	172.64.41.3	192.168.2.5
Sep 4, 2024 09:12:55.719149113 CEST	443	49750	172.64.41.3	192.168.2.5
Sep 4, 2024 09:12:55.719400883 CEST	49750	443	192.168.2.5	172.64.41.3
Sep 4, 2024 09:12:55.719470024 CEST	443	49750	172.64.41.3	192.168.2.5
Sep 4, 2024 09:12:55.720304966 CEST	443	49751	172.64.41.3	192.168.2.5
Sep 4, 2024 09:12:55.720529079 CEST	49751	443	192.168.2.5	172.64.41.3
Sep 4, 2024 09:12:55.720560074 CEST	443	49751	172.64.41.3	192.168.2.5
Sep 4, 2024 09:12:55.720848083 CEST	443	49751	172.64.41.3	192.168.2.5
Sep 4, 2024 09:12:55.721112013 CEST	49751	443	192.168.2.5	172.64.41.3
Sep 4, 2024 09:12:55.721168995 CEST	443	49751	172.64.41.3	192.168.2.5
Sep 4, 2024 09:12:55.767577887 CEST	49751	443	192.168.2.5	172.64.41.3
Sep 4, 2024 09:12:55.767740011 CEST	49750	443	192.168.2.5	172.64.41.3
Sep 4, 2024 09:12:58.523299932 CEST	49753	443	192.168.2.5	172.64.41.3
Sep 4, 2024 09:12:58.523341894 CEST	443	49753	172.64.41.3	192.168.2.5
Sep 4, 2024 09:12:58.523394108 CEST	49753	443	192.168.2.5	172.64.41.3
Sep 4, 2024 09:12:58.523591995 CEST	49754	443	192.168.2.5	172.64.41.3
Sep 4, 2024 09:12:58.523598909 CEST	443	49754	172.64.41.3	192.168.2.5
Sep 4, 2024 09:12:58.523675919 CEST	49754	443	192.168.2.5	172.64.41.3
Sep 4, 2024 09:12:58.523772955 CEST	49753	443	192.168.2.5	172.64.41.3
Sep 4, 2024 09:12:58.523787022 CEST	443	49753	172.64.41.3	192.168.2.5
Sep 4, 2024 09:12:58.523916960 CEST	49754	443	192.168.2.5	172.64.41.3
Sep 4, 2024 09:12:58.523927927 CEST	443	49754	172.64.41.3	192.168.2.5
Sep 4, 2024 09:12:59.096102953 CEST	443	49754	172.64.41.3	192.168.2.5
Sep 4, 2024 09:12:59.096255064 CEST	443	49753	172.64.41.3	192.168.2.5
Sep 4, 2024 09:12:59.097106934 CEST	49753	443	192.168.2.5	172.64.41.3
Sep 4, 2024 09:12:59.097135067 CEST	443	49753	172.64.41.3	192.168.2.5
Sep 4, 2024 09:12:59.097225904 CEST	49754	443	192.168.2.5	172.64.41.3
Sep 4, 2024 09:12:59.097235918 CEST	443	49754	172.64.41.3	192.168.2.5
Sep 4, 2024 09:12:59.097439051 CEST	443	49753	172.64.41.3	192.168.2.5
Sep 4, 2024 09:12:59.097558975 CEST	443	49754	172.64.41.3	192.168.2.5
Sep 4, 2024 09:12:59.098118067 CEST	49754	443	192.168.2.5	172.64.41.3
Sep 4, 2024 09:12:59.098177910 CEST	443	49754	172.64.41.3	192.168.2.5
Sep 4, 2024 09:12:59.098449945 CEST	49753	443	192.168.2.5	172.64.41.3
Sep 4, 2024 09:12:59.098507881 CEST	443	49753	172.64.41.3	192.168.2.5
Sep 4, 2024 09:12:59.143651962 CEST	49753	443	192.168.2.5	172.64.41.3
Sep 4, 2024 09:12:59.143651962 CEST	49754	443	192.168.2.5	172.64.41.3
Sep 4, 2024 09:12:59.200207949 CEST	49755	443	192.168.2.5	23.219.161.132
Sep 4, 2024 09:12:59.200253010 CEST	443	49755	23.219.161.132	192.168.2.5
Sep 4, 2024 09:12:59.200323105 CEST	49755	443	192.168.2.5	23.219.161.132
Sep 4, 2024 09:12:59.200495958 CEST	49755	443	192.168.2.5	23.219.161.132
Sep 4, 2024 09:12:59.200506926 CEST	443	49755	23.219.161.132	192.168.2.5
Sep 4, 2024 09:12:59.682250977 CEST	443	49755	23.219.161.132	192.168.2.5
Sep 4, 2024 09:12:59.682569027 CEST	49755	443	192.168.2.5	23.219.161.132
Sep 4, 2024 09:12:59.682600021 CEST	443	49755	23.219.161.132	192.168.2.5
Sep 4, 2024 09:12:59.683962107 CEST	443	49755	23.219.161.132	192.168.2.5
Sep 4, 2024 09:12:59.684254885 CEST	49755	443	192.168.2.5	23.219.161.132
Sep 4, 2024 09:12:59.684391975 CEST	49755	443	192.168.2.5	23.219.161.132
Sep 4, 2024 09:12:59.684422016 CEST	443	49755	23.219.161.132	192.168.2.5
Sep 4, 2024 09:12:59.736872911 CEST	49755	443	192.168.2.5	23.219.161.132
Sep 4, 2024 09:12:59.828963041 CEST	443	49755	23.219.161.132	192.168.2.5
Sep 4, 2024 09:12:59.829047918 CEST	443	49755	23.219.161.132	192.168.2.5
Sep 4, 2024 09:12:59.829190016 CEST	49755	443	192.168.2.5	23.219.161.132
Sep 4, 2024 09:12:59.829533100 CEST	49755	443	192.168.2.5	23.219.161.132
Sep 4, 2024 09:12:59.829554081 CEST	443	49755	23.219.161.132	192.168.2.5
Sep 4, 2024 09:13:03.924034119 CEST	49735	443	192.168.2.5	172.64.41.3
Sep 4, 2024 09:13:03.924034119 CEST	49736	443	192.168.2.5	172.64.41.3
Sep 4, 2024 09:13:03.924061060 CEST	443	49735	172.64.41.3	192.168.2.5
Sep 4, 2024 09:13:03.924072027 CEST	443	49736	172.64.41.3	192.168.2.5
Sep 4, 2024 09:13:10.629301071 CEST	443	49750	172.64.41.3	192.168.2.5
Sep 4, 2024 09:13:10.629369974 CEST	443	49750	172.64.41.3	192.168.2.5
Sep 4, 2024 09:13:10.629446983 CEST	49750	443	192.168.2.5	172.64.41.3
Sep 4, 2024 09:13:10.630058050 CEST	443	49751	172.64.41.3	192.168.2.5
Sep 4, 2024 09:13:10.630117893 CEST	443	49751	172.64.41.3	192.168.2.5
Sep 4, 2024 09:13:10.630166054 CEST	49751	443	192.168.2.5	172.64.41.3
Sep 4, 2024 09:13:13.899328947 CEST	443	49754	172.64.41.3	192.168.2.5
Sep 4, 2024 09:13:13.899395943 CEST	443	49754	172.64.41.3	192.168.2.5
Sep 4, 2024 09:13:13.899451017 CEST	49754	443	192.168.2.5	172.64.41.3
Sep 4, 2024 09:13:13.899822950 CEST	443	49753	172.64.41.3	192.168.2.5
Sep 4, 2024 09:13:13.899873018 CEST	443	49753	172.64.41.3	192.168.2.5
Sep 4, 2024 09:13:13.899916887 CEST	49753	443	192.168.2.5	172.64.41.3
Sep 4, 2024 09:13:35.767745972 CEST	49740	443	192.168.2.5	142.250.65.238
Sep 4, 2024 09:13:35.767771006 CEST	443	49740	142.250.65.238	192.168.2.5
Sep 4, 2024 09:13:35.908401012 CEST	49741	443	192.168.2.5	142.250.65.238
Sep 4, 2024 09:13:35.908435106 CEST	443	49741	142.250.65.238	192.168.2.5
Sep 4, 2024 09:13:48.924608946 CEST	49736	443	192.168.2.5	172.64.41.3
Sep 4, 2024 09:13:48.924643993 CEST	443	49736	172.64.41.3	192.168.2.5
Sep 4, 2024 09:13:48.924654007 CEST	49735	443	192.168.2.5	172.64.41.3
Sep 4, 2024 09:13:48.924659967 CEST	443	49735	172.64.41.3	192.168.2.5
Sep 4, 2024 09:13:55.642788887 CEST	49750	443	192.168.2.5	172.64.41.3
Sep 4, 2024 09:13:55.642834902 CEST	443	49750	172.64.41.3	192.168.2.5
Sep 4, 2024 09:13:55.642889977 CEST	49751	443	192.168.2.5	172.64.41.3
Sep 4, 2024 09:13:55.642916918 CEST	443	49751	172.64.41.3	192.168.2.5
Sep 4, 2024 09:13:58.907875061 CEST	49753	443	192.168.2.5	172.64.41.3
Sep 4, 2024 09:13:58.907875061 CEST	49754	443	192.168.2.5	172.64.41.3
Sep 4, 2024 09:13:58.907917023 CEST	443	49753	172.64.41.3	192.168.2.5
Sep 4, 2024 09:13:58.907932997 CEST	443	49754	172.64.41.3	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 4, 2024 09:11:57.368824005 CEST	53	54119	1.1.1.1	192.168.2.5
Sep 4, 2024 09:11:58.508740902 CEST	52036	53	192.168.2.5	1.1.1.1
Sep 4, 2024 09:11:58.508872986 CEST	50337	53	192.168.2.5	1.1.1.1
Sep 4, 2024 09:11:59.765415907 CEST	53	52410	1.1.1.1	192.168.2.5
Sep 4, 2024 09:11:59.774137020 CEST	53	57949	1.1.1.1	192.168.2.5
Sep 4, 2024 09:12:02.112869024 CEST	65356	53	192.168.2.5	1.1.1.1
Sep 4, 2024 09:12:02.113306999 CEST	65285	53	192.168.2.5	1.1.1.1
Sep 4, 2024 09:12:02.113662004 CEST	53786	53	192.168.2.5	1.1.1.1
Sep 4, 2024 09:12:02.114005089 CEST	58064	53	192.168.2.5	1.1.1.1
Sep 4, 2024 09:12:02.114360094 CEST	60091	53	192.168.2.5	1.1.1.1
Sep 4, 2024 09:12:02.114530087 CEST	62635	53	192.168.2.5	1.1.1.1
Sep 4, 2024 09:12:02.114823103 CEST	57866	53	192.168.2.5	1.1.1.1
Sep 4, 2024 09:12:02.115319014 CEST	64770	53	192.168.2.5	1.1.1.1
Sep 4, 2024 09:12:02.119532108 CEST	53	65356	1.1.1.1	192.168.2.5
Sep 4, 2024 09:12:02.119721889 CEST	53	65285	1.1.1.1	192.168.2.5
Sep 4, 2024 09:12:02.120403051 CEST	53	53786	1.1.1.1	192.168.2.5
Sep 4, 2024 09:12:02.120613098 CEST	53	58064	1.1.1.1	192.168.2.5
Sep 4, 2024 09:12:02.121159077 CEST	53	60091	1.1.1.1	192.168.2.5
Sep 4, 2024 09:12:02.121169090 CEST	53	62635	1.1.1.1	192.168.2.5
Sep 4, 2024 09:12:02.121417999 CEST	53	57866	1.1.1.1	192.168.2.5
Sep 4, 2024 09:12:02.121824980 CEST	53	64770	1.1.1.1	192.168.2.5
Sep 4, 2024 09:12:02.175102949 CEST	53822	53	192.168.2.5	1.1.1.1
Sep 4, 2024 09:12:02.175359964 CEST	63095	53	192.168.2.5	1.1.1.1
Sep 4, 2024 09:12:02.181627035 CEST	53	53822	1.1.1.1	192.168.2.5
Sep 4, 2024 09:12:02.182506084 CEST	53	63095	1.1.1.1	192.168.2.5
Sep 4, 2024 09:12:03.211993933 CEST	49513	443	192.168.2.5	172.64.41.3
Sep 4, 2024 09:12:03.542202950 CEST	49513	443	192.168.2.5	172.64.41.3
Sep 4, 2024 09:12:03.686460972 CEST	443	49513	172.64.41.3	192.168.2.5
Sep 4, 2024 09:12:03.686482906 CEST	443	49513	172.64.41.3	192.168.2.5
Sep 4, 2024 09:12:03.686496019 CEST	443	49513	172.64.41.3	192.168.2.5
Sep 4, 2024 09:12:03.686592102 CEST	443	49513	172.64.41.3	192.168.2.5
Sep 4, 2024 09:12:03.686604977 CEST	443	49513	172.64.41.3	192.168.2.5
Sep 4, 2024 09:12:03.948386908 CEST	49513	443	192.168.2.5	172.64.41.3
Sep 4, 2024 09:12:03.950768948 CEST	49513	443	192.168.2.5	172.64.41.3
Sep 4, 2024 09:12:03.954993010 CEST	49513	443	192.168.2.5	172.64.41.3
Sep 4, 2024 09:12:03.955106974 CEST	49513	443	192.168.2.5	172.64.41.3
Sep 4, 2024 09:12:03.965677023 CEST	49513	443	192.168.2.5	172.64.41.3
Sep 4, 2024 09:12:04.060019016 CEST	443	49513	172.64.41.3	192.168.2.5
Sep 4, 2024 09:12:04.060034037 CEST	443	49513	172.64.41.3	192.168.2.5
Sep 4, 2024 09:12:04.060043097 CEST	443	49513	172.64.41.3	192.168.2.5
Sep 4, 2024 09:12:04.060053110 CEST	443	49513	172.64.41.3	192.168.2.5
Sep 4, 2024 09:12:04.066634893 CEST	443	49513	172.64.41.3	192.168.2.5
Sep 4, 2024 09:12:04.067672014 CEST	443	49513	172.64.41.3	192.168.2.5
Sep 4, 2024 09:12:04.067943096 CEST	443	49513	172.64.41.3	192.168.2.5
Sep 4, 2024 09:12:04.119471073 CEST	49513	443	192.168.2.5	172.64.41.3
Sep 4, 2024 09:12:04.119556904 CEST	49513	443	192.168.2.5	172.64.41.3
Sep 4, 2024 09:12:04.119729042 CEST	49513	443	192.168.2.5	172.64.41.3
Sep 4, 2024 09:12:04.218978882 CEST	443	49513	172.64.41.3	192.168.2.5
Sep 4, 2024 09:12:04.236897945 CEST	49513	443	192.168.2.5	172.64.41.3
Sep 4, 2024 09:12:04.237047911 CEST	49513	443	192.168.2.5	172.64.41.3
Sep 4, 2024 09:12:04.339878082 CEST	443	49513	172.64.41.3	192.168.2.5
Sep 4, 2024 09:12:04.341387033 CEST	443	49513	172.64.41.3	192.168.2.5
Sep 4, 2024 09:12:04.341424942 CEST	443	49513	172.64.41.3	192.168.2.5
Sep 4, 2024 09:12:04.342026949 CEST	49513	443	192.168.2.5	172.64.41.3
Sep 4, 2024 09:12:04.691423893 CEST	49513	443	192.168.2.5	172.64.41.3
Sep 4, 2024 09:12:04.691596985 CEST	49513	443	192.168.2.5	172.64.41.3
Sep 4, 2024 09:12:04.792138100 CEST	443	49513	172.64.41.3	192.168.2.5
Sep 4, 2024 09:12:04.792474985 CEST	443	49513	172.64.41.3	192.168.2.5
Sep 4, 2024 09:12:04.792762995 CEST	443	49513	172.64.41.3	192.168.2.5
Sep 4, 2024 09:12:04.792922020 CEST	49513	443	192.168.2.5	172.64.41.3
Sep 4, 2024 09:12:04.927819014 CEST	52821	443	192.168.2.5	142.250.65.238
Sep 4, 2024 09:12:05.237981081 CEST	52821	443	192.168.2.5	142.250.65.238
Sep 4, 2024 09:12:05.380862951 CEST	443	52821	142.250.65.238	192.168.2.5
Sep 4, 2024 09:12:05.380925894 CEST	443	52821	142.250.65.238	192.168.2.5
Sep 4, 2024 09:12:05.381325006 CEST	52821	443	192.168.2.5	142.250.65.238
Sep 4, 2024 09:12:05.386604071 CEST	443	52821	142.250.65.238	192.168.2.5
Sep 4, 2024 09:12:05.386657953 CEST	443	52821	142.250.65.238	192.168.2.5
Sep 4, 2024 09:12:05.386668921 CEST	443	52821	142.250.65.238	192.168.2.5
Sep 4, 2024 09:12:05.386679888 CEST	443	52821	142.250.65.238	192.168.2.5
Sep 4, 2024 09:12:05.386929035 CEST	52821	443	192.168.2.5	142.250.65.238
Sep 4, 2024 09:12:05.387360096 CEST	52821	443	192.168.2.5	142.250.65.238
Sep 4, 2024 09:12:05.388473034 CEST	52821	443	192.168.2.5	142.250.65.238
Sep 4, 2024 09:12:05.388587952 CEST	52821	443	192.168.2.5	142.250.65.238
Sep 4, 2024 09:12:05.388993979 CEST	52821	443	192.168.2.5	142.250.65.238
Sep 4, 2024 09:12:05.389019966 CEST	52821	443	192.168.2.5	142.250.65.238
Sep 4, 2024 09:12:05.394093990 CEST	52821	443	192.168.2.5	142.250.65.238
Sep 4, 2024 09:12:05.486551046 CEST	443	52821	142.250.65.238	192.168.2.5
Sep 4, 2024 09:12:05.486602068 CEST	443	52821	142.250.65.238	192.168.2.5
Sep 4, 2024 09:12:05.487392902 CEST	52821	443	192.168.2.5	142.250.65.238
Sep 4, 2024 09:12:05.487869024 CEST	443	52821	142.250.65.238	192.168.2.5
Sep 4, 2024 09:12:05.489007950 CEST	443	52821	142.250.65.238	192.168.2.5
Sep 4, 2024 09:12:05.490359068 CEST	52821	443	192.168.2.5	142.250.65.238
Sep 4, 2024 09:12:05.501234055 CEST	443	52821	142.250.65.238	192.168.2.5
Sep 4, 2024 09:12:05.501506090 CEST	443	52821	142.250.65.238	192.168.2.5
Sep 4, 2024 09:12:05.501507998 CEST	52821	443	192.168.2.5	142.250.65.238
Sep 4, 2024 09:12:05.502759933 CEST	443	52821	142.250.65.238	192.168.2.5
Sep 4, 2024 09:12:05.503118992 CEST	443	52821	142.250.65.238	192.168.2.5
Sep 4, 2024 09:12:05.503679037 CEST	52821	443	192.168.2.5	142.250.65.238
Sep 4, 2024 09:12:05.534029961 CEST	52821	443	192.168.2.5	142.250.65.238
Sep 4, 2024 09:12:05.597070932 CEST	443	52821	142.250.65.238	192.168.2.5
Sep 4, 2024 09:12:13.016518116 CEST	52821	443	192.168.2.5	142.250.65.238
Sep 4, 2024 09:12:13.016699076 CEST	52821	443	192.168.2.5	142.250.65.238
Sep 4, 2024 09:12:13.113540888 CEST	443	52821	142.250.65.238	192.168.2.5
Sep 4, 2024 09:12:13.167685986 CEST	443	52821	142.250.65.238	192.168.2.5
Sep 4, 2024 09:12:13.167864084 CEST	443	52821	142.250.65.238	192.168.2.5
Sep 4, 2024 09:12:13.200439930 CEST	52821	443	192.168.2.5	142.250.65.238
Sep 4, 2024 09:12:13.251621962 CEST	52821	443	192.168.2.5	142.250.65.238
Sep 4, 2024 09:12:13.318686962 CEST	443	52821	142.250.65.238	192.168.2.5
Sep 4, 2024 09:12:13.394500017 CEST	52821	443	192.168.2.5	142.250.65.238
Sep 4, 2024 09:12:34.440047026 CEST	52821	443	192.168.2.5	142.250.65.238
Sep 4, 2024 09:12:34.440102100 CEST	52821	443	192.168.2.5	142.250.65.238
Sep 4, 2024 09:12:34.534090996 CEST	443	52821	142.250.65.238	192.168.2.5
Sep 4, 2024 09:12:34.549439907 CEST	443	52821	142.250.65.238	192.168.2.5
Sep 4, 2024 09:12:34.549684048 CEST	443	52821	142.250.65.238	192.168.2.5
Sep 4, 2024 09:12:34.552130938 CEST	52821	443	192.168.2.5	142.250.65.238
Sep 4, 2024 09:12:34.583113909 CEST	52821	443	192.168.2.5	142.250.65.238
Sep 4, 2024 09:12:34.670530081 CEST	443	52821	142.250.65.238	192.168.2.5
Sep 4, 2024 09:12:37.179068089 CEST	52821	443	192.168.2.5	142.250.65.238
Sep 4, 2024 09:12:37.179116011 CEST	52821	443	192.168.2.5	142.250.65.238
Sep 4, 2024 09:12:37.347939968 CEST	52821	443	192.168.2.5	142.250.65.238
Sep 4, 2024 09:12:37.347973108 CEST	52821	443	192.168.2.5	142.250.65.238
Sep 4, 2024 09:12:37.531390905 CEST	443	52821	142.250.65.238	192.168.2.5
Sep 4, 2024 09:12:37.531404972 CEST	443	52821	142.250.65.238	192.168.2.5
Sep 4, 2024 09:12:37.531414986 CEST	443	52821	142.250.65.238	192.168.2.5
Sep 4, 2024 09:12:37.531948090 CEST	443	52821	142.250.65.238	192.168.2.5
Sep 4, 2024 09:12:37.532063007 CEST	52821	443	192.168.2.5	142.250.65.238
Sep 4, 2024 09:12:37.532063007 CEST	52821	443	192.168.2.5	142.250.65.238
Sep 4, 2024 09:12:37.622473955 CEST	443	52821	142.250.65.238	192.168.2.5
Sep 4, 2024 09:12:37.622896910 CEST	52821	443	192.168.2.5	142.250.65.238
Sep 4, 2024 09:12:37.636573076 CEST	443	52821	142.250.65.238	192.168.2.5
Sep 4, 2024 09:12:37.636583090 CEST	443	52821	142.250.65.238	192.168.2.5
Sep 4, 2024 09:12:37.639941931 CEST	52821	443	192.168.2.5	142.250.65.238
Sep 4, 2024 09:12:37.674849033 CEST	52821	443	192.168.2.5	142.250.65.238
Sep 4, 2024 09:12:37.758255005 CEST	443	52821	142.250.65.238	192.168.2.5
Sep 4, 2024 09:12:55.140064955 CEST	58184	443	192.168.2.5	172.64.41.3
Sep 4, 2024 09:12:55.455370903 CEST	58184	443	192.168.2.5	172.64.41.3
Sep 4, 2024 09:12:55.712630987 CEST	443	58184	172.64.41.3	192.168.2.5
Sep 4, 2024 09:12:55.712654114 CEST	443	58184	172.64.41.3	192.168.2.5
Sep 4, 2024 09:12:55.712663889 CEST	443	58184	172.64.41.3	192.168.2.5
Sep 4, 2024 09:12:55.712676048 CEST	443	58184	172.64.41.3	192.168.2.5
Sep 4, 2024 09:12:55.712687016 CEST	443	58184	172.64.41.3	192.168.2.5
Sep 4, 2024 09:12:55.713248968 CEST	58184	443	192.168.2.5	172.64.41.3
Sep 4, 2024 09:12:55.714940071 CEST	58184	443	192.168.2.5	172.64.41.3
Sep 4, 2024 09:12:55.715173960 CEST	58184	443	192.168.2.5	172.64.41.3
Sep 4, 2024 09:12:55.715276003 CEST	58184	443	192.168.2.5	172.64.41.3
Sep 4, 2024 09:12:55.715611935 CEST	58184	443	192.168.2.5	172.64.41.3
Sep 4, 2024 09:12:55.715708971 CEST	58184	443	192.168.2.5	172.64.41.3
Sep 4, 2024 09:12:55.814526081 CEST	443	58184	172.64.41.3	192.168.2.5
Sep 4, 2024 09:12:55.814640999 CEST	443	58184	172.64.41.3	192.168.2.5
Sep 4, 2024 09:12:55.814651012 CEST	443	58184	172.64.41.3	192.168.2.5
Sep 4, 2024 09:12:55.814661026 CEST	443	58184	172.64.41.3	192.168.2.5
Sep 4, 2024 09:12:55.814670086 CEST	443	58184	172.64.41.3	192.168.2.5
Sep 4, 2024 09:12:55.814903021 CEST	58184	443	192.168.2.5	172.64.41.3
Sep 4, 2024 09:12:55.815053940 CEST	58184	443	192.168.2.5	172.64.41.3
Sep 4, 2024 09:12:55.815355062 CEST	443	58184	172.64.41.3	192.168.2.5
Sep 4, 2024 09:12:55.816082954 CEST	443	58184	172.64.41.3	192.168.2.5
Sep 4, 2024 09:12:55.816380024 CEST	443	58184	172.64.41.3	192.168.2.5
Sep 4, 2024 09:12:55.816500902 CEST	58184	443	192.168.2.5	172.64.41.3
Sep 4, 2024 09:12:55.914331913 CEST	443	58184	172.64.41.3	192.168.2.5
Sep 4, 2024 09:12:55.939870119 CEST	58184	443	192.168.2.5	172.64.41.3
Sep 4, 2024 09:12:58.523164034 CEST	58128	443	192.168.2.5	172.64.41.3
Sep 4, 2024 09:12:58.828442097 CEST	58128	443	192.168.2.5	172.64.41.3
Sep 4, 2024 09:12:59.094302893 CEST	443	58128	172.64.41.3	192.168.2.5
Sep 4, 2024 09:12:59.094360113 CEST	443	58128	172.64.41.3	192.168.2.5
Sep 4, 2024 09:12:59.094368935 CEST	443	58128	172.64.41.3	192.168.2.5
Sep 4, 2024 09:12:59.094382048 CEST	443	58128	172.64.41.3	192.168.2.5
Sep 4, 2024 09:12:59.094901085 CEST	58128	443	192.168.2.5	172.64.41.3
Sep 4, 2024 09:12:59.096760035 CEST	58128	443	192.168.2.5	172.64.41.3
Sep 4, 2024 09:12:59.096856117 CEST	58128	443	192.168.2.5	172.64.41.3
Sep 4, 2024 09:12:59.097472906 CEST	58128	443	192.168.2.5	172.64.41.3
Sep 4, 2024 09:12:59.097592115 CEST	58128	443	192.168.2.5	172.64.41.3
Sep 4, 2024 09:12:59.188153028 CEST	443	58128	172.64.41.3	192.168.2.5
Sep 4, 2024 09:12:59.194086075 CEST	443	58128	172.64.41.3	192.168.2.5
Sep 4, 2024 09:12:59.194587946 CEST	443	58128	172.64.41.3	192.168.2.5
Sep 4, 2024 09:12:59.194597006 CEST	443	58128	172.64.41.3	192.168.2.5
Sep 4, 2024 09:12:59.194603920 CEST	443	58128	172.64.41.3	192.168.2.5
Sep 4, 2024 09:12:59.194825888 CEST	58128	443	192.168.2.5	172.64.41.3
Sep 4, 2024 09:12:59.194916964 CEST	58128	443	192.168.2.5	172.64.41.3
Sep 4, 2024 09:12:59.196465015 CEST	443	58128	172.64.41.3	192.168.2.5
Sep 4, 2024 09:12:59.197896957 CEST	443	58128	172.64.41.3	192.168.2.5
Sep 4, 2024 09:12:59.198921919 CEST	443	58128	172.64.41.3	192.168.2.5
Sep 4, 2024 09:12:59.199496984 CEST	443	58128	172.64.41.3	192.168.2.5
Sep 4, 2024 09:12:59.199673891 CEST	58128	443	192.168.2.5	172.64.41.3
Sep 4, 2024 09:12:59.292093992 CEST	443	58128	172.64.41.3	192.168.2.5
Sep 4, 2024 09:12:59.330847979 CEST	58128	443	192.168.2.5	172.64.41.3
Sep 4, 2024 09:13:06.037997007 CEST	63121	443	192.168.2.5	172.64.41.3
Sep 4, 2024 09:13:06.038146973 CEST	63121	443	192.168.2.5	172.64.41.3
Sep 4, 2024 09:13:06.038449049 CEST	63121	443	192.168.2.5	172.64.41.3
Sep 4, 2024 09:13:06.038548946 CEST	63121	443	192.168.2.5	172.64.41.3
Sep 4, 2024 09:13:06.632978916 CEST	443	63121	172.64.41.3	192.168.2.5
Sep 4, 2024 09:13:06.633625031 CEST	63121	443	192.168.2.5	172.64.41.3
Sep 4, 2024 09:13:06.658951998 CEST	63121	443	192.168.2.5	172.64.41.3
Sep 4, 2024 09:13:07.050770044 CEST	63121	443	192.168.2.5	172.64.41.3
Sep 4, 2024 09:13:07.050829887 CEST	63121	443	192.168.2.5	172.64.41.3
Sep 4, 2024 09:13:07.051384926 CEST	63121	443	192.168.2.5	172.64.41.3
Sep 4, 2024 09:13:07.051422119 CEST	63121	443	192.168.2.5	172.64.41.3
Sep 4, 2024 09:13:07.311644077 CEST	53	55594	1.1.1.1	192.168.2.5
Sep 4, 2024 09:13:07.403428078 CEST	443	63121	172.64.41.3	192.168.2.5
Sep 4, 2024 09:13:07.403438091 CEST	443	63121	172.64.41.3	192.168.2.5
Sep 4, 2024 09:13:07.403445959 CEST	443	63121	172.64.41.3	192.168.2.5
Sep 4, 2024 09:13:07.403453112 CEST	443	63121	172.64.41.3	192.168.2.5
Sep 4, 2024 09:13:07.403460979 CEST	443	63121	172.64.41.3	192.168.2.5
Sep 4, 2024 09:13:07.403850079 CEST	63121	443	192.168.2.5	172.64.41.3
Sep 4, 2024 09:13:07.403951883 CEST	63121	443	192.168.2.5	172.64.41.3
Sep 4, 2024 09:13:07.403991938 CEST	63121	443	192.168.2.5	172.64.41.3
Sep 4, 2024 09:13:07.439295053 CEST	63121	443	192.168.2.5	172.64.41.3
Sep 4, 2024 09:13:07.501363039 CEST	443	63121	172.64.41.3	192.168.2.5
Sep 4, 2024 09:13:07.501404047 CEST	443	63121	172.64.41.3	192.168.2.5
Sep 4, 2024 09:13:07.533221960 CEST	63121	443	192.168.2.5	172.64.41.3
Sep 4, 2024 09:13:11.708142042 CEST	63121	443	192.168.2.5	172.64.41.3
Sep 4, 2024 09:13:11.708251953 CEST	63121	443	192.168.2.5	172.64.41.3
Sep 4, 2024 09:13:11.807579994 CEST	443	63121	172.64.41.3	192.168.2.5
Sep 4, 2024 09:13:11.807987928 CEST	443	63121	172.64.41.3	192.168.2.5
Sep 4, 2024 09:13:11.808394909 CEST	443	63121	172.64.41.3	192.168.2.5
Sep 4, 2024 09:13:11.808656931 CEST	63121	443	192.168.2.5	172.64.41.3
Sep 4, 2024 09:13:11.809318066 CEST	62204	443	192.168.2.5	142.251.35.174
Sep 4, 2024 09:13:11.809451103 CEST	62204	443	192.168.2.5	142.251.35.174
Sep 4, 2024 09:13:12.269048929 CEST	62204	443	192.168.2.5	142.251.35.174
Sep 4, 2024 09:13:12.283999920 CEST	443	62204	142.251.35.174	192.168.2.5
Sep 4, 2024 09:13:12.284045935 CEST	443	62204	142.251.35.174	192.168.2.5
Sep 4, 2024 09:13:12.284583092 CEST	62204	443	192.168.2.5	142.251.35.174
Sep 4, 2024 09:13:12.284651041 CEST	62204	443	192.168.2.5	142.251.35.174
Sep 4, 2024 09:13:12.284924030 CEST	62204	443	192.168.2.5	142.251.35.174
Sep 4, 2024 09:13:12.285023928 CEST	62204	443	192.168.2.5	142.251.35.174
Sep 4, 2024 09:13:12.285023928 CEST	62204	443	192.168.2.5	142.251.35.174
Sep 4, 2024 09:13:12.285063028 CEST	62204	443	192.168.2.5	142.251.35.174
Sep 4, 2024 09:13:12.304155111 CEST	443	62204	142.251.35.174	192.168.2.5
Sep 4, 2024 09:13:12.362201929 CEST	443	62204	142.251.35.174	192.168.2.5
Sep 4, 2024 09:13:12.368009090 CEST	62204	443	192.168.2.5	142.251.35.174
Sep 4, 2024 09:13:12.377482891 CEST	443	62204	142.251.35.174	192.168.2.5
Sep 4, 2024 09:13:12.377722979 CEST	62204	443	192.168.2.5	142.251.35.174
Sep 4, 2024 09:13:12.378169060 CEST	443	62204	142.251.35.174	192.168.2.5
Sep 4, 2024 09:13:12.378177881 CEST	443	62204	142.251.35.174	192.168.2.5
Sep 4, 2024 09:13:12.378339052 CEST	62204	443	192.168.2.5	142.251.35.174
Sep 4, 2024 09:13:12.378418922 CEST	443	62204	142.251.35.174	192.168.2.5
Sep 4, 2024 09:13:12.392843008 CEST	443	62204	142.251.35.174	192.168.2.5
Sep 4, 2024 09:13:12.392997980 CEST	443	62204	142.251.35.174	192.168.2.5
Sep 4, 2024 09:13:12.393013954 CEST	443	62204	142.251.35.174	192.168.2.5
Sep 4, 2024 09:13:12.393292904 CEST	443	62204	142.251.35.174	192.168.2.5
Sep 4, 2024 09:13:12.393341064 CEST	62204	443	192.168.2.5	142.251.35.174
Sep 4, 2024 09:13:12.393502951 CEST	62204	443	192.168.2.5	142.251.35.174
Sep 4, 2024 09:13:12.424619913 CEST	62204	443	192.168.2.5	142.251.35.174
Sep 4, 2024 09:13:12.461378098 CEST	443	62204	142.251.35.174	192.168.2.5
Sep 4, 2024 09:13:12.486598015 CEST	443	62204	142.251.35.174	192.168.2.5
Sep 4, 2024 09:13:12.511253119 CEST	443	62204	142.251.35.174	192.168.2.5
Sep 4, 2024 09:13:42.334836006 CEST	57620	443	192.168.2.5	142.251.35.174
Sep 4, 2024 09:13:42.335006952 CEST	57620	443	192.168.2.5	142.251.35.174
Sep 4, 2024 09:13:42.794282913 CEST	443	57620	142.251.35.174	192.168.2.5
Sep 4, 2024 09:13:42.794703960 CEST	443	57620	142.251.35.174	192.168.2.5
Sep 4, 2024 09:13:42.794955015 CEST	57620	443	192.168.2.5	142.251.35.174
Sep 4, 2024 09:13:42.795042038 CEST	57620	443	192.168.2.5	142.251.35.174
Sep 4, 2024 09:13:42.795336008 CEST	57620	443	192.168.2.5	142.251.35.174
Sep 4, 2024 09:13:42.795347929 CEST	57620	443	192.168.2.5	142.251.35.174
Sep 4, 2024 09:13:42.811856031 CEST	443	57620	142.251.35.174	192.168.2.5
Sep 4, 2024 09:13:42.894958973 CEST	443	57620	142.251.35.174	192.168.2.5
Sep 4, 2024 09:13:42.895395041 CEST	443	57620	142.251.35.174	192.168.2.5
Sep 4, 2024 09:13:42.895688057 CEST	57620	443	192.168.2.5	142.251.35.174
Sep 4, 2024 09:13:42.909358978 CEST	443	57620	142.251.35.174	192.168.2.5
Sep 4, 2024 09:13:42.909486055 CEST	443	57620	142.251.35.174	192.168.2.5
Sep 4, 2024 09:13:42.909821033 CEST	57620	443	192.168.2.5	142.251.35.174
Sep 4, 2024 09:13:42.944705963 CEST	57620	443	192.168.2.5	142.251.35.174
Sep 4, 2024 09:13:43.032723904 CEST	443	57620	142.251.35.174	192.168.2.5
Sep 4, 2024 09:13:46.845155954 CEST	57620	443	192.168.2.5	142.251.35.174
Sep 4, 2024 09:13:46.845210075 CEST	57620	443	192.168.2.5	142.251.35.174
Sep 4, 2024 09:13:46.943526983 CEST	443	57620	142.251.35.174	192.168.2.5
Sep 4, 2024 09:13:46.957962036 CEST	443	57620	142.251.35.174	192.168.2.5
Sep 4, 2024 09:13:46.958014011 CEST	443	57620	142.251.35.174	192.168.2.5
Sep 4, 2024 09:13:46.958981037 CEST	57620	443	192.168.2.5	142.251.35.174
Sep 4, 2024 09:13:46.988940954 CEST	57620	443	192.168.2.5	142.251.35.174
Sep 4, 2024 09:13:47.082665920 CEST	443	57620	142.251.35.174	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Sep 4, 2024 09:11:58.508740902 CEST	192.168.2.5	1.1.1.1	0x4948	Standard query (0)	bzib.nelreports.net	A (IP address)	IN (0x0001)	false
Sep 4, 2024 09:11:58.508872986 CEST	192.168.2.5	1.1.1.1	0x6a4f	Standard query (0)	bzib.nelreports.net	65	IN (0x0001)	false
Sep 4, 2024 09:12:02.112869024 CEST	192.168.2.5	1.1.1.1	0x7b45	Standard query (0)	chrome.cloudflare-dns.com	A (IP address)	IN (0x0001)	false
Sep 4, 2024 09:12:02.113306999 CEST	192.168.2.5	1.1.1.1	0x20b9	Standard query (0)	chrome.cloudflare-dns.com	65	IN (0x0001)	false
Sep 4, 2024 09:12:02.113662004 CEST	192.168.2.5	1.1.1.1	0x3e20	Standard query (0)	chrome.cloudflare-dns.com	A (IP address)	IN (0x0001)	false
Sep 4, 2024 09:12:02.114005089 CEST	192.168.2.5	1.1.1.1	0xd01b	Standard query (0)	chrome.cloudflare-dns.com	65	IN (0x0001)	false
Sep 4, 2024 09:12:02.114360094 CEST	192.168.2.5	1.1.1.1	0x474f	Standard query (0)	chrome.cloudflare-dns.com	A (IP address)	IN (0x0001)	false
Sep 4, 2024 09:12:02.114530087 CEST	192.168.2.5	1.1.1.1	0x3b42	Standard query (0)	chrome.cloudflare-dns.com	65	IN (0x0001)	false
Sep 4, 2024 09:12:02.114823103 CEST	192.168.2.5	1.1.1.1	0x6a01	Standard query (0)	chrome.cloudflare-dns.com	A (IP address)	IN (0x0001)	false
Sep 4, 2024 09:12:02.115319014 CEST	192.168.2.5	1.1.1.1	0x30a	Standard query (0)	chrome.cloudflare-dns.com	65	IN (0x0001)	false
Sep 4, 2024 09:12:02.175102949 CEST	192.168.2.5	1.1.1.1	0xec1	Standard query (0)	chrome.cloudflare-dns.com	A (IP address)	IN (0x0001)	false
Sep 4, 2024 09:12:02.175359964 CEST	192.168.2.5	1.1.1.1	0xb067	Standard query (0)	chrome.cloudflare-dns.com	65	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Sep 4, 2024 09:11:58.515461922 CEST	1.1.1.1	192.168.2.5	0x6a4f	No error (0)	bzib.nelreports.net	bzib.nelreports.net.akamaized.net		CNAME (Canonical name)	IN (0x0001)	false
Sep 4, 2024 09:11:58.515602112 CEST	1.1.1.1	192.168.2.5	0x4948	No error (0)	bzib.nelreports.net	bzib.nelreports.net.akamaized.net		CNAME (Canonical name)	IN (0x0001)	false
Sep 4, 2024 09:12:00.088310003 CEST	1.1.1.1	192.168.2.5	0xf625	No error (0)	shed.dual-low.s-part-0032.t-0009.t-msedge.net	azurefd-t-fb-prod.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)	false
Sep 4, 2024 09:12:00.088310003 CEST	1.1.1.1	192.168.2.5	0xf625	No error (0)	dual.s-part-0044.t-0009.fb-t-msedge.net	s-part-0044.t-0009.fb-t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Sep 4, 2024 09:12:00.088310003 CEST	1.1.1.1	192.168.2.5	0xf625	No error (0)	s-part-0044.t-0009.fb-t-msedge.net		13.107.253.72	A (IP address)	IN (0x0001)	false
Sep 4, 2024 09:12:02.119532108 CEST	1.1.1.1	192.168.2.5	0x7b45	No error (0)	chrome.cloudflare-dns.com		172.64.41.3	A (IP address)	IN (0x0001)	false
Sep 4, 2024 09:12:02.119532108 CEST	1.1.1.1	192.168.2.5	0x7b45	No error (0)	chrome.cloudflare-dns.com		162.159.61.3	A (IP address)	IN (0x0001)	false
Sep 4, 2024 09:12:02.119721889 CEST	1.1.1.1	192.168.2.5	0x20b9	No error (0)	chrome.cloudflare-dns.com			65	IN (0x0001)	false
Sep 4, 2024 09:12:02.120403051 CEST	1.1.1.1	192.168.2.5	0x3e20	No error (0)	chrome.cloudflare-dns.com		172.64.41.3	A (IP address)	IN (0x0001)	false
Sep 4, 2024 09:12:02.120403051 CEST	1.1.1.1	192.168.2.5	0x3e20	No error (0)	chrome.cloudflare-dns.com		162.159.61.3	A (IP address)	IN (0x0001)	false
Sep 4, 2024 09:12:02.120613098 CEST	1.1.1.1	192.168.2.5	0xd01b	No error (0)	chrome.cloudflare-dns.com			65	IN (0x0001)	false
Sep 4, 2024 09:12:02.121159077 CEST	1.1.1.1	192.168.2.5	0x474f	No error (0)	chrome.cloudflare-dns.com		172.64.41.3	A (IP address)	IN (0x0001)	false
Sep 4, 2024 09:12:02.121159077 CEST	1.1.1.1	192.168.2.5	0x474f	No error (0)	chrome.cloudflare-dns.com		162.159.61.3	A (IP address)	IN (0x0001)	false
Sep 4, 2024 09:12:02.121169090 CEST	1.1.1.1	192.168.2.5	0x3b42	No error (0)	chrome.cloudflare-dns.com			65	IN (0x0001)	false
Sep 4, 2024 09:12:02.121417999 CEST	1.1.1.1	192.168.2.5	0x6a01	No error (0)	chrome.cloudflare-dns.com		162.159.61.3	A (IP address)	IN (0x0001)	false
Sep 4, 2024 09:12:02.121417999 CEST	1.1.1.1	192.168.2.5	0x6a01	No error (0)	chrome.cloudflare-dns.com		172.64.41.3	A (IP address)	IN (0x0001)	false
Sep 4, 2024 09:12:02.121824980 CEST	1.1.1.1	192.168.2.5	0x30a	No error (0)	chrome.cloudflare-dns.com			65	IN (0x0001)	false
Sep 4, 2024 09:12:02.181627035 CEST	1.1.1.1	192.168.2.5	0xec1	No error (0)	chrome.cloudflare-dns.com		172.64.41.3	A (IP address)	IN (0x0001)	false
Sep 4, 2024 09:12:02.181627035 CEST	1.1.1.1	192.168.2.5	0xec1	No error (0)	chrome.cloudflare-dns.com		162.159.61.3	A (IP address)	IN (0x0001)	false
Sep 4, 2024 09:12:02.182506084 CEST	1.1.1.1	192.168.2.5	0xb067	No error (0)	chrome.cloudflare-dns.com			65	IN (0x0001)	false

HTTP Request Dependency Graph

edgeassetservice.azureedge.net

chrome.cloudflare-dns.com

fs.microsoft.com

https:

www.google.com

slscr.update.microsoft.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49722	13.107.253.72	443	7580	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-04 07:12:00 UTC	711	OUT	GET /assets/domains_config_gz/2.8.76/asset?assetgroup=EntityExtractionDomainsConfig HTTP/1.1 Host: edgeassetservice.azureedge.net Connection: keep-alive Edge-Asset-Group: EntityExtractionDomainsConfig Sec-Mesh-Client-Edge-Version: 117.0.2045.47 Sec-Mesh-Client-Edge-Channel: stable Sec-Mesh-Client-OS: Windows Sec-Mesh-Client-OS-Version: 10.0.19045 Sec-Mesh-Client-Arch: x86_64 Sec-Mesh-Client-WebView: 0 Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47 Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
2024-09-04 07:12:00 UTC	583	IN	HTTP/1.1 200 OK Date: Wed, 04 Sep 2024 07:12:00 GMT Content-Type: application/octet-stream Content-Length: 70207 Connection: close Content-Encoding: gzip Last-Modified: Fri, 02 Aug 2024 18:10:35 GMT ETag: 0x8DCB31E67C22927 x-ms-request-id: 3afe9785-e01e-0066-3464-fbda5d000000 x-ms-version: 2009-09-19 x-ms-lease-status: unlocked x-ms-blob-type: BlockBlob x-azure-ref: 20240904T071200Z-17bfd4cd76csdbttkxpb989b2400000009dg0000000014yx Cache-Control: public, max-age=604800 x-fd-int-roxy-purgeid: 0 X-Cache-Info: L2_T2 X-Cache: TCP_REMOTE_HIT Accept-Ranges: bytes
2024-09-04 07:12:00 UTC	15801	IN	Data Raw: 1f 8b 08 08 1a 21 ad 66 02 ff 61 73 73 65 74 00 ec bd 0b 97 db 36 b2 30 f8 57 b2 b9 33 b3 dd 89 d5 d6 5b dd d9 cd fa f4 d3 f1 f8 39 6d 3b 19 db f1 d5 01 49 48 a2 45 91 0c 1f 6a ab c3 be bf 7d 0b 05 80 00 08 50 52 db ce 77 ef b7 67 67 9c 16 09 14 0a 40 a1 50 a8 2a 14 c0 3f bf f7 93 78 16 ce bf ff e9 bb 3f bf 2f 92 25 8d a7 51 b8 0a 0b 78 ef 8d bb dd 07 df 7d 9f 92 39 9d fa 65 91 cc 66 90 38 1c f4 59 62 40 67 a4 8c 8a 69 94 f8 24 a2 d3 15 49 11 81 c7 f0 c0 df 0e 3c 00 94 97 e3 6b de f1 08 7b a5 11 7b a5 51 67 9e e1 6b 8c af 71 a7 cc f1 15 81 69 de 59 7d c6 d7 02 5f 8b 0e a5 ec d5 c7 5c 3f ef f8 b7 ec 35 20 ec 35 20 9d 60 89 af 14 5f 69 27 40 e0 19 e6 ce 48 27 c4 8a 66 21 be 86 1d 78 60 af 19 be 66 9d 19 e6 2e b0 ec 82 76 c2 08 5f 31 77 91 75 16 3c b7 c4 d7 Data Ascii: !fasset60W3[9m;IHEj}PRwgg@P*?x?/%Qx}9ef8Yb@gi$I<k{{QgkqiY}_\?5 5 `_i'@H'f!x`f.v_1wu<
2024-09-04 07:12:00 UTC	16384	IN	Data Raw: 4a b0 09 cb 82 45 ac c5 f3 e8 07 bb 82 71 ba da 2a 0b c7 62 2c 30 96 c2 52 09 74 65 c0 2a 8a c3 88 95 9c 7c 3e a9 79 09 d4 fa 9a 9f 30 4a 49 28 2b d7 97 ff 7a 7b f9 fa cd f4 c9 05 68 2b 37 9c c1 08 01 cb 2f 28 f3 02 34 de 08 0c a6 34 da 38 c6 ec 48 27 33 28 96 9f 45 d9 4f 9f 12 f7 54 d2 47 a6 39 87 08 81 e9 6d 4f c1 43 97 10 bf ad 59 55 67 39 13 fe 1e 05 67 65 16 87 6c 9b f5 cb 90 60 eb 3d ea 25 09 33 8b f9 4a fb 10 ef 11 3b 7c e8 61 60 14 a0 60 b9 7c 16 e7 69 54 b1 c3 22 c0 e0 29 df c2 05 4c 8f bc f0 67 5e 04 75 33 51 9a b7 e1 61 1a 61 48 f5 c3 30 f7 62 91 d5 a8 34 39 2a 97 ff 2d f5 aa c1 c2 6c 78 e0 35 33 d1 42 b3 75 c4 be 3b f4 d0 68 83 51 a7 81 2d a0 ff 0d 5d 10 62 ed 7f 55 a5 99 9f 25 2b 2f a4 4d 09 21 65 43 c7 04 cf 93 19 f3 c1 d0 b6 e9 14 38 59 31 Data Ascii: JEqb,0Rte\|>y0JI(+z{h+7/(448H'3(EOTG9mOCYUg9gel`=%3J;\|a``\|iT")Lg^u3QaaH0b49*-lx53Bu;hQ-]bU%+/M!eC8Y1
2024-09-04 07:12:00 UTC	16384	IN	Data Raw: 2f 4d 35 19 b9 3f d5 c1 f4 52 a7 67 b3 99 ff bc b7 c2 8e 7c d3 4d 9a a5 bf dc f0 20 15 b1 bc 1f 82 9a 8d 98 a7 af db 80 6b 74 e7 ab 7c e6 18 7d 9a 2b 3e 34 2d 1a e7 c0 d5 e8 b4 a0 0e d4 7d 19 bb 69 52 58 a2 33 32 78 db 4b 2d cd 54 dd d2 2b 9c a0 29 69 1a ba 4a ee 0a 4d 33 5a 7b a7 1a 83 5f f3 f7 fe 2c 2f 84 3b 39 d0 56 82 ef 75 a4 f3 69 57 af 58 09 8c 2a 1d 24 b9 4e 6b cf 63 d0 74 99 e3 02 0f 26 7f 1a 86 a9 a8 69 fa 5a d8 25 83 c1 ea f8 fd 12 62 16 86 38 17 5a 19 6f 13 03 00 e6 6a 07 a4 40 be bb 20 de a6 de bf d1 06 75 32 1f c3 4f 67 41 ad 31 bd b0 9c ee 44 47 33 2a 92 9c d3 f6 35 64 a9 b1 d3 f6 b1 c7 a7 b4 80 af ea c1 2a 6c dd 81 a0 0b 67 ca d2 b2 11 7c 8d dc 39 47 56 d1 bd 08 e8 ec 3e 4f c9 56 d6 7a d3 9a 56 4d 17 50 41 9b 17 9b 37 36 da 2e 7c a4 ba 63 Data Ascii: /M5?Rg\|M kt\|}+>4-}iRX32xK-T+)iJM3Z{_,/;9VuiWX$Nkct&iZ%b8Zoj@ u2OgA1DG35d*lg\|9GV>OVzVMPA76.\|c
2024-09-04 07:12:01 UTC	16384	IN	Data Raw: 99 dc 5a 2e 69 cf 52 41 9e 48 c8 71 d7 39 94 dd f7 b6 3f 2a 48 d1 b5 2e 37 a4 97 5f 43 54 c9 8d d7 76 7a 14 e4 6f 3b 80 f7 6a 61 e8 6f 47 e9 2d cb 60 84 66 2b c0 b9 77 09 1b c0 32 5c aa 6c 0e 25 81 ed a0 5e 61 25 37 6f 3c a5 bc 1f 04 1a dd b1 04 1d c9 73 16 3a 58 a8 69 4d 12 c1 5e e9 66 5f 14 6c e4 9e d4 61 25 e1 2f c3 fc b8 ed df 80 5d 2b 3a 5b 4c 56 c9 72 1f 59 1d 6a 72 0b d2 b0 4c 8e d5 67 db 16 79 41 90 65 4f 4b 68 63 f6 d1 e5 db b6 6a 18 e6 ca 5f 04 79 2e 71 69 5d 0e 19 cc d9 f6 58 27 58 af 1c 18 04 f1 98 d2 bf 15 1e 37 ce e0 1e 88 54 83 3c 82 f8 a8 05 5f b0 1b 3f 2f 02 8f 31 a4 e9 1d ed 45 e6 e4 85 e6 b9 66 4c fd cd 8d e4 58 f7 79 73 8b 47 40 25 b6 0d 7f 78 ff a8 fe e7 7d 69 4a fc 00 c7 b0 37 a9 44 f0 40 1e e8 bd 41 8a b4 0a 5d 5a 2c 0e 60 f7 fb 81 Data Ascii: Z.iRAHq9?*H.7_CTvzo;jaoG-`f+w2\l%^a%7o<s:XiM^f_la%/]+:[LVrYjrLgyAeOKhcj_y.qi]X'X7T<_?/1EfLXysG@%x}iJ7D@A]Z,`
2024-09-04 07:12:01 UTC	5254	IN	Data Raw: 29 50 5f 50 34 9a d3 9a 2a 83 ab 27 93 58 c5 2b d2 9c af 2b 4e 0f 79 ac a9 56 57 20 b1 61 ca d2 f5 ed 38 df 10 b9 60 88 4c 48 ac b1 cd 10 b5 8f 76 49 19 f2 b6 d5 54 1d d1 9c b1 20 7a d3 64 f7 91 a2 0c 4d 73 6d e0 da be ee e6 87 03 9f 5e f7 4f 98 9c 12 cd 88 68 4c 2e b1 48 00 60 c3 31 74 31 8d 87 b4 32 56 02 4f bf e1 a9 3b c0 40 d6 24 8e 10 55 c7 c3 e7 8c f3 78 28 78 d3 94 de b0 5a 4d 22 eb 28 5c 22 00 98 8e 15 1a f8 ab ac 54 f4 5d 80 d0 a5 aa 6e 87 83 fd d6 f1 b0 c0 82 f7 f4 5e ef 2f 2b b8 62 a2 13 a1 4d ae 60 cf 59 3c b1 b1 f4 40 4d 41 74 7c ac 2c 5a 9e ef f4 d2 81 6d 69 e1 d3 8b 73 2c 84 2c 06 37 fd 72 38 10 a5 b2 13 51 f1 a0 a2 06 7d 3f 89 8f 72 35 a0 58 a0 46 79 2f b7 1f cc 57 92 ec c8 b4 b5 f2 5c 65 e7 30 5a 93 e3 b1 8e 5f f5 91 44 87 44 19 1d 59 83 Data Ascii: )P_P4*'X++NyVW a8`LHvIT zdMsm^OhL.H`1t12VO;@$Ux(xZM"(\"T]n^/+bM`Y<@MAt\|,Zmis,,7r8Q}?r5XFy/W\e0Z_DDY

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49721	13.107.253.72	443	7580	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-04 07:12:00 UTC	486	OUT	GET /assets/arbitration_priority_list/4.0.5/asset?assetgroup=ArbitrationService HTTP/1.1 Host: edgeassetservice.azureedge.net Connection: keep-alive Edge-Asset-Group: ArbitrationService Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47 Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
2024-09-04 07:12:00 UTC	552	IN	HTTP/1.1 200 OK Date: Wed, 04 Sep 2024 07:12:00 GMT Content-Type: application/octet-stream Content-Length: 11989 Connection: close Last-Modified: Fri, 30 Aug 2024 17:05:10 GMT ETag: 0x8DCC915E7CD8385 x-ms-request-id: 1b6aa40f-801e-0039-70c1-fc28a3000000 x-ms-version: 2009-09-19 x-ms-lease-status: unlocked x-ms-blob-type: BlockBlob x-azure-ref: 20240904T071200Z-r1ffcbf6898sctx2y46ydkc2yg00000009t00000000046sv Cache-Control: public, max-age=604800 x-fd-int-roxy-purgeid: 0 X-Cache-Info: L1_T2 X-Cache: TCP_HIT Accept-Ranges: bytes
2024-09-04 07:12:00 UTC	11989	IN	Data Raw: 7b 0d 0a 20 20 22 63 6f 6e 66 69 67 56 65 72 73 69 6f 6e 22 3a 20 33 32 2c 0d 0a 20 20 22 50 72 69 76 69 6c 65 67 65 64 45 78 70 65 72 69 65 6e 63 65 73 22 3a 20 5b 0d 0a 20 20 20 20 22 53 68 6f 72 65 6c 69 6e 65 50 72 69 76 69 6c 65 67 65 64 45 78 70 65 72 69 65 6e 63 65 49 44 22 2c 0d 0a 20 20 20 20 22 53 48 4f 50 50 49 4e 47 5f 41 55 54 4f 5f 53 48 4f 57 5f 43 4f 55 50 4f 4e 53 5f 43 48 45 43 4b 4f 55 54 22 2c 0d 0a 20 20 20 20 22 53 48 4f 50 50 49 4e 47 5f 41 55 54 4f 5f 53 48 4f 57 5f 4c 4f 57 45 52 5f 50 52 49 43 45 5f 46 4f 55 4e 44 22 2c 0d 0a 20 20 20 20 22 53 48 4f 50 50 49 4e 47 5f 41 55 54 4f 5f 53 48 4f 57 5f 42 49 4e 47 5f 53 45 41 52 43 48 22 2c 0d 0a 20 20 20 20 22 53 48 4f 50 50 49 4e 47 5f 41 55 54 4f 5f 53 48 4f 57 5f 52 45 42 41 54 45 Data Ascii: { "configVersion": 32, "PrivilegedExperiences": [ "ShorelinePrivilegedExperienceID", "SHOPPING_AUTO_SHOW_COUPONS_CHECKOUT", "SHOPPING_AUTO_SHOW_LOWER_PRICE_FOUND", "SHOPPING_AUTO_SHOW_BING_SEARCH", "SHOPPING_AUTO_SHOW_REBATE

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49729	172.64.41.3	443	7580	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-04 07:12:02 UTC	245	OUT	POST /dns-query HTTP/1.1 Host: chrome.cloudflare-dns.com Connection: keep-alive Content-Length: 128 Accept: application/dns-message Accept-Language: * User-Agent: Chrome Accept-Encoding: identity Content-Type: application/dns-message
2024-09-04 07:12:02 UTC	128	OUT	Data Raw: 00 00 01 00 00 01 00 00 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 00 00 29 10 00 00 00 00 00 00 54 00 0c 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: wwwgstaticcom)TP
2024-09-04 07:12:02 UTC	247	IN	HTTP/1.1 200 OK Server: cloudflare Date: Wed, 04 Sep 2024 07:12:02 GMT Content-Type: application/dns-message Connection: close Access-Control-Allow-Origin: * Content-Length: 468 CF-RAY: 8bdc2b413a707c82-EWR alt-svc: h3=":443"; ma=86400
2024-09-04 07:12:02 UTC	468	IN	Data Raw: 00 00 81 80 00 01 00 01 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 c0 0c 00 01 00 01 00 00 00 f7 00 04 8e fb 28 83 00 00 29 04 d0 00 00 00 00 01 98 00 0c 01 94 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: wwwgstaticcom()

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49728	172.64.41.3	443	7580	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-04 07:12:02 UTC	245	OUT	POST /dns-query HTTP/1.1 Host: chrome.cloudflare-dns.com Connection: keep-alive Content-Length: 128 Accept: application/dns-message Accept-Language: * User-Agent: Chrome Accept-Encoding: identity Content-Type: application/dns-message
2024-09-04 07:12:02 UTC	128	OUT	Data Raw: 00 00 01 00 00 01 00 00 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 00 00 29 10 00 00 00 00 00 00 54 00 0c 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: wwwgstaticcom)TP
2024-09-04 07:12:02 UTC	247	IN	HTTP/1.1 200 OK Server: cloudflare Date: Wed, 04 Sep 2024 07:12:02 GMT Content-Type: application/dns-message Connection: close Access-Control-Allow-Origin: * Content-Length: 468 CF-RAY: 8bdc2b4138fa0f5f-EWR alt-svc: h3=":443"; ma=86400
2024-09-04 07:12:02 UTC	468	IN	Data Raw: 00 00 81 80 00 01 00 01 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 c0 0c 00 01 00 01 00 00 00 d6 00 04 8e fa 50 43 00 00 29 04 d0 00 00 00 00 01 98 00 0c 01 94 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: wwwgstaticcomPC)

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49730	172.64.41.3	443	7580	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-04 07:12:02 UTC	245	OUT	POST /dns-query HTTP/1.1 Host: chrome.cloudflare-dns.com Connection: keep-alive Content-Length: 128 Accept: application/dns-message Accept-Language: * User-Agent: Chrome Accept-Encoding: identity Content-Type: application/dns-message
2024-09-04 07:12:02 UTC	128	OUT	Data Raw: 00 00 01 00 00 01 00 00 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 00 00 29 10 00 00 00 00 00 00 54 00 0c 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: wwwgstaticcom)TP
2024-09-04 07:12:02 UTC	247	IN	HTTP/1.1 200 OK Server: cloudflare Date: Wed, 04 Sep 2024 07:12:02 GMT Content-Type: application/dns-message Connection: close Access-Control-Allow-Origin: * Content-Length: 468 CF-RAY: 8bdc2b414bee5e6a-EWR alt-svc: h3=":443"; ma=86400
2024-09-04 07:12:02 UTC	468	IN	Data Raw: 00 00 81 80 00 01 00 01 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 c0 0c 00 01 00 01 00 00 01 0e 00 04 8e fb 20 63 00 00 29 04 d0 00 00 00 00 01 98 00 0c 01 94 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: wwwgstaticcom c)

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49731	162.159.61.3	443	7580	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-04 07:12:02 UTC	245	OUT	POST /dns-query HTTP/1.1 Host: chrome.cloudflare-dns.com Connection: keep-alive Content-Length: 128 Accept: application/dns-message Accept-Language: * User-Agent: Chrome Accept-Encoding: identity Content-Type: application/dns-message
2024-09-04 07:12:02 UTC	128	OUT	Data Raw: 00 00 01 00 00 01 00 00 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 00 00 29 10 00 00 00 00 00 00 54 00 0c 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: wwwgstaticcom)TP
2024-09-04 07:12:02 UTC	247	IN	HTTP/1.1 200 OK Server: cloudflare Date: Wed, 04 Sep 2024 07:12:02 GMT Content-Type: application/dns-message Connection: close Access-Control-Allow-Origin: * Content-Length: 468 CF-RAY: 8bdc2b41391f42c3-EWR alt-svc: h3=":443"; ma=86400
2024-09-04 07:12:02 UTC	468	IN	Data Raw: 00 00 81 80 00 01 00 01 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 c0 0c 00 01 00 01 00 00 01 25 00 04 8e fb 28 a3 00 00 29 04 d0 00 00 00 00 01 98 00 0c 01 94 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: wwwgstaticcom%()

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49732	172.64.41.3	443	7580	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-04 07:12:02 UTC	245	OUT	POST /dns-query HTTP/1.1 Host: chrome.cloudflare-dns.com Connection: keep-alive Content-Length: 128 Accept: application/dns-message Accept-Language: * User-Agent: Chrome Accept-Encoding: identity Content-Type: application/dns-message
2024-09-04 07:12:02 UTC	128	OUT	Data Raw: 00 00 01 00 00 01 00 00 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 00 00 29 10 00 00 00 00 00 00 54 00 0c 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: wwwgstaticcom)TP
2024-09-04 07:12:02 UTC	247	IN	HTTP/1.1 200 OK Server: cloudflare Date: Wed, 04 Sep 2024 07:12:02 GMT Content-Type: application/dns-message Connection: close Access-Control-Allow-Origin: * Content-Length: 468 CF-RAY: 8bdc2b412c3643c1-EWR alt-svc: h3=":443"; ma=86400
2024-09-04 07:12:02 UTC	468	IN	Data Raw: 00 00 81 80 00 01 00 01 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 c0 0c 00 01 00 01 00 00 01 05 00 04 8e fa 48 63 00 00 29 04 d0 00 00 00 00 01 98 00 0c 01 94 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: wwwgstaticcomHc)

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49733	184.28.90.27	443

Timestamp	Bytes transferred	Direction	Data
2024-09-04 07:12:03 UTC	161	OUT	HEAD /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-09-04 07:12:03 UTC	467	IN	HTTP/1.1 200 OK Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (lpl/EF67) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-weu-z1 Cache-Control: public, max-age=207217 Date: Wed, 04 Sep 2024 07:12:03 GMT Connection: close X-CID: 2

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.5	49734	184.28.90.27	443

Timestamp	Bytes transferred	Direction	Data
2024-09-04 07:12:04 UTC	239	OUT	GET /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity If-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMT Range: bytes=0-2147483646 User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-09-04 07:12:04 UTC	515	IN	HTTP/1.1 200 OK ApiVersion: Distribute 1.1 Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (lpl/EF06) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-weu-z1 Cache-Control: public, max-age=207270 Date: Wed, 04 Sep 2024 07:12:04 GMT Content-Length: 55 Connection: close X-CID: 2
2024-09-04 07:12:04 UTC	55	IN	Data Raw: 7b 22 66 6f 6e 74 53 65 74 55 72 69 22 3a 22 66 6f 6e 74 73 65 74 2d 32 30 31 37 2d 30 34 2e 6a 73 6f 6e 22 2c 22 62 61 73 65 55 72 69 22 3a 22 66 6f 6e 74 73 22 7d Data Ascii: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.5	49737	142.250.65.238	443	7580	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-04 07:12:04 UTC	567	OUT	OPTIONS /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Accept: / Access-Control-Request-Method: POST Access-Control-Request-Headers: x-goog-authuser Origin: https://accounts.google.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47 Sec-Fetch-Mode: cors Sec-Fetch-Site: same-site Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.9
2024-09-04 07:12:04 UTC	520	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Max-Age: 86400 Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web,authorization,origin,x-goog-authuser Content-Type: text/plain; charset=UTF-8 Date: Wed, 04 Sep 2024 07:12:04 GMT Server: Playlog Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.5	49738	142.250.65.238	443	7580	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-04 07:12:04 UTC	567	OUT	OPTIONS /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Accept: / Access-Control-Request-Method: POST Access-Control-Request-Headers: x-goog-authuser Origin: https://accounts.google.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47 Sec-Fetch-Mode: cors Sec-Fetch-Site: same-site Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.9
2024-09-04 07:12:05 UTC	520	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Max-Age: 86400 Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web,authorization,origin,x-goog-authuser Content-Type: text/plain; charset=UTF-8 Date: Wed, 04 Sep 2024 07:12:05 GMT Server: Playlog Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.5	49739	142.251.40.132	443	7580	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-04 07:12:05 UTC	887	OUT	GET /favicon.ico HTTP/1.1 Host: www.google.com Connection: keep-alive sec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47 sec-ch-ua-arch: "x86" sec-ch-ua-full-version: "117.0.2045.47" sec-ch-ua-platform-version: "10.0.0" sec-ch-ua-full-version-list: "Microsoft Edge";v="117.0.2045.47", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 Sec-Fetch-Site: same-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.9
2024-09-04 07:12:05 UTC	705	IN	HTTP/1.1 200 OK Accept-Ranges: bytes Cross-Origin-Resource-Policy: cross-origin Cross-Origin-Opener-Policy-Report-Only: same-origin; report-to="static-on-bigtable" Report-To: {"group":"static-on-bigtable","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/static-on-bigtable"}]} Content-Length: 5430 X-Content-Type-Options: nosniff Server: sffe X-XSS-Protection: 0 Date: Wed, 04 Sep 2024 06:51:43 GMT Expires: Thu, 12 Sep 2024 06:51:43 GMT Cache-Control: public, max-age=691200 Last-Modified: Tue, 22 Oct 2019 18:30:00 GMT Content-Type: image/x-icon Vary: Accept-Encoding Age: 1222 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-09-04 07:12:05 UTC	685	IN	Data Raw: 00 00 01 00 02 00 10 10 00 00 01 00 20 00 68 04 00 00 26 00 00 00 20 20 00 00 01 00 20 00 a8 10 00 00 8e 04 00 00 28 00 00 00 10 00 00 00 20 00 00 00 01 00 20 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff ff 30 fd fd fd 96 fd fd fd d8 fd fd fd f9 fd fd fd f9 fd fd fd d7 fd fd fd 94 fe fe fe 2e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 09 fd fd fd 99 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd 95 ff ff ff 08 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 09 fd fd fd c1 ff ff ff ff fa fd f9 ff b4 d9 a7 ff 76 ba 5d ff 58 ab 3a ff 58 aa 3a ff 72 b8 59 ff ac d5 9d ff f8 fb f6 ff ff Data Ascii: h& ( 0.v]X:X:rY
2024-09-04 07:12:05 UTC	1390	IN	Data Raw: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd d8 fd fd fd 99 ff ff ff ff 92 cf fb ff 37 52 ec ff 38 46 ea ff d0 d4 fa ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd 96 fe fe fe 32 ff ff ff ff f9 f9 fe ff 56 62 ed ff 35 43 ea ff 3b 49 eb ff 95 9c f4 ff cf d2 fa ff d1 d4 fa ff 96 9d f4 ff 52 5e ed ff e1 e3 fc ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 30 00 00 00 00 fd fd fd 9d ff ff ff ff e8 ea fd ff 58 63 ee ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 6c 76 f0 ff ff ff ff ff ff ff ff ff fd fd fd 98 00 00 00 00 00 00 00 00 ff ff ff 0a fd fd fd c3 ff ff ff ff f9 f9 fe ff a5 ac f6 ff 5d 69 ee ff 3c 4a Data Ascii: 7R8F2Vb5C;IR^0Xc5C5C5C5C5C5Clv]i<J
2024-09-04 07:12:05 UTC	1390	IN	Data Raw: ff ff ff ff ff ff ff ff ff ff ff fd fd fd d0 ff ff ff 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fd fd fd 8b ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff b1 d8 a3 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 60 a5 35 ff ca 8e 3e ff f9 c1 9f ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd 87 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 25 fd fd fd fb ff ff ff ff ff ff ff ff ff ff ff ff c2 e0 b7 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 6e b6 54 ff 9f ce 8d ff b7 da aa ff b8 db ab ff a5 d2 95 ff 7b bc 64 ff 54 a8 35 ff 53 a8 34 ff 77 a0 37 ff e3 89 41 ff f4 85 42 ff f4 85 42 ff Data Ascii: S4S4S4S4S4S4S4S4S4S4S4S4S4S4`5>%S4S4S4S4S4S4nT{dT5S4w7ABB
2024-09-04 07:12:05 UTC	1390	IN	Data Raw: ff f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff fb d5 bf ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd ea fd fd fd cb ff ff ff ff ff ff ff ff ff ff ff ff 46 cd fc ff 05 bc fb ff 05 bc fb ff 05 bc fb ff 21 ae f9 ff fb fb ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd c8 fd fd fd 9c ff ff ff ff ff ff ff ff ff ff ff ff 86 df fd ff 05 bc fb ff 05 bc fb ff 15 93 f5 ff 34 49 eb ff b3 b8 f7 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Data Ascii: BBBBBBF!4I
2024-09-04 07:12:05 UTC	575	IN	Data Raw: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd d2 fe fe fe 24 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff ff 0a fd fd fd 8d fd fd fd fc ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd fb fd fd fd 8b fe fe fe 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 27 fd fd fd 9f fd fd fd f7 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Data Ascii: $'

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.5	49742	40.68.123.157	443

Timestamp	Bytes transferred	Direction	Data
2024-09-04 07:12:12 UTC	306	OUT	GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=xX6G8uuRM2u6AlD&MD=BgroDaC4 HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-09-04 07:12:12 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "XAopazV00XDWnJCwkmEWRv6JkbjRA9QSSZ2+e/3MzEk=_2880" MS-CorrelationId: 3ecd6c08-e856-405a-8782-bfd47ef059a1 MS-RequestId: aa78f096-5898-4f38-a4d5-19ec81b256c3 MS-CV: lSWr7j4c80OKHOUa.0 X-Microsoft-SLSClientCache: 2880 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Wed, 04 Sep 2024 07:12:11 GMT Connection: close Content-Length: 24490
2024-09-04 07:12:12 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 92 1e 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 23 d0 00 00 14 00 00 00 00 00 10 00 92 1e 00 00 18 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 e6 42 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 78 cf 8d 5c 26 1e e6 42 43 4b ed 5c 07 54 13 db d6 4e a3 f7 2e d5 d0 3b 4c 42 af 4a 57 10 e9 20 bd 77 21 94 80 88 08 24 2a 02 02 d2 55 10 a4 a8 88 97 22 8a 0a d2 11 04 95 ae d2 8b 20 28 0a 88 20 45 05 f4 9f 80 05 bd ed dd f7 ff 77 dd f7 bf 65 d6 4a 66 ce 99 33 67 4e d9 7b 7f fb db 7b 56 f4 4d 34 b4 21 e0 a7 03 0a d9 fc 68 6e 1d 20 70 28 14 02 85 20 20 ad 61 10 08 e3 66 0d ed 66 9b 1d 6a 90 af 1f 17 f0 4b 68 35 01 83 6c fb 44 42 5c 7d 83 3d 03 30 be 3e ae be 58 Data Ascii: MSCFD#AdBenvironment.cabx\&BCK\TN.;LBJW w!$*U" ( EweJf3gN{{VM4!hn p( affjKh5lDB\}=0>X
2024-09-04 07:12:12 UTC	8666	IN	Data Raw: 04 01 31 2f 30 2d 30 0a 02 05 00 e1 2b 8a 50 02 01 00 30 0a 02 01 00 02 02 12 fe 02 01 ff 30 07 02 01 00 02 02 11 e6 30 0a 02 05 00 e1 2c db d0 02 01 00 30 36 06 0a 2b 06 01 04 01 84 59 0a 04 02 31 28 30 26 30 0c 06 0a 2b 06 01 04 01 84 59 0a 03 02 a0 0a 30 08 02 01 00 02 03 07 a1 20 a1 0a 30 08 02 01 00 02 03 01 86 a0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 03 81 81 00 0c d9 08 df 48 94 57 65 3e ad e7 f2 17 9c 1f ca 3d 4d 6c cd 51 e1 ed 9c 17 a5 52 35 0f fd de 4b bd 22 92 c5 69 e5 d7 9f 29 23 72 40 7a ca 55 9d 8d 11 ad d5 54 00 bb 53 b4 87 7b 72 84 da 2d f6 e3 2c 4f 7e ba 1a 58 88 6e d6 b9 6d 16 ae 85 5b b5 c2 81 a8 e0 ee 0a 9c 60 51 3a 7b e4 61 f8 c3 e4 38 bd 7d 28 17 d6 79 f0 c8 58 c6 ef 1f f7 88 65 b1 ea 0a c0 df f7 ee 5c 23 c2 27 fd 98 63 08 31 Data Ascii: 1/0-0+P000,06+Y1(0&0+Y0 00*HHWe>=MlQR5K"i)#r@zUTS{r-,O~Xnm[`Q:{a8}(yXe\#'c1

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.5	49749	40.68.123.157	443

Timestamp	Bytes transferred	Direction	Data
2024-09-04 07:12:51 UTC	306	OUT	GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=xX6G8uuRM2u6AlD&MD=BgroDaC4 HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-09-04 07:12:51 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "vic+p1MiJJ+/WMnK08jaWnCBGDfvkGRzPk9f8ZadQHg=_1440" MS-CorrelationId: ada12670-3e74-4693-b239-c07e8f975d98 MS-RequestId: 7830d9a9-f5b1-4924-8229-5a97285fc845 MS-CV: JcBA8HzuakGKaWZ9.0 X-Microsoft-SLSClientCache: 1440 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Wed, 04 Sep 2024 07:12:51 GMT Connection: close Content-Length: 30005
2024-09-04 07:12:51 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 8d 2b 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 5b 49 00 00 14 00 00 00 00 00 10 00 8d 2b 00 00 a8 49 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 72 4d 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 fe f6 51 be 21 2b 72 4d 43 4b ed 7c 05 58 54 eb da f6 14 43 49 37 0a 02 d2 b9 86 0e 41 52 a4 1b 24 a5 bb 43 24 44 18 94 90 92 52 41 3a 05 09 95 ee 54 b0 00 91 2e e9 12 10 04 11 c9 6f 10 b7 a2 67 9f bd cf 3e ff b7 ff b3 bf 73 ed e1 9a 99 f5 c6 7a d7 bb de f5 3e cf fd 3c f7 dc 17 4a 1a 52 e7 41 a8 97 1e 14 f4 e5 25 7d f4 05 82 82 c1 20 30 08 06 ba c3 05 02 11 7f a9 c1 ff d2 87 5c 1e f4 ed 65 8e 7a 1f f6 0a 40 03 1d 7b f9 83 2c 1c 2f db b8 3a 39 3a 58 38 ba 73 5e Data Ascii: MSCF+D[I+IdrMenvironment.cabQ!+rMCK\|XTCI7AR$C$DRA:T.og>sz><JRA%} 0\ez@{,/:9:X8s^
2024-09-04 07:12:51 UTC	14181	IN	Data Raw: 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 26 30 24 06 03 55 04 03 13 1d 4d 69 63 72 6f 73 6f 66 74 20 54 69 6d 65 2d 53 74 61 6d 70 20 50 43 41 20 32 30 31 30 30 1e 17 0d 32 33 31 30 31 32 31 39 30 37 32 35 5a 17 0d 32 35 30 31 31 30 31 39 30 37 32 35 5a 30 81 d2 31 0b 30 09 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 2d 30 2b 06 03 55 04 0b 13 24 4d 69 63 72 6f Data Ascii: UUS10UWashington10URedmond10UMicrosoft Corporation1&0$UMicrosoft Time-Stamp PCA 20100231012190725Z250110190725Z010UUS10UWashington10URedmond10UMicrosoft Corporation1-0+U$Micro

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.5	49755	23.219.161.132	443	7580	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-04 07:12:59 UTC	442	OUT	OPTIONS /api/report?cat=bingbusiness HTTP/1.1 Host: bzib.nelreports.net Connection: keep-alive Origin: https://business.bing.com Access-Control-Request-Method: POST Access-Control-Request-Headers: content-type User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47 Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
2024-09-04 07:12:59 UTC	331	IN	HTTP/1.1 429 Too Many Requests Content-Length: 0 Date: Wed, 04 Sep 2024 07:12:59 GMT Connection: close PMUSER_FORMAT_QS: X-CDN-TraceId: 0.84112317.1725433979.9ffbcc1 Access-Control-Allow-Credentials: false Access-Control-Allow-Methods: * Access-Control-Allow-Methods: GET, OPTIONS, POST Access-Control-Allow-Origin: *

Target ID:	0
Start time:	03:11:52
Start date:	04/09/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0xfc0000
File size:	917'504 bytes
MD5 hash:	A7B043CD523ABC9DDB4756A6C633B5CA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	1
Start time:	03:11:52
Start date:	04/09/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
Imagebase:	0x7ff6c1cf0000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	03:11:52
Start date:	04/09/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2064 --field-trial-handle=2036,i,3849763096522647370,4896450222763674263,262144 --disable-features=TranslateUI /prefetch:3
Imagebase:	0x7ff6c1cf0000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	03:11:52
Start date:	04/09/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate
Imagebase:	0x7ff6c1cf0000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	03:11:53
Start date:	04/09/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2028 --field-trial-handle=2044,i,11574969173397465828,18444030210144044815,262144 --disable-features=TranslateUI /prefetch:3
Imagebase:	0x7ff6c1cf0000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	03:11:58
Start date:	04/09/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=7332 --field-trial-handle=2044,i,11574969173397465828,18444030210144044815,262144 --disable-features=TranslateUI /prefetch:8
Imagebase:	0x7ff6c1cf0000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	03:11:58
Start date:	04/09/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=7304 --field-trial-handle=2044,i,11574969173397465828,18444030210144044815,262144 --disable-features=TranslateUI /prefetch:8
Imagebase:	0x7ff6c1cf0000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	03:12:11
Start date:	04/09/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start /prefetch:5
Imagebase:	0x7ff6c1cf0000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	03:12:11
Start date:	04/09/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2944 --field-trial-handle=2768,i,548461295133709711,14865383362578032956,262144 /prefetch:3
Imagebase:	0x7ff6c1cf0000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	03:12:13
Start date:	04/09/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=4480 --field-trial-handle=2768,i,548461295133709711,14865383362578032956,262144 /prefetch:8
Imagebase:	0x7ff6c1cf0000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	03:12:19
Start date:	04/09/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start /prefetch:5
Imagebase:	0x7ff6c1cf0000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	03:12:19
Start date:	04/09/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2284 --field-trial-handle=2124,i,5193650039718528943,5512548186967427648,262144 /prefetch:3
Imagebase:	0x7ff6c1cf0000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	03:12:19
Start date:	04/09/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=3596 --field-trial-handle=2124,i,5193650039718528943,5512548186967427648,262144 /prefetch:8
Imagebase:	0x7ff6c1cf0000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	1.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4.7%
Total number of Nodes:	1399
Total number of Limit Nodes:	39

Executed Functions

Function 00FC42DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00FC430D

Part of subcall function 00FC6B57: _wcslen.LIBCMT ref: 00FC6B6A

GetCurrentProcess.KERNEL32(?,0105CB64,00000000,?,?), ref: 00FC4422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00FC4429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00FC4454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00FC4466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00FC4474
FreeLibrary.KERNEL32(00000000,?,?), ref: 00FC447B
GetSystemInfo.KERNEL32(?,?,?), ref: 00FC44A0

Strings

GetNativeSystemInfo, xrefs: 00FC4460
kernel32.dll, xrefs: 00FC444F
|O, xrefs: 010036F8

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 494dd4c5d6ee55b917f6dfc0c890869f2ac371f997f6d7695a08aa8926e0f9e4
Instruction ID: 3f7d477aad0342a08738c9175e40d814702504c07a1491ee1366a27fc0b78cb9
Opcode Fuzzy Hash: 494dd4c5d6ee55b917f6dfc0c890869f2ac371f997f6d7695a08aa8926e0f9e4
Instruction Fuzzy Hash: F0A1B136B0A3C3CFD737C76975616A53FF47B26220B18C89DD8C1A7A4AD23A4508DB61

Function 00FC42A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00FC50AA,?,?,00000000,00000000), ref: 00FC42B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00FC50AA,?,?,00000000,00000000), ref: 00FC42C9
LoadResource.KERNEL32(?,00000000,?,?,00FC50AA,?,?,00000000,00000000,?,?,?,?,?,?,00FC4F20), ref: 010035BE
SizeofResource.KERNEL32(?,00000000,?,?,00FC50AA,?,?,00000000,00000000,?,?,?,?,?,?,00FC4F20), ref: 010035D3
LockResource.KERNEL32(00FC50AA,?,?,00FC50AA,?,?,00000000,00000000,?,?,?,?,?,?,00FC4F20,?), ref: 010035E6

Strings

SCRIPT, xrefs: 00FC42BF

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 4235410384bc762cab5ede1da8cab6bdeca45d6c8433fa4d8a6d50e5de14b4ad
Instruction ID: be72716bdc11c7f8020ab9401f8071fa4b3caddc35a9569bc60400980ef57826
Opcode Fuzzy Hash: 4235410384bc762cab5ede1da8cab6bdeca45d6c8433fa4d8a6d50e5de14b4ad
Instruction Fuzzy Hash: BD11AC70200301BFE7258B65DE4AF677BBDEBC5B51F20456DB84686290DB72E800E630

Function 01002BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00FC2B6B

Part of subcall function 00FC3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,01091418,?,00FC2E7F,?,?,?,00000000), ref: 00FC3A78

Part of subcall function 00FC9CB3: _wcslen.LIBCMT ref: 00FC9CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,01082224), ref: 01002C10
ShellExecuteW.SHELL32(00000000,?,?,01082224), ref: 01002C17

Strings

runas, xrefs: 01002C0B

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: 40627567f5b256b89fb6c7bae153af6436027f45e5977bfa177c85cac31b7720
Instruction ID: cbf7ae887d1394f1cdef8d59090d4c5a0e0855b99b2e0244f237a1b178c8fd06
Opcode Fuzzy Hash: 40627567f5b256b89fb6c7bae153af6436027f45e5977bfa177c85cac31b7720
Instruction Fuzzy Hash: 2511D2316083476ACB15FF20DE57F6EBBA4EB95360F44442CB1C206092CF398A4AA712

Function 0102DBBE Relevance: 6.0, APIs: 4, Instructions: 29
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(?,01005222), ref: 0102DBCE
GetFileAttributesW.KERNELBASE(?), ref: 0102DBDD
FindFirstFileW.KERNEL32(?,?), ref: 0102DBEE
FindClose.KERNEL32(00000000), ref: 0102DBFA

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: bce5978e741563c33c4fb806dc7e7a4ee72ba825df4101d462c2f179f085d9b5
Instruction ID: d27fee451edac0084c1e7186d7e543746e2a3cdb5ad72d073924d8a6adf9f986
Opcode Fuzzy Hash: bce5978e741563c33c4fb806dc7e7a4ee72ba825df4101d462c2f179f085d9b5
Instruction Fuzzy Hash: A1F0A73041072597A3306BBC990D46B37AC9E01375B104742F4B5D20D0EBB55D548795

Function 0104AFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 0104B198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0104B1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0104B1D4
_wcslen.LIBCMT ref: 0104B200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0104B214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0104B236
_wcslen.LIBCMT ref: 0104B332

Part of subcall function 010305A7: GetStdHandle.KERNEL32(000000F6), ref: 010305C6

_wcslen.LIBCMT ref: 0104B34B
_wcslen.LIBCMT ref: 0104B366
CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0104B3B6
GetLastError.KERNEL32(00000000), ref: 0104B407
CloseHandle.KERNEL32(?), ref: 0104B439
CloseHandle.KERNEL32(00000000), ref: 0104B44A
CloseHandle.KERNEL32(00000000), ref: 0104B45C
CloseHandle.KERNEL32(00000000), ref: 0104B46E
CloseHandle.KERNEL32(?), ref: 0104B4E3

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: 47e69bc25ad6e775ec2f74e4f4711ebada138563f8ea4a4b41657078b5264541
Instruction ID: c49c21d50cbe57a629905fe4e0a37db726549338ffdb7a021979e2c9a131cfa1
Opcode Fuzzy Hash: 47e69bc25ad6e775ec2f74e4f4711ebada138563f8ea4a4b41657078b5264541
Instruction Fuzzy Hash: 84F1C1715043419FD714EF28C981B6EBBE5AF85310F1889ADF8C59B2A2CB35EC04CB52

Function 00FCD730 Relevance: 21.6, APIs: 14, Instructions: 625windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 00FCD807
timeGetTime.WINMM ref: 00FCDA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00FCDB28
TranslateMessage.USER32(?), ref: 00FCDB7B
DispatchMessageW.USER32(?), ref: 00FCDB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00FCDB9F
Sleep.KERNELBASE(0000000A), ref: 00FCDBB1

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: bc1399a8e3affec346b05495d7531c4a648a5b2326a1f83ee91bd9c5ce1fc54b
Instruction ID: e7e81a4a8758e30bdbf9c5ba106af1f2ed58939a420b2356171cb5f732bf19b1
Opcode Fuzzy Hash: bc1399a8e3affec346b05495d7531c4a648a5b2326a1f83ee91bd9c5ce1fc54b
Instruction Fuzzy Hash: 9F420130608342EFD739CB24C986FAEBBE1BF85314F14456DE59687281D779E844EB82

Function 00FC2CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00FC2D07
RegisterClassExW.USER32(00000030), ref: 00FC2D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00FC2D42
InitCommonControlsEx.COMCTL32(?), ref: 00FC2D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00FC2D6F
LoadIconW.USER32(000000A9), ref: 00FC2D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00FC2D94

Strings

+, xrefs: 00FC2CF0
TaskbarCreated, xrefs: 00FC2D37
AutoIt v3 GUI, xrefs: 00FC2D23
0, xrefs: 00FC2CE9

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 6afa300eefaf45f8757d058eb65160c87c76e215e09825eb48aabb0c23359ba9
Instruction ID: f6bd92d1ed31fc1d42e7bddbb849b5a773573b0df0de3e8d7feb65056be4834a
Opcode Fuzzy Hash: 6afa300eefaf45f8757d058eb65160c87c76e215e09825eb48aabb0c23359ba9
Instruction Fuzzy Hash: 2D211FB5E01309AFEB10DF94E949BDE7FB8FB08710F00811AF591A6284D7BA0544CF51

Function 0100065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0100039A: CreateFileW.KERNELBASE(00000000,00000000,?,01000704,?,?,00000000,?,01000704,00000000,0000000C), ref: 010003B7

GetLastError.KERNEL32 ref: 0100076F
__dosmaperr.LIBCMT ref: 01000776
GetFileType.KERNELBASE(00000000), ref: 01000782
GetLastError.KERNEL32 ref: 0100078C
__dosmaperr.LIBCMT ref: 01000795
CloseHandle.KERNEL32(00000000), ref: 010007B5
CloseHandle.KERNEL32(?), ref: 010008FF
GetLastError.KERNEL32 ref: 01000931
__dosmaperr.LIBCMT ref: 01000938

Strings

H, xrefs: 010008BD

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 1957df415e83bfb38dd8fb906b90e26d9e9937177fbd4caf397b29a7823106bc
Instruction ID: 6f2e8e3193ebb7a94ef8146bb6d9854d4ed72ad4c314852319a663df5ae085f7
Opcode Fuzzy Hash: 1957df415e83bfb38dd8fb906b90e26d9e9937177fbd4caf397b29a7823106bc
Instruction Fuzzy Hash: A1A12932A041488FEF1AAF68DC51BAE3BE5EB06360F144199F8959B2D5D7398902CB51

Function 00FC344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00FC3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,01091418,?,00FC2E7F,?,?,?,00000000), ref: 00FC3A78

Part of subcall function 00FC3357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00FC3379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00FC356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0100318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 010031CE
RegCloseKey.ADVAPI32(?), ref: 01003210
_wcslen.LIBCMT ref: 01003277
_wcslen.LIBCMT ref: 01003286

Strings

Software\AutoIt v3\AutoIt, xrefs: 00FC3560
\Include\, xrefs: 00FC3527
\, xrefs: 0100328C
Include, xrefs: 01003184, 010031C5

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: 3ebe9d98a9c755e5bdbb7e285313ad34ccb0491f5df9fb4e4d4038a7d26867b9
Instruction ID: b7ccdb29df7f383537b286cf6910e05ddac062d75dd8c687715a607023b252e0
Opcode Fuzzy Hash: 3ebe9d98a9c755e5bdbb7e285313ad34ccb0491f5df9fb4e4d4038a7d26867b9
Instruction Fuzzy Hash: 11710171408302AED325DF29DD92DABBBE8FF85340F40882EF5C5871A4EB369548CB52

Function 00FC2B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00FC2B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00FC2B9D
LoadIconW.USER32(00000063), ref: 00FC2BB3
LoadIconW.USER32(000000A4), ref: 00FC2BC5
LoadIconW.USER32(000000A2), ref: 00FC2BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00FC2BEF
RegisterClassExW.USER32(?), ref: 00FC2C40

Part of subcall function 00FC2CD4: GetSysColorBrush.USER32(0000000F), ref: 00FC2D07
Part of subcall function 00FC2CD4: RegisterClassExW.USER32(00000030), ref: 00FC2D31
Part of subcall function 00FC2CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00FC2D42
Part of subcall function 00FC2CD4: InitCommonControlsEx.COMCTL32(?), ref: 00FC2D5F
Part of subcall function 00FC2CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00FC2D6F
Part of subcall function 00FC2CD4: LoadIconW.USER32(000000A9), ref: 00FC2D85
Part of subcall function 00FC2CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00FC2D94

Strings

0, xrefs: 00FC2C0F
#, xrefs: 00FC2C16
AutoIt v3, xrefs: 00FC2C2F

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 040fbf69329962dcd8f146d1bfc46befc4b202b6e5473db25ced5c89c630c4af
Instruction ID: d81656ca3abe46dee2a9684f8bb08950157ee91d2ddb65f98adcfd8c140e6cf5
Opcode Fuzzy Hash: 040fbf69329962dcd8f146d1bfc46befc4b202b6e5473db25ced5c89c630c4af
Instruction Fuzzy Hash: DE216F70F00319AFDB209FA5E965B9E7FB9FB08B60F00C11AF584A6684D7BA0540DF90

Function 00FC3170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,00FC316A,?,?), ref: 00FC31D8
KillTimer.USER32(?,00000001,?,?,?,?,?,00FC316A,?,?), ref: 00FC3204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00FC3227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,00FC316A,?,?), ref: 00FC3232
CreatePopupMenu.USER32 ref: 00FC3246
PostQuitMessage.USER32(00000000), ref: 00FC3267

Strings

TaskbarCreated, xrefs: 00FC322D

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 92e3a37c773b35ff78152442f7caac15480796c08356528d05d8cea5a3e57b70
Instruction ID: 28e0acec37f75cc013b3d3723fd178a7b08f997394cc748643f8bede28cd10b8
Opcode Fuzzy Hash: 92e3a37c773b35ff78152442f7caac15480796c08356528d05d8cea5a3e57b70
Instruction Fuzzy Hash: D441F436B44207AAEF251B289F1FFBA3A69F7053A0F08C11DF58285585C67A8E40B761

Function 00FC2C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00FC2C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00FC2CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00FC1CAD,?), ref: 00FC2CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00FC1CAD,?), ref: 00FC2CCF

Strings

edit, xrefs: 00FC2CAC
AutoIt v3, xrefs: 00FC2C89, 00FC2C8E, 00FC2C8F

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 8e1f16d8818497ca4acabb4814aabae637b518d764c7beab87ea6781e773c2a9
Instruction ID: 5d9688299ff6f2ae4b34f8bd608aec288e26528c59b02a55ba07e304d100e932
Opcode Fuzzy Hash: 8e1f16d8818497ca4acabb4814aabae637b518d764c7beab87ea6781e773c2a9
Instruction Fuzzy Hash: 92F0DA756403957AEB311727AC1CE772EBDF7C6F60B00805EF944A6554C67A1850DBB0

Function 0102E97B Relevance: 7.5, APIs: 5, Instructions: 47
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 0102E997
QueryPerformanceFrequency.KERNEL32(?), ref: 0102E9A5
Sleep.KERNEL32(00000000), ref: 0102E9AD
QueryPerformanceCounter.KERNEL32(?), ref: 0102E9B7
Sleep.KERNELBASE ref: 0102E9F3

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 4614b0e67ae559c83d784fdbc66a48fe57c561b9bae1b4f341d53f2537957d5f
Instruction ID: e642877e88f8ca021afe5ddd80ed9cc997a0799ec45559041ba475ac34664a1e
Opcode Fuzzy Hash: 4614b0e67ae559c83d784fdbc66a48fe57c561b9bae1b4f341d53f2537957d5f
Instruction Fuzzy Hash: 1901A931E00739DBDF10AFE4D948AEEBBB8FF09300F000546E582B2244CB398540CBA1

Function 00FC3B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00FC3B0F,SwapMouseButtons,00000004,?), ref: 00FC3B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00FC3B0F,SwapMouseButtons,00000004,?), ref: 00FC3B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00FC3B0F,SwapMouseButtons,00000004,?), ref: 00FC3B83

Strings

Control Panel\Mouse, xrefs: 00FC3B3E

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 41ad193487217bec13801e172e0f758c9bb709ca1d145f43a0f077032b8a04a1
Instruction ID: 920975529ef44fc8924940794ec411770bb4874ad0007b4bd5afbfff048cf6fd
Opcode Fuzzy Hash: 41ad193487217bec13801e172e0f758c9bb709ca1d145f43a0f077032b8a04a1
Instruction Fuzzy Hash: E3112AB5510209FFDB208FA5DD45EEFB7BCEF45794B108459B805D7114D231AE44AB60

Function 00FC3923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 010033A2

Part of subcall function 00FC6B57: _wcslen.LIBCMT ref: 00FC6B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00FC3A04

Strings

Line: , xrefs: 010033EB

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: e36ff8a9d598a5659d56ace4be0c842ab66bffbc1f4cda47ba7af29a16ad24ab
Instruction ID: 16404a1405b5a7c3bbb529c4437ffc05663b6ac4d15c05dc7a6cc76e5ed38f3d
Opcode Fuzzy Hash: e36ff8a9d598a5659d56ace4be0c842ab66bffbc1f4cda47ba7af29a16ad24ab
Instruction Fuzzy Hash: 8431C471908302AAD725EB20DD46FEBB7E8AB44760F00C91EF5D992181DB789648D7C2

Function 00FDFDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00FE0668

Part of subcall function 00FE32A4: RaiseException.KERNEL32(?,?,?,00FE068A,?,01091444,?,?,?,?,?,?,00FE068A,00FC1129,01088738,00FC1129), ref: 00FE3304

__CxxThrowException@8.LIBVCRUNTIME ref: 00FE0685

Strings

Unknown exception, xrefs: 00FE0692

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: b3cc78a59c5b195e0840ecb621e3c3a595e8c8e89de172a6d98d073128ef2655
Instruction ID: a26982b27b007776ba85e01f4c44f1d74b33fcdc2e054a89addc7b1f867ce19d
Opcode Fuzzy Hash: b3cc78a59c5b195e0840ecb621e3c3a595e8c8e89de172a6d98d073128ef2655
Instruction Fuzzy Hash: B6F04C34C0038D73CB00B666DC4AD5E777E5E00320BA44136B964D6591EFB5DA69F9C0

Function 00FC10F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00FC1BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00FC1BF4
Part of subcall function 00FC1BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00FC1BFC
Part of subcall function 00FC1BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00FC1C07
Part of subcall function 00FC1BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00FC1C12
Part of subcall function 00FC1BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00FC1C1A
Part of subcall function 00FC1BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00FC1C22

Part of subcall function 00FC1B4A: RegisterWindowMessageW.USER32(00000004,?,00FC12C4), ref: 00FC1BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00FC136A
OleInitialize.OLE32 ref: 00FC1388
CloseHandle.KERNEL32(00000000,00000000), ref: 010024AB

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: f0c2e127b0846eb88c228a6f7c4f446c58a347b2544e534f4b7fa8c2d203d355
Instruction ID: bbfe7afc9247d8a5404b6c0d388243b25399be5f1322f595769d20ce9fdb6bbe
Opcode Fuzzy Hash: f0c2e127b0846eb88c228a6f7c4f446c58a347b2544e534f4b7fa8c2d203d355
Instruction Fuzzy Hash: 0B71BEB4B01303CFC7A5DF79E666A563AE4BB4836435A822ED4DAC7349EB3A4401DF41

Function 0102C161 Relevance: 4.6, APIs: 3, Instructions: 74timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FC3923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00FC3A04

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0102C259
KillTimer.USER32(?,00000001,?,?), ref: 0102C261
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0102C270

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: fd81c1002801a3a02b68928e5c86b63ef511787c310921857501ae3e3021d5ab
Instruction ID: fbf22ead45b3b0dccd69268d0d8f6a92ec692d0eefcc666553ff8608426ff950
Opcode Fuzzy Hash: fd81c1002801a3a02b68928e5c86b63ef511787c310921857501ae3e3021d5ab
Instruction Fuzzy Hash: CB31C070900364AFFB728B688955BEBBBECAB03308F00409AD6DE93241C7745688CB51

Function 00FF86AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(00000000,00000000,?,?,00FF85CC,?,01088CC8,0000000C), ref: 00FF8704
GetLastError.KERNEL32(?,00FF85CC,?,01088CC8,0000000C), ref: 00FF870E
__dosmaperr.LIBCMT ref: 00FF8739

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: ChangeCloseErrorFindLastNotification__dosmaperr
String ID:
API String ID: 490808831-0
Opcode ID: 7418355e5935e62ac09d1d5062af30a1ae44b5a6fc9362709758e07106c48809
Instruction ID: 1a03565daf1df0591768c00d9fe49a2ea8702b22a8d99f19423fbaea3f93ad97
Opcode Fuzzy Hash: 7418355e5935e62ac09d1d5062af30a1ae44b5a6fc9362709758e07106c48809
Instruction Fuzzy Hash: 02012F33E0566C16D7246234A84977E77894F82BF8F350119FB14DB1F2DE698C82B250

Function 00FCDB38 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 00FCDB7B
DispatchMessageW.USER32(?), ref: 00FCDB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00FCDB9F
Sleep.KERNELBASE(0000000A), ref: 00FCDBB1
TranslateAcceleratorW.USER32(?,?,?), ref: 01011CC9

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: 64066d5ac6e69246021338e9c38bc23ca17488468776ff01dca71f3ade6fdf22
Instruction ID: 773c47c3ae41e8c9dd76354494945b8837317d452429f8852260c0a5772baa24
Opcode Fuzzy Hash: 64066d5ac6e69246021338e9c38bc23ca17488468776ff01dca71f3ade6fdf22
Instruction Fuzzy Hash: A5F030306043459BEB348760DD55F9B73ADEB84310F104519E689870C4DB389448AB15

Function 00FD1310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00FD17F6

Strings

CALL, xrefs: 00FD17C6

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: 25a3d8605d24ebce440ca5bf555f2f8fa597d4be42ac3a8e85003debcc991e35
Instruction ID: c492eb7212ee889249ed87550a13449d768ed7f8fe0acb4011971026f29135bc
Opcode Fuzzy Hash: 25a3d8605d24ebce440ca5bf555f2f8fa597d4be42ac3a8e85003debcc991e35
Instruction Fuzzy Hash: 74228D71608301AFC714DF14C894B2ABBF2BF85314F18895EF4968B361D77AE845EB92

Function 00FC2DE3 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 01002C8C

Part of subcall function 00FC3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00FC3A97,?,?,00FC2E7F,?,?,?,00000000), ref: 00FC3AC2

Part of subcall function 00FC2DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00FC2DC4

Strings

X, xrefs: 01002C5A

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X
API String ID: 779396738-3081909835
Opcode ID: e0d0ac038c4f22cb2a873ef00eced9d9853b6c36123f6d897519b846b9b36f46
Instruction ID: fe06a7654ef8ef8004061d8218dea429e775534935ecdc5ccb0f57e8c1056e6d
Opcode Fuzzy Hash: e0d0ac038c4f22cb2a873ef00eced9d9853b6c36123f6d897519b846b9b36f46
Instruction Fuzzy Hash: A121F671A002489FDB41EF98CC06BEE7BFCAF48314F00805DE445B7241DBB859499F61

Function 00FC3837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00FC3908

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 4bc270019ff89160c6572d2bdd5a2de552b1428d5b38104f814a9d688f68fa7a
Instruction ID: 5c204e7e0ba257170d7ec0346614079f5ec164204daf4bc72f40cbce1de50149
Opcode Fuzzy Hash: 4bc270019ff89160c6572d2bdd5a2de552b1428d5b38104f814a9d688f68fa7a
Instruction Fuzzy Hash: 8031E571A043029FE321DF24D585B97BBF8FB49358F00492EF5D983280E775AA04DB52

Function 00FDF645 Relevance: 3.0, APIs: 2, Instructions: 29sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00FDF661

Part of subcall function 00FCD730: GetInputState.USER32 ref: 00FCD807

Sleep.KERNEL32(00000000), ref: 0101F2DE

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: InputSleepStateTimetime
String ID:
API String ID: 4149333218-0
Opcode ID: 0d2e229c00d32a1af4a9d90325eb4da35e79ea37ad26cb5ebb3078ded50371fc
Instruction ID: bf72d76a1acc187c3f99b9aa0c6128e4730fb499662818d942e8ec3f170acc5c
Opcode Fuzzy Hash: 0d2e229c00d32a1af4a9d90325eb4da35e79ea37ad26cb5ebb3078ded50371fc
Instruction Fuzzy Hash: E9F08C352407069FD310EF69DA4AF6AB7E8FF45760F00002AE89AC7350DB75A800DB90

Function 00FCB710 Relevance: 2.1, APIs: 1, Instructions: 587COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00FCBB4E

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID:
API String ID: 1385522511-0
Opcode ID: e2d714d5c073e085ea0707adf022ca0dd1509c986f76b227cb5edb2e903e4041
Instruction ID: 0101c83646d7e39d8cd58421a10e5c930c2c7d1f1c4aff9fb3d7accd1ffea18b
Opcode Fuzzy Hash: e2d714d5c073e085ea0707adf022ca0dd1509c986f76b227cb5edb2e903e4041
Instruction Fuzzy Hash: 7E32EE39A0020AAFDB20CF58C996FBE77B9FF44310F148059F985AB259C779AD81DB50

Function 01052598 Relevance: 1.6, APIs: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(?,000000FE,00000000,00000000,00000000,00000000,00000013,00000001,?), ref: 01052649

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: 8fb03fc1e9eb92e99916b29d11d06f49bed6e68df8194130b554e327488f9017
Instruction ID: 4e09684645dea241a7f531a0ec2b56b5feac42cd84f521cf701527704ab0e331
Opcode Fuzzy Hash: 8fb03fc1e9eb92e99916b29d11d06f49bed6e68df8194130b554e327488f9017
Instruction Fuzzy Hash: 7421AF74200616AFE790DF18C8D0D77B799EF58368B5480ACE8968B391C771ED41CBA0

Function 010513B7 Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000001,?), ref: 01051420

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: a9969d52abeb3bb6848b13e829a51268f65168e17209adeaa9f877e6584cd29b
Instruction ID: b9f01a2d0c634962068986a5fc7f00e33071ed4b7770f0f03f85a7597efbdff5
Opcode Fuzzy Hash: a9969d52abeb3bb6848b13e829a51268f65168e17209adeaa9f877e6584cd29b
Instruction Fuzzy Hash: E9317170604203AFD754DF29C495B6ABBA2FF45324F0481ADE8994B292DB35EC41CFD0

Function 00FC4ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00FC4E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00FC4EDD,?,01091418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00FC4E9C
Part of subcall function 00FC4E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00FC4EAE
Part of subcall function 00FC4E90: FreeLibrary.KERNEL32(00000000,?,?,00FC4EDD,?,01091418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00FC4EC0

LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,01091418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00FC4EFD

Part of subcall function 00FC4E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,01003CDE,?,01091418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00FC4E62
Part of subcall function 00FC4E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00FC4E74
Part of subcall function 00FC4E59: FreeLibrary.KERNEL32(00000000,?,?,01003CDE,?,01091418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00FC4E87

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: 394744738be42582478fd3187e69f4a6e98ca6ca2ecdef318da3be5cf2fdf765
Instruction ID: 38c69fc5c9b372b08ecc125c5d5efe645e646d9698cce36d9823b6542ee85b88
Opcode Fuzzy Hash: 394744738be42582478fd3187e69f4a6e98ca6ca2ecdef318da3be5cf2fdf765
Instruction Fuzzy Hash: 3D112732600306AADB11EB64DE23FAD77A5AF90B10F10442DF582EB1C1EE78BA44F750

Function 00FF8402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00FF8440

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: edce4a4a241de026a05265b20d9f47d61c438a3038a35f6edece0a628b5ca420
Instruction ID: e47a4802f7a14a9a696d6bc903762feb9a92c5b2e3106ca53fa6fb03a2be71bd
Opcode Fuzzy Hash: edce4a4a241de026a05265b20d9f47d61c438a3038a35f6edece0a628b5ca420
Instruction Fuzzy Hash: 5C11487190410AAFCB05DF58E940AEE7BF8FF48310F104059F908AB311DB31DA12DBA4

Function 00FF5000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00FF4C7D: RtlAllocateHeap.NTDLL(00000008,00FC1129,00000000,?,00FF2E29,00000001,00000364,?,?,?,00FEF2DE,00FF3863,01091444,?,00FDFDF5,?), ref: 00FF4CBE

_free.LIBCMT ref: 00FF506C

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction ID: 4131120c8f85d05e89725b2c993b026b0422f8bd600ab86ea6dc6d8a3a70dfbd
Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction Fuzzy Hash: B1012B726047095BE3318E559C41A6AFBE8FF85370F25051DE39493280EA706805C674

Function 010529BF Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,?,?,?,010514B5,?), ref: 01052A01

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: 22f7dca24d5e78e7a9d85da5be7d7ec449017b6a8fc22207acac3434541ee5b1
Instruction ID: 3e77f1f956bce8be12aa77bbffb1716d447509de869d4d0a53968d3feb05221d
Opcode Fuzzy Hash: 22f7dca24d5e78e7a9d85da5be7d7ec449017b6a8fc22207acac3434541ee5b1
Instruction Fuzzy Hash: 2901B536300642DFE3A5CA2CC454B273BE2EFD5254F2984A8C5C78B255D732EC42C790

Function 00FEE602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: 6575b48395feadca492c25c4842b4c8b573b13e40330a849e6aa265d93f3c3d0
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: B9F02D32521E5897C7313B6BEC05B6B33989F52374F100715F620931E2DF78D806B9A5

Function 0105149E Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?), ref: 010514EB

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: 8f01fb1f1556883996327809f92f551409d1de736d0bb45d8540e91a345cf971
Instruction ID: 28ef1fabc732fe073f8b65ba7e8f6199ee131c70345319441c2a8b88c6921a95
Opcode Fuzzy Hash: 8f01fb1f1556883996327809f92f551409d1de736d0bb45d8540e91a345cf971
Instruction Fuzzy Hash: 8101D4353047419F97A0CF69D440927BF99FF94264354809DDC8A8B702DB32DD82CBC0

Function 00FF4C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00FC1129,00000000,?,00FF2E29,00000001,00000364,?,?,?,00FEF2DE,00FF3863,01091444,?,00FDFDF5,?), ref: 00FF4CBE

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 13f97a6f4bab1ec564d57c210c49b6b937b0d70ac28c964d12c1b50e72281db5
Instruction ID: 413a7935c6e760023299781f4e7cee9c102d71276b487b0653bc2b949d0d602c
Opcode Fuzzy Hash: 13f97a6f4bab1ec564d57c210c49b6b937b0d70ac28c964d12c1b50e72281db5
Instruction Fuzzy Hash: 0EF0B432A0226866EB215E62AC05B7B3798BF417B0B149115BB15A72A5CA35F800B6A0

Function 00FF3820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,01091444,?,00FDFDF5,?,?,00FCA976,00000010,01091440,00FC13FC,?,00FC13C6,?,00FC1129), ref: 00FF3852

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: edc53aa01d4baa2c12df8418c80fc6c79390c15001a89a12c4da53b3f26c2e98
Instruction ID: 778eefbfe2b9206dd867a760bdabaab3b49194eb98d4f809f9eeb4f60aabd316
Opcode Fuzzy Hash: edc53aa01d4baa2c12df8418c80fc6c79390c15001a89a12c4da53b3f26c2e98
Instruction Fuzzy Hash: A2E0E5339002ACA6E73126779D00BBB3648AF42BF0F050024BE44925A0DB2DED01F2E0

Function 00FC4F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,01091418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00FC4F6D

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 11fae70dc0d0a50742fc97cc356fb81ad3187462ae1e160b84ebc6a62625e0d6
Instruction ID: 00176490b57e932445bb75c8ed49d8df0a08591b9683e6ef1734864a95c1e95b
Opcode Fuzzy Hash: 11fae70dc0d0a50742fc97cc356fb81ad3187462ae1e160b84ebc6a62625e0d6
Instruction Fuzzy Hash: 23F03971905752CFDB349F64E5A1E22BBE4AF14329320897EE1EA83610CB32A844EF10

Function 01052A55 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 01052A66

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: 69f9ff4f891bfc420f327b25bd40f792b2bd8484188e48ecad99fedfaebb1adf
Instruction ID: 536b7d43b0ca13bcc6e47646145ce2673fb92f77578d67b1943f65e872bd6fc6
Opcode Fuzzy Hash: 69f9ff4f891bfc420f327b25bd40f792b2bd8484188e48ecad99fedfaebb1adf
Instruction Fuzzy Hash: 1EE08636354227EBD794EA30DC808FFB75CEF682957004536EC96C6140DB34999586F0

Function 00FC2DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00FC2DC4

Part of subcall function 00FC6B57: _wcslen.LIBCMT ref: 00FC6B6A

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: e9e577cd18883ff75f304b67e3b22f478aa794b1776b2a0a90111f3d425c3e50
Instruction ID: e77391dc41d11f49d63a426efd4910a71c04cc4b14d2865739d6450dfa00e898
Opcode Fuzzy Hash: e9e577cd18883ff75f304b67e3b22f478aa794b1776b2a0a90111f3d425c3e50
Instruction Fuzzy Hash: FEE0C272A042245BDB21E2989C0AFEA77EDDFC87D0F0400B5FD4DE7248DA74ED808690

Function 00FC2B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00FC3837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00FC3908

Part of subcall function 00FCD730: GetInputState.USER32 ref: 00FCD807

SetCurrentDirectoryW.KERNEL32(?), ref: 00FC2B6B

Part of subcall function 00FC30F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 00FC314E

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: 739dcc89cd348d13ef3a7feb103662a3ae94dea13ad9e207b715d45cd263bb66
Instruction ID: a5dcf4c6c7b1ea07d31c528850b97206823e5c669292eaa5a1ba573e289e69d8
Opcode Fuzzy Hash: 739dcc89cd348d13ef3a7feb103662a3ae94dea13ad9e207b715d45cd263bb66
Instruction Fuzzy Hash: FDE0263270430B02CB04BA309E27F7DB3499BD93A1F40443EF18243193CE3D4A4A6351

Function 01023D03 Relevance: 1.5, APIs: 1, Instructions: 18windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 01023D18

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: MessageSendTimeout
String ID:
API String ID: 1599653421-0
Opcode ID: 7cd4268dd68a43b3c18740614a49685803a5a194a8fa20ad8283887b9df24c62
Instruction ID: 390285fcba228a0badc147056bb37cf3310cdc73cc85b217c57b1c8049b74663
Opcode Fuzzy Hash: 7cd4268dd68a43b3c18740614a49685803a5a194a8fa20ad8283887b9df24c62
Instruction Fuzzy Hash: 6ED08CF06A03087EFB0083718D0BEBB339CC31AE85F004BA47E02D64C1D9A5EE080230

Function 0100039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,01000704,?,?,00000000,?,01000704,00000000,0000000C), ref: 010003B7

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 0c4c9efe135944085e924724e40a1156f1f1a4541a95696372bc148d149fc386
Instruction ID: 712fbde3b941b1b8479a326a237d5645a9e979151e5b82b9cfd291a42f3fdc47
Opcode Fuzzy Hash: 0c4c9efe135944085e924724e40a1156f1f1a4541a95696372bc148d149fc386
Instruction Fuzzy Hash: 75D06C3204020DBBDF128E84DD06EDA3BAAFB48714F014000BE5856020C736E821AB94

Function 00FC1CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00FC1CBC

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: da3c918590189bba73a63bf235de40237521b762a7f4cb8c36a1c5c34e7242d2
Instruction ID: 182a44a9c9bf7b47dde6e8851b29dab68c254b36e30fe60a0da1e9e70a4e6a41
Opcode Fuzzy Hash: da3c918590189bba73a63bf235de40237521b762a7f4cb8c36a1c5c34e7242d2
Instruction Fuzzy Hash: 1CC0483A280305AAF3248A90A96AF117769B348B14F448001F68AA95CB82BB18A0EB50

Non-executed Functions

Function 01059576 Relevance: 72.4, APIs: 39, Strings: 2, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00FD9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00FD9BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0105961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0105965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0105969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 010596C9
SendMessageW.USER32 ref: 010596F2
GetKeyState.USER32(00000011), ref: 0105978B
GetKeyState.USER32(00000009), ref: 01059798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 010597AE
GetKeyState.USER32(00000010), ref: 010597B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 010597E9
SendMessageW.USER32 ref: 01059810
SendMessageW.USER32(?,00001030,?,01057E95), ref: 01059918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0105992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 01059941
SetCapture.USER32(?), ref: 0105994A
ClientToScreen.USER32(?,?), ref: 010599AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 010599BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 010599D6
ReleaseCapture.USER32 ref: 010599E1
GetCursorPos.USER32(?), ref: 01059A19
ScreenToClient.USER32(?,?), ref: 01059A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 01059A80
SendMessageW.USER32 ref: 01059AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 01059AEB
SendMessageW.USER32 ref: 01059B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 01059B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 01059B4A
GetCursorPos.USER32(?), ref: 01059B68
ScreenToClient.USER32(?,?), ref: 01059B75
GetParent.USER32(?), ref: 01059B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 01059BFA
SendMessageW.USER32 ref: 01059C2B
ClientToScreen.USER32(?,?), ref: 01059C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 01059CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 01059CDE
SendMessageW.USER32 ref: 01059D01
ClientToScreen.USER32(?,?), ref: 01059D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 01059D82

Part of subcall function 00FD9944: GetWindowLongW.USER32(?,000000EB), ref: 00FD9952

GetWindowLongW.USER32(?,000000F0), ref: 01059E05

Strings

@GUI_DRAGID, xrefs: 0105997D
F, xrefs: 01059D07

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F
API String ID: 3429851547-4164748364
Opcode ID: 1b6f1187f007c1af19ae229154abc8079c07607f21ce77922c3bda243cd91e44
Instruction ID: 0e6ed18d79ba894c3c555f067ea4f27c4f4584d720163989e3adfb90d4744a2b
Opcode Fuzzy Hash: 1b6f1187f007c1af19ae229154abc8079c07607f21ce77922c3bda243cd91e44
Instruction Fuzzy Hash: BA429F34204301EFEBA5CF28C944AABBBE9FF48318F040559FAD9872A1D735A954DB61

Function 01054873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 010548F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 01054908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 01054927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 0105494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 0105495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 0105497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 010549AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 010549D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 01054A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 01054A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 01054A7E
IsMenu.USER32(?), ref: 01054A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 01054AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 01054B20
GetWindowLongW.USER32(?,000000F0), ref: 01054B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 01054BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 01054C82
wsprintfW.USER32 ref: 01054CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 01054CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 01054CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 01054D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 01054D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 01054D5A

Strings

%d/%02d/%02d, xrefs: 01054CA8

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: 7a477966c20d0f6dcb42a40e7877db9a245cab55338d68358adc36d669f78f52
Instruction ID: 37b8ef6d22b9dd042046fffe9d6d99876d77ffcfd9685c75f8b505ef012d3eb0
Opcode Fuzzy Hash: 7a477966c20d0f6dcb42a40e7877db9a245cab55338d68358adc36d669f78f52
Instruction Fuzzy Hash: 2812DE71600314ABFBA58F28CD49FEF7BF8EB45310F044159F996DA291E7789A81CB50

Function 00FDF98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 00FDF998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0101F474
IsIconic.USER32(00000000), ref: 0101F47D
ShowWindow.USER32(00000000,00000009), ref: 0101F48A
SetForegroundWindow.USER32(00000000), ref: 0101F494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0101F4AA
GetCurrentThreadId.KERNEL32 ref: 0101F4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0101F4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 0101F4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 0101F4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 0101F4DE
SetForegroundWindow.USER32(00000000), ref: 0101F4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 0101F4F6
keybd_event.USER32(00000012,00000000), ref: 0101F501
MapVirtualKeyW.USER32(00000012,00000000), ref: 0101F50B
keybd_event.USER32(00000012,00000000), ref: 0101F510
MapVirtualKeyW.USER32(00000012,00000000), ref: 0101F519
keybd_event.USER32(00000012,00000000), ref: 0101F51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 0101F528
keybd_event.USER32(00000012,00000000), ref: 0101F52D
SetForegroundWindow.USER32(00000000), ref: 0101F530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 0101F557

Strings

Shell_TrayWnd, xrefs: 0101F46F

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 1141bba8cb92bae80b86c0e35addc1a8c8d86e3936aa6970630ec2c286c80706
Instruction ID: 331bfcaf32d09502f11d482f44fb8eaf535dcfd49d6f11bde361474c9585523c
Opcode Fuzzy Hash: 1141bba8cb92bae80b86c0e35addc1a8c8d86e3936aa6970630ec2c286c80706
Instruction Fuzzy Hash: 9D318171A40318BBFB316BB54D4AFBF7EACEB44B50F100055FA41E61C5D6B55A40ABA0

Function 01021201 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 010216C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0102170D
Part of subcall function 010216C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0102173A
Part of subcall function 010216C3: GetLastError.KERNEL32 ref: 0102174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 01021286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 010212A8
CloseHandle.KERNEL32(?), ref: 010212B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 010212D1
GetProcessWindowStation.USER32 ref: 010212EA
SetProcessWindowStation.USER32(00000000), ref: 010212F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 01021310

Part of subcall function 010210BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,010211FC), ref: 010210D4
Part of subcall function 010210BF: CloseHandle.KERNEL32(?,?,010211FC), ref: 010210E9

Strings

, xrefs: 0102125A
default, xrefs: 0102130B
winsta0, xrefs: 010212CC

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0
API String ID: 22674027-1027155976
Opcode ID: df91eea44dc2f195f6ebe7c440b52cfd4a98d45f25ae97e7d979274c89a4e889
Instruction ID: d44aa1537f2cbd66b1101665efa5a339290571c67f52deb3135ffb2ff47dcfb4
Opcode Fuzzy Hash: df91eea44dc2f195f6ebe7c440b52cfd4a98d45f25ae97e7d979274c89a4e889
Instruction Fuzzy Hash: E3819A71900319ABEF219FA8DD48BEF7FBDEF08704F044169FA95A6190CB359A44CB60

Function 01020B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 010210F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 01021114
Part of subcall function 010210F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,01020B9B,?,?,?), ref: 01021120
Part of subcall function 010210F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,01020B9B,?,?,?), ref: 0102112F
Part of subcall function 010210F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,01020B9B,?,?,?), ref: 01021136
Part of subcall function 010210F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0102114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 01020BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 01020C00
GetLengthSid.ADVAPI32(?), ref: 01020C17
GetAce.ADVAPI32(?,00000000,?), ref: 01020C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 01020C6D
GetLengthSid.ADVAPI32(?), ref: 01020C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 01020C8C
HeapAlloc.KERNEL32(00000000), ref: 01020C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 01020CB4
CopySid.ADVAPI32(00000000), ref: 01020CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 01020CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 01020D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 01020D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 01020D45
HeapFree.KERNEL32(00000000), ref: 01020D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 01020D55
HeapFree.KERNEL32(00000000), ref: 01020D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 01020D65
HeapFree.KERNEL32(00000000), ref: 01020D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 01020D78
HeapFree.KERNEL32(00000000), ref: 01020D7F

Part of subcall function 01021193: GetProcessHeap.KERNEL32(00000008,01020BB1,?,00000000,?,01020BB1,?), ref: 010211A1
Part of subcall function 01021193: HeapAlloc.KERNEL32(00000000,?,00000000,?,01020BB1,?), ref: 010211A8
Part of subcall function 01021193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,01020BB1,?), ref: 010211B7

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 115b31bdc6c5d6423ed3d935229af557cbc630c20ae342d968b8f771cc619441
Instruction ID: bae5a590c52165fdd402abc3b1185bd15575afeb457536dfeb63d71656e56e3e
Opcode Fuzzy Hash: 115b31bdc6c5d6423ed3d935229af557cbc630c20ae342d968b8f771cc619441
Instruction Fuzzy Hash: 05717B7190131AABEF209FA8DD44BAFBBBCFF05210F144195FA94A7184D775A905CF60

Function 0103EAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(0105CC08), ref: 0103EB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 0103EB37
GetClipboardData.USER32(0000000D), ref: 0103EB43
CloseClipboard.USER32 ref: 0103EB4F
GlobalLock.KERNEL32(00000000), ref: 0103EB87
CloseClipboard.USER32 ref: 0103EB91
GlobalUnlock.KERNEL32(00000000,00000000), ref: 0103EBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 0103EBC9
GetClipboardData.USER32(00000001), ref: 0103EBD1
GlobalLock.KERNEL32(00000000), ref: 0103EBE2
GlobalUnlock.KERNEL32(00000000,?), ref: 0103EC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 0103EC38
GetClipboardData.USER32(0000000F), ref: 0103EC44
GlobalLock.KERNEL32(00000000), ref: 0103EC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 0103EC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0103EC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0103ECD2
GlobalUnlock.KERNEL32(00000000,?,?), ref: 0103ECF3
CountClipboardFormats.USER32 ref: 0103ED14
CloseClipboard.USER32 ref: 0103ED59

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 834156342f4acd7dd67356c31521db4a803da1d9d8503313f3d9bb63725fc981
Instruction ID: 311361c12d20126466a44b7d0274b727257dda77279495eba95859b1b75ad4bd
Opcode Fuzzy Hash: 834156342f4acd7dd67356c31521db4a803da1d9d8503313f3d9bb63725fc981
Instruction Fuzzy Hash: 0261BD342043029FE311EF28D989F6B7BECAF84744F04465DF5969B292CB36E905CB62

Function 0103698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 010369BE
FindClose.KERNEL32(00000000), ref: 01036A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 01036A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 01036A75

Part of subcall function 00FC9CB3: _wcslen.LIBCMT ref: 00FC9CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 01036AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 01036ADF

Strings

%03d, xrefs: 01036DA2
%4d%02d%02d%02d%02d%02d%03d, xrefs: 01036B32
%4d, xrefs: 01036BB1
%02d, xrefs: 01036C00, 01036C0A, 01036C5A, 01036CAA, 01036CFA, 01036D4A
%4d%02d%02d%02d%02d%02d, xrefs: 01036B6A

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: 6a13e1ced346dd039c685076c5f91c41c45f83a9b3156558fe1bfd920f7b6c75
Instruction ID: 2fd27a702a3d179e8bc88e7372e107b7164bdd92182137c90325da54ab8f6c0d
Opcode Fuzzy Hash: 6a13e1ced346dd039c685076c5f91c41c45f83a9b3156558fe1bfd920f7b6c75
Instruction Fuzzy Hash: 72D16171508301AFC310EBA4CD86EABB7ECAF88704F44491DF589C7191EB79DA48DB62

Function 01039642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 01039663
GetFileAttributesW.KERNEL32(?), ref: 010396A1
SetFileAttributesW.KERNEL32(?,?), ref: 010396BB
FindNextFileW.KERNEL32(00000000,?), ref: 010396D3
FindClose.KERNEL32(00000000), ref: 010396DE
FindFirstFileW.KERNEL32(*.*,?), ref: 010396FA
SetCurrentDirectoryW.KERNEL32(?), ref: 0103974A
SetCurrentDirectoryW.KERNEL32(01086B7C), ref: 01039768
FindNextFileW.KERNEL32(00000000,00000010), ref: 01039772
FindClose.KERNEL32(00000000), ref: 0103977F
FindClose.KERNEL32(00000000), ref: 0103978F

Strings

*.*, xrefs: 010396F5

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: dfeeb207d586b90aa82567352cd6d785d7268ac64b3e65ebc15c0cb75d3f6b4d
Instruction ID: 0219ee0fd28c65513eeaa46f049b7a9beb8709553e783ea67e633c67c357fd45
Opcode Fuzzy Hash: dfeeb207d586b90aa82567352cd6d785d7268ac64b3e65ebc15c0cb75d3f6b4d
Instruction Fuzzy Hash: 6431F63254131A6BEF25AEB9DD49ADF37ECAF89364F004099F985E2090DB75DA40CB10

Function 0103979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 010397BE
FindNextFileW.KERNEL32(00000000,?), ref: 01039819
FindClose.KERNEL32(00000000), ref: 01039824
FindFirstFileW.KERNEL32(*.*,?), ref: 01039840
SetCurrentDirectoryW.KERNEL32(?), ref: 01039890
SetCurrentDirectoryW.KERNEL32(01086B7C), ref: 010398AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 010398B8
FindClose.KERNEL32(00000000), ref: 010398C5
FindClose.KERNEL32(00000000), ref: 010398D5

Part of subcall function 0102DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 0102DB00

Strings

*.*, xrefs: 0103983B

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: c540f1cacf66347769245ac47cfe424e262f2274e6714fda17d7cee1c6c9db9d
Instruction ID: 6920a7e7dd58097cdacc3a4412870bcfabd814143e3ae5bb89e6f7322b1ac887
Opcode Fuzzy Hash: c540f1cacf66347769245ac47cfe424e262f2274e6714fda17d7cee1c6c9db9d
Instruction Fuzzy Hash: CF31D83150031AAAEF20EFB9DC48ADF77AC9FC5328F104195E9D4A2090DB75DA85CF20

Function 0104BE44 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0104C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0104B6AE,?,?), ref: 0104C9B5
Part of subcall function 0104C998: _wcslen.LIBCMT ref: 0104C9F1
Part of subcall function 0104C998: _wcslen.LIBCMT ref: 0104CA68
Part of subcall function 0104C998: _wcslen.LIBCMT ref: 0104CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0104BF3E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 0104BFA9
RegCloseKey.ADVAPI32(00000000), ref: 0104BFCD
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0104C02C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 0104C0E7
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0104C154
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0104C1E9
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 0104C23A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0104C2E3
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0104C382
RegCloseKey.ADVAPI32(00000000), ref: 0104C38F

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: 151545d1b58124c45aa237ab886a233b39eadb8781a71366d06788922c026329
Instruction ID: 462e98666f7c842b9bbcf6eee79e3e32730b3c4fcd7a5c02117279ab54e336b1
Opcode Fuzzy Hash: 151545d1b58124c45aa237ab886a233b39eadb8781a71366d06788922c026329
Instruction Fuzzy Hash: F7025EB06042019FE754DF28C9D5E2ABBE5AF89304F08C4ADF48ACB2A2D735ED45CB51

Function 01038195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 01038257
SystemTimeToFileTime.KERNEL32(?,?), ref: 01038267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 01038273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 01038310
SetCurrentDirectoryW.KERNEL32(?), ref: 01038324
SetCurrentDirectoryW.KERNEL32(?), ref: 01038356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0103838C
SetCurrentDirectoryW.KERNEL32(?), ref: 01038395

Strings

*.*, xrefs: 0103839B

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: 5389c8b56dff6d4a075111b060ca9c5f098966cb6719c868349e033bf4162161
Instruction ID: 321a77dde669468b071760b66c341c880a23f9653e6890e325a5764938d08e91
Opcode Fuzzy Hash: 5389c8b56dff6d4a075111b060ca9c5f098966cb6719c868349e033bf4162161
Instruction Fuzzy Hash: 106179725083059FD710EF64C841AAEB3ECFF89310F04896EF98987251DB35E945CB92

Function 0102D076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00FC3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00FC3A97,?,?,00FC2E7F,?,?,?,00000000), ref: 00FC3AC2

Part of subcall function 0102E199: GetFileAttributesW.KERNEL32(?,0102CF95), ref: 0102E19A

FindFirstFileW.KERNEL32(?,?), ref: 0102D122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 0102D1DD
MoveFileW.KERNEL32(?,?), ref: 0102D1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 0102D20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 0102D237

Part of subcall function 0102D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,0102D21C,?,?), ref: 0102D2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 0102D253
FindClose.KERNEL32(00000000), ref: 0102D264

Strings

\*.*, xrefs: 0102D0CD, 0102D0D6, 0102D0EB

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: f0f278f16bb3a587c47d388544575d5cf8b9602268aa2628accd3a82e7d63ed2
Instruction ID: fef3b001b582a705cb6d1456ab7a70412837557168ad6788be1d120fc23bc476
Opcode Fuzzy Hash: f0f278f16bb3a587c47d388544575d5cf8b9602268aa2628accd3a82e7d63ed2
Instruction Fuzzy Hash: A661913180521EABDF05EBE0DE52EEDB7B9AF11300F6041A9E44173191EB35AF09DB60

Function 0103ED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0103ED91
EmptyClipboard.USER32 ref: 0103ED97
GlobalAlloc.KERNEL32(00000002,?), ref: 0103EDAC
CloseClipboard.USER32 ref: 0103EEA3

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 8a0998b570a7fd927d8537d6b7b87c1469e2c6f07ab9cb6dc8fa0488d421eca0
Instruction ID: b7054f31319a807178eea07454530da50aaaaa5ca5a4f7e8669481ee1f01f458
Opcode Fuzzy Hash: 8a0998b570a7fd927d8537d6b7b87c1469e2c6f07ab9cb6dc8fa0488d421eca0
Instruction Fuzzy Hash: A8418F352046119FE721DF19D549F1ABBE9EF84318F04C19DE49A8B662C73AFD42CBA0

Function 0102E8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 010216C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0102170D
Part of subcall function 010216C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0102173A
Part of subcall function 010216C3: GetLastError.KERNEL32 ref: 0102174A

ExitWindowsEx.USER32(?,00000000), ref: 0102E932

Strings

SeShutdownPrivilege, xrefs: 0102E902
, xrefs: 0102E95C
, xrefs: 0102E920
@, xrefs: 0102E925

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: 27d6e603dee98ca98cf012b2f90f744a3e7fa7cc401bcfb9a1cf6aa984207f65
Instruction ID: dd4ca136a057015e0c6dc27d20dbbf1418011539c48f3149a165f614c5a8e031
Opcode Fuzzy Hash: 27d6e603dee98ca98cf012b2f90f744a3e7fa7cc401bcfb9a1cf6aa984207f65
Instruction Fuzzy Hash: C4012132790331ABFBA422B8DC89BFF72ACAB14740F050823FDC2E20C1D6A55C4082A0

Function 01041204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 01041276
WSAGetLastError.WSOCK32 ref: 01041283
bind.WSOCK32(00000000,?,00000010), ref: 010412BA
WSAGetLastError.WSOCK32 ref: 010412C5
closesocket.WSOCK32(00000000), ref: 010412F4
listen.WSOCK32(00000000,00000005), ref: 01041303
WSAGetLastError.WSOCK32 ref: 0104130D
closesocket.WSOCK32(00000000), ref: 0104133C

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: 9713ddb8fbe2240af1c035b5cba46ea2470d216883cbdf332db00b692d87fa22
Instruction ID: 214b9fa5175c54c2ed7969ca6cb46c521e5ffd492d636fc9460c6b35cbdfb259
Opcode Fuzzy Hash: 9713ddb8fbe2240af1c035b5cba46ea2470d216883cbdf332db00b692d87fa22
Instruction Fuzzy Hash: 864172B56002019FE710DF68C6C5B2ABBE5AF46314F188198D9968F296C775FC81CBA1

Function 00FFB952 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00FFB9D4
_free.LIBCMT ref: 00FFB9F8
_free.LIBCMT ref: 00FFBB7F
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,01063700), ref: 00FFBB91
WideCharToMultiByte.KERNEL32(00000000,00000000,0109121C,000000FF,00000000,0000003F,00000000,?,?), ref: 00FFBC09
WideCharToMultiByte.KERNEL32(00000000,00000000,01091270,000000FF,?,0000003F,00000000,?), ref: 00FFBC36
_free.LIBCMT ref: 00FFBD4B

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: 1450ce1039d02b29a9628c5306e5998111468815682c21d24a82c2320d6acf77
Instruction ID: fea25849869f15fe175f072f1d0ae048c82400f0e45690140fea1e390195a0a1
Opcode Fuzzy Hash: 1450ce1039d02b29a9628c5306e5998111468815682c21d24a82c2320d6acf77
Instruction Fuzzy Hash: F3C13771E0420DAFDB20AF69DC51BBE7BB8EF45320F14419AEA90D7265E7398E01E750

Function 0102D3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00FC3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00FC3A97,?,?,00FC2E7F,?,?,?,00000000), ref: 00FC3AC2

Part of subcall function 0102E199: GetFileAttributesW.KERNEL32(?,0102CF95), ref: 0102E19A

FindFirstFileW.KERNEL32(?,?), ref: 0102D420
DeleteFileW.KERNEL32(?,?,?,?), ref: 0102D470
FindNextFileW.KERNEL32(00000000,00000010), ref: 0102D481
FindClose.KERNEL32(00000000), ref: 0102D498
FindClose.KERNEL32(00000000), ref: 0102D4A1

Strings

\*.*, xrefs: 0102D3F2

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: e78550b59e6a0f39c14d5019458134e38721f6d9c6d63b9a51df278ffb0a2560
Instruction ID: c2866105bc6449e56be7b6b7b1a2f873b2face943d47aafb5110255f575d934d
Opcode Fuzzy Hash: e78550b59e6a0f39c14d5019458134e38721f6d9c6d63b9a51df278ffb0a2560
Instruction Fuzzy Hash: 6731C03100C3469BC311EF64C996DEFB7E8AE91304F404A1DF4D593191EB29AA09DB63

Function 00FFE4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 00FFE645

Strings

1#IND, xrefs: 00FFF83D
1#QNAN, xrefs: 00FFF84B
1#INF, xrefs: 00FFF852
1#SNAN, xrefs: 00FFF844

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 7544f2b9a5ada8875c6b271a97d34d7df2575fcbb5f563d9091a1e7bb8ed7ece
Instruction ID: 436ec4c46dac7e14133e51ad7e5558eb3318101bf8ba322f8346f225f50dd761
Opcode Fuzzy Hash: 7544f2b9a5ada8875c6b271a97d34d7df2575fcbb5f563d9091a1e7bb8ed7ece
Instruction Fuzzy Hash: 6CC22872E086288FDB25CE28DD407EAB7B5EF44314F1441EAD94DE7260E778AE859F40

Function 0103648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 010364DC
CoInitialize.OLE32(00000000), ref: 01036639
CoCreateInstance.OLE32(0105FCF8,00000000,00000001,0105FB68,?), ref: 01036650
CoUninitialize.OLE32 ref: 010368D4

Strings

.lnk, xrefs: 010364BA, 01036524, 010365E0

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: d8e87512891a581520b0b8b2df6c54a72103e066127689412bcc3506a5e60831
Instruction ID: 5ef3b08946887d5a92ce49badcad1ac13a9dac6c238b5d09f932e5d39e84c37b
Opcode Fuzzy Hash: d8e87512891a581520b0b8b2df6c54a72103e066127689412bcc3506a5e60831
Instruction Fuzzy Hash: 7DD14C71508302AFD314EF24C981E6BB7E8FF99704F00496DF5958B291DB75EA09CBA2

Function 01039B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00FC9CB3: _wcslen.LIBCMT ref: 00FC9CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 01039B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 01039C8B

Part of subcall function 01033874: GetInputState.USER32 ref: 010338CB
Part of subcall function 01033874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 01033966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 01039BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 01039C75

Strings

*.*, xrefs: 01039B5D

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: db78dba4c6909937a050f6d6e26e8d71b37948e7bf3fd70bb4db5c25fee65f7b
Instruction ID: 27beb2c24b8ae98e76ab5ca9fcd4206f84f7c98e1078be44732caba84c0bf5a7
Opcode Fuzzy Hash: db78dba4c6909937a050f6d6e26e8d71b37948e7bf3fd70bb4db5c25fee65f7b
Instruction Fuzzy Hash: FF41E03190420E9FDF54DFA8CD89AEEBBF8EF45304F144099E985A3191EB709A84CF60

Function 00FD997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00FD9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00FD9BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00FD9A4E
GetSysColor.USER32(0000000F), ref: 00FD9B23
SetBkColor.GDI32(?,00000000), ref: 00FD9B36

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: 31833da6609e2143a8d4a1bd41f99577f51fc1d24d5849ed14128e70c44a1b6e
Instruction ID: ca2c2eb4da478824f0156397c4a03ea55110e2f69cecbcd5f65059825e2e363d
Opcode Fuzzy Hash: 31833da6609e2143a8d4a1bd41f99577f51fc1d24d5849ed14128e70c44a1b6e
Instruction Fuzzy Hash: C4A13D7220C105AEE7759ABC8C58E7F399EEB46354F19020BF582C7789CAAD9D01E371

Function 01041806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0104304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0104307A
Part of subcall function 0104304E: _wcslen.LIBCMT ref: 0104309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 0104185D
WSAGetLastError.WSOCK32 ref: 01041884
bind.WSOCK32(00000000,?,00000010), ref: 010418DB
WSAGetLastError.WSOCK32 ref: 010418E6
closesocket.WSOCK32(00000000), ref: 01041915

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: c8f81921fab4b990c985712fd457b06e17f7df474f80e2a111f39c3aba85dcf3
Instruction ID: 17225be6d62dad2d450c22958cf1c0ee48f0ec4fc39055b068d1699a22d68ff0
Opcode Fuzzy Hash: c8f81921fab4b990c985712fd457b06e17f7df474f80e2a111f39c3aba85dcf3
Instruction Fuzzy Hash: 3251B275A00210AFEB10EF24C986F6A77E5AB45718F08849CF9469F3C3C775AD41DBA1

Function 0103CF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000), ref: 0103CF38
InternetReadFile.WININET(?,00000000,?,?), ref: 0103CF6F
GetLastError.KERNEL32(?,00000000,?,?,?,0103C21E,00000000), ref: 0103CFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,0103C21E,00000000), ref: 0103CFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,0103C21E,00000000), ref: 0103CFF2

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: 850466d3961f538a4e6c2ee0cc8d9d74d18cf9830aede3ad71f1983427c5b2fc
Instruction ID: 232d0c838ba6dfaaa9f8975f67dcb0ffa9229ddb79e25cb618eba0c2003f8ed5
Opcode Fuzzy Hash: 850466d3961f538a4e6c2ee0cc8d9d74d18cf9830aede3ad71f1983427c5b2fc
Instruction Fuzzy Hash: 96314B71500705AFFB20DFA9CA84AAFBBFCEB44354B10446FE58AE2141DB34AA41DB60

Function 01051C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 01051CC0
IsWindowEnabled.USER32 ref: 01051CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 01051CDB
IsIconic.USER32 ref: 01051CE9
IsZoomed.USER32 ref: 01051CF7

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 0e94ab502c1c3526af4986269dde49524bce1500829232cc2bffe3fb807674c6
Instruction ID: 7cc8d4d636a54c43c6932ff5d5a17d80669bc19c36a29276eb0fac5325233e18
Opcode Fuzzy Hash: 0e94ab502c1c3526af4986269dde49524bce1500829232cc2bffe3fb807674c6
Instruction Fuzzy Hash: 8B2182317002055FE7A19F1AC884F6B7FE9AF95315B19809CEC898B341C776E942CBA0

Function 00FC8060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 00FC843C
VUUU, xrefs: 00FC83FA
VUUU, xrefs: 00FC83E8
ERCP, xrefs: 00FC813C
VUUU, xrefs: 01005DF0

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 84c7209b2ebfdeac303fca8203ba0e57eb9673fd61040f101cbe57270fa62f45
Instruction ID: 5761531ccae8478c7f5ebb8083e5db22ee5ff18f6e2a887ac82dcc23f2e64c94
Opcode Fuzzy Hash: 84c7209b2ebfdeac303fca8203ba0e57eb9673fd61040f101cbe57270fa62f45
Instruction Fuzzy Hash: 97A2C471E0021ACBEF25CF58C941BEEB7B2BF44350F1481AAD855A7281EB719D92DF90

Function 0104A67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0104A6AC
Process32FirstW.KERNEL32(00000000,?), ref: 0104A6BA

Part of subcall function 00FC9CB3: _wcslen.LIBCMT ref: 00FC9CBD

Process32NextW.KERNEL32(00000000,?), ref: 0104A79C
CloseHandle.KERNEL32(00000000), ref: 0104A7AB

Part of subcall function 00FDCE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,01003303,?), ref: 00FDCE8A

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: e6b6c5ca683c64a87f92b0cdd309dc4dbd2c881e7791fd22e0a283d3f52c5944
Instruction ID: f0b2b772cb85bf416c70cb1a2541c179a72cf25585b3b6ac68e39768965945e0
Opcode Fuzzy Hash: e6b6c5ca683c64a87f92b0cdd309dc4dbd2c881e7791fd22e0a283d3f52c5944
Instruction Fuzzy Hash: F3515AB1508301AFD710EF24C986E6BBBE8FF89714F40492DF58697291EB35D904CB92

Function 0102AB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75A8C0D0,?,00008000), ref: 0102ABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 0102AC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 0102AC74
SendInput.USER32(00000001,?,0000001C,75A8C0D0,?,00008000), ref: 0102ACC6

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 3d1a08232336546ef4a538f0fb08597639f25dcf05e80dbd15a5a8dd302de4e6
Instruction ID: cb07da7f6b819a9f7c72f729c60b9bd1ed655864ee2d37064a988cadca6858eb
Opcode Fuzzy Hash: 3d1a08232336546ef4a538f0fb08597639f25dcf05e80dbd15a5a8dd302de4e6
Instruction Fuzzy Hash: 40310530B0032CEFFF358A68C8047FEBAA9AB89310F24425AE4C5535D1CB7585858751

Function 01028298 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 010282AA

Strings

|, xrefs: 010282DA
(, xrefs: 010282F0

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: a543a96132707b500e97542cb5c58de0b151059e3cff2127b6adc0e82ffe863c
Instruction ID: 7bded17634b1b3e194726f4a18006a55a841cd08893e90d937febf2f6b4961eb
Opcode Fuzzy Hash: a543a96132707b500e97542cb5c58de0b151059e3cff2127b6adc0e82ffe863c
Instruction Fuzzy Hash: CF323578A007159FDB28CF59C480AAAB7F0FF48310B15C5AEE59ADB7A1E770E941CB40

Function 01035C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 01035CC1
FindNextFileW.KERNEL32(00000000,?), ref: 01035D17
FindClose.KERNEL32(?), ref: 01035D5F

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: b9c5c9ae7841db6dab45e7126a798d3231b9e4cfcca22da0f341ef970580e678
Instruction ID: d2ccff3a0134e8d10cec7ab99f683d793317a751db086cdbafc408dc0ee20571
Opcode Fuzzy Hash: b9c5c9ae7841db6dab45e7126a798d3231b9e4cfcca22da0f341ef970580e678
Instruction Fuzzy Hash: 6A51BE346047029FD714DF28C899E9AB7E8FF49314F14859DE99A8B3A2CB34E905CF91

Function 00FF2622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 00FF271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00FF2724
UnhandledExceptionFilter.KERNEL32(?), ref: 00FF2731

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 64141f8094e2e96d5eae7727e213b1800916a055aeeb64179b304c3161b6f9ec
Instruction ID: 711a0c158d5d68478922658299b2fd875a0d71d1bf23aa871b24b4de21e888da
Opcode Fuzzy Hash: 64141f8094e2e96d5eae7727e213b1800916a055aeeb64179b304c3161b6f9ec
Instruction Fuzzy Hash: 6A31E27190131CABCB61DF68DD8879DBBB8AF08310F1041EAE80CA6261EB749F819F44

Function 010351CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 010351DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 01035238
SetErrorMode.KERNEL32(00000000), ref: 010352A1

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: d966ab0932db85a92f87f878442c488e5083dd0a6f8086dea278637cc104e17f
Instruction ID: bdd29b70da8a305b5e3ee7376021596829b1d2fdd36f7dafdcce310bb448e0ab
Opcode Fuzzy Hash: d966ab0932db85a92f87f878442c488e5083dd0a6f8086dea278637cc104e17f
Instruction Fuzzy Hash: 64314D75A002199FDB00DF54D884EADBBB8FF49314F048099E9459B356DB36E855CB90

Function 010216C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00FDFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00FE0668
Part of subcall function 00FDFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00FE0685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0102170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0102173A
GetLastError.KERNEL32 ref: 0102174A

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: 91dface993078b686f2e9433196b643d19c16403c1597fd02539693c79d77459
Instruction ID: e9ad6e265dfadb5307c68b9c1dc99bc87775a3b01112dcf498a611ea5371d677
Opcode Fuzzy Hash: 91dface993078b686f2e9433196b643d19c16403c1597fd02539693c79d77459
Instruction Fuzzy Hash: 5411BFB2400304AFE7289F54DC86D6BBBBEFB44724B24852EF49653241EB74B8418B20

Function 0102D5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0102D608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 0102D645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0102D650

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 081fe24d883ee94caa97a9a8dd495e6e45877f7335b3a6ef79f7353a1184f91b
Instruction ID: 45a2c2ff636f757b1feec2c4afd981bc064784261e1f4e3c7a608e08d16ff3ac
Opcode Fuzzy Hash: 081fe24d883ee94caa97a9a8dd495e6e45877f7335b3a6ef79f7353a1184f91b
Instruction Fuzzy Hash: 34117071E01328BBEB208F989848FAFBFBCEB49B50F104151F954E7280C2744A018BA1

Function 01021663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0102168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 010216A1
FreeSid.ADVAPI32(?), ref: 010216B1

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 7a95b4de2922ae3fbe4de3b933d3fde1060eafc29aefa36f6be14e033e88adb7
Instruction ID: d23374d075362a99a9d72787023174c54b349fceea399817a199102c835db8bd
Opcode Fuzzy Hash: 7a95b4de2922ae3fbe4de3b933d3fde1060eafc29aefa36f6be14e033e88adb7
Instruction Fuzzy Hash: 0EF0177195030DBBEF10DFE4D989EAEBBBCFB08604F5045A5F501E2181E775AA448B50

Function 00FE4CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00FF28E9,?,00FE4CBE,00FF28E9,010888B8,0000000C,00FE4E15,00FF28E9,00000002,00000000,?,00FF28E9), ref: 00FE4D09
TerminateProcess.KERNEL32(00000000,?,00FE4CBE,00FF28E9,010888B8,0000000C,00FE4E15,00FF28E9,00000002,00000000,?,00FF28E9), ref: 00FE4D10
ExitProcess.KERNEL32 ref: 00FE4D22

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 9443e3c33376cda0d0ef766efa3c7589611274697e793ff4432481b89db27a71
Instruction ID: 93bfba5beed54f4bdf10c5ada5d6904e6097fa4f447473c8575523c92e4e32fe
Opcode Fuzzy Hash: 9443e3c33376cda0d0ef766efa3c7589611274697e793ff4432481b89db27a71
Instruction Fuzzy Hash: A8E0B631400388ABDF31AF55DE09A593F6DEF81791B104058FD45CA227CB3AEE42EB80

Function 00FFC2A2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 00FFC36C

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 92e4df050e931eb940b5ecd87a17a4377b1caf31382be46620f2a97b8b18ece0
Instruction ID: cd37208d18a5696aac8f2856b779fa1017248925a7600ad7e3ba5cf92c468966
Opcode Fuzzy Hash: 92e4df050e931eb940b5ecd87a17a4377b1caf31382be46620f2a97b8b18ece0
Instruction Fuzzy Hash: 3341287290022D6FCB209FB9DD49EBB7778EF84354F104269FA05D7190E6719D419B90

Function 0101D27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 0101D28C

Strings

X64, xrefs: 0101D2A8

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 6835fa94032d5875fc1a5e222b0a598a6a5adaa62c7fcc93458457f52c3a6ed5
Instruction ID: 608f7ef7b891dd94e23563f7082def4bc37fc6f39ff025bddbf41fbc7bf191b6
Opcode Fuzzy Hash: 6835fa94032d5875fc1a5e222b0a598a6a5adaa62c7fcc93458457f52c3a6ed5
Instruction Fuzzy Hash: C9D0C9B580121DEACF90DA90D88CDDEB3BCFB14305F000152F146A2104D77895488F10

Function 00FECAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: d08603ae0ca4951b2df1bbf2634cc82bc7e6675d4a60f8f8fdf9b8053ccda9a0
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: BE021E72E012599FDF14CFA9C8806ADFBF1EF48324F25416AE919E7380D731A9429BD4

Function 010368EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 01036918
FindClose.KERNEL32(00000000), ref: 01036961

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 584c9afaf52ae5682574c406cb1aa36ffa2db2c15a0c067c6cab76bba909d8eb
Instruction ID: 6febd01ab2f9c91856129150349f55e2957873abcef19cebde7ce7387e746442
Opcode Fuzzy Hash: 584c9afaf52ae5682574c406cb1aa36ffa2db2c15a0c067c6cab76bba909d8eb
Instruction Fuzzy Hash: 6C1193316042019FD710DF29D489E16BBE9FF85328F04C69DE5A98F6A2C735ED05CB91

Function 010337B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,01044891,?,?,00000035,?), ref: 010337E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,01044891,?,?,00000035,?), ref: 010337F4

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 6c064ccbfb8d9a37f27068511ad4f33e79b21f8aebc69ee65201b966457c18d0
Instruction ID: 833fed41ab56315a35741aa6db471b025caaa71ad9b18fb53b1ed05454983094
Opcode Fuzzy Hash: 6c064ccbfb8d9a37f27068511ad4f33e79b21f8aebc69ee65201b966457c18d0
Instruction Fuzzy Hash: EEF0E5706043292AE73156668D8DFEB3AAEFFC4761F0001A5F509D2285D9609904C7B0

Function 0102B226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 0102B25D
keybd_event.USER32(?,75A8C0D0,?,00000000), ref: 0102B270

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 204c725394d5a1df06ac66f6eb7f22480960a5604231a8146a32de4cf10bb1df
Instruction ID: f538fa4fc05bfe5e634ab75b185344a0da3a9944b0e6fbae2387bb50bfd25764
Opcode Fuzzy Hash: 204c725394d5a1df06ac66f6eb7f22480960a5604231a8146a32de4cf10bb1df
Instruction Fuzzy Hash: 83F01D7180434DABEB159FA4C805BAE7FB4FF05309F008049F995A5192C7798255DF94

Function 010210BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,010211FC), ref: 010210D4
CloseHandle.KERNEL32(?,?,010211FC), ref: 010210E9

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: c7bdce44fb66b6d87fad31e3145b467d24a1a03662f28b7d73f637be701a3c5d
Instruction ID: b30e900a6308abe64fd4218db5345f6a3a91ab5cdfeecb520f5c6ad49050b198
Opcode Fuzzy Hash: c7bdce44fb66b6d87fad31e3145b467d24a1a03662f28b7d73f637be701a3c5d
Instruction Fuzzy Hash: 11E04F32004710AEF7252B51FC05E777BEEEB04310B14882EF5A6804B5DB666C90EB50

Function 00FCCAF0 Relevance: 1.9, Strings: 1, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 01010C40

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.
API String ID: 0-1840281001
Opcode ID: 229ab5d7f15c8b0c67cc060d89d60e4b3c3db4fbe67a934ba0657fe2d3caaf0d
Instruction ID: 2b53f1eadf3511478ee7b15b90b8eb8923e17de52b7e26059d47b76c47451010
Opcode Fuzzy Hash: 229ab5d7f15c8b0c67cc060d89d60e4b3c3db4fbe67a934ba0657fe2d3caaf0d
Instruction Fuzzy Hash: B532B37190021ADFDF14DF94CA82FEDB7B5BF05304F14405DE88AAB286C779A945EBA0

Function 00FF676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00FF6766,?,?,00000008,?,?,00FFFEFE,00000000), ref: 00FF6998

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 7ba4a0d5e85085df9fe3aa6371106e1bc1ccc783735cd3002781d6c5fa2be061
Instruction ID: 354313f1f0b777b3f85ca43f3417393b60c1e1503177cbae3b6d1a13fdb4a6cb
Opcode Fuzzy Hash: 7ba4a0d5e85085df9fe3aa6371106e1bc1ccc783735cd3002781d6c5fa2be061
Instruction Fuzzy Hash: C7B15B32A106089FD715CF28C48AB657BE0FF05364F25865CE999CF2B2CB35E981DB40

Function 00FDB119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 0101851F

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: e43d8da97d70a584d342ceb44586fd7867e9ce1f3820b29c6046ec341de75371
Instruction ID: 977a22e6205ed0a2b4300059dca93592301f2cbc33fbe50f6cf017fe6932540e
Opcode Fuzzy Hash: e43d8da97d70a584d342ceb44586fd7867e9ce1f3820b29c6046ec341de75371
Instruction Fuzzy Hash: 2A125D71D00229DBDB65CF58C880BEEB7F5FF48310F15819AE849EB255E7349A81DB90

Function 0103EAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 0103EABD

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 3026ffd2eeb6bcdf85937ec0327aefa22db031fdaca3ce945ce2c3ebed43c290
Instruction ID: e4caa2fd11fa2a5ae3331847a59755932deb3314ffd0be5a6dbeaaa0ed366e34
Opcode Fuzzy Hash: 3026ffd2eeb6bcdf85937ec0327aefa22db031fdaca3ce945ce2c3ebed43c290
Instruction Fuzzy Hash: D0E01A352002059FD710EF59D905E9AB7EDAF98760F00841AFC89C7351DA75B8418BA0

Function 0102E355 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 0102E37E

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: 54abe1903e54824b5d4b103af54dc5d27a47f0829287d2ed68826575aaf1747b
Instruction ID: edb7a0af1bfd72eb959b9be999aee05d153338ddd201999149cf4042f5612141
Opcode Fuzzy Hash: 54abe1903e54824b5d4b103af54dc5d27a47f0829287d2ed68826575aaf1747b
Instruction Fuzzy Hash: 19D05EF25D03213DFBBD0A3CCE2FF7A698CE302583F40D789F2C289689DA91A4444021

Function 00FE09D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,00FE03EE), ref: 00FE09DA

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 2a545b325d62e647a4ed04d6cd805365feb3d5a00192d4b91272cfc7b9e86173
Instruction ID: 07aa1ab62765a13b2e25c995c4884a53ef6c5973b04f1a1df51445acaea972c4
Opcode Fuzzy Hash: 2a545b325d62e647a4ed04d6cd805365feb3d5a00192d4b91272cfc7b9e86173
Instruction Fuzzy Hash:

Function 00FE781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 00FE798B

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: d3076e0523725e7661ee0f5526f578af9a583801f9a89f118c2c194249c1b9ae
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: 4E515772E0C7C55ADB38B56B88597BF63899F22360F280519D886C7293C619DF06F352

Function 00FF6DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69df661e144dc3a2317659699be4f6770122f2617192f9cc97a372e596f9e298
Instruction ID: 09e77f15e3bf31845954a39c74bab6001de4587581a68be259e8834dff5ed2df
Opcode Fuzzy Hash: 69df661e144dc3a2317659699be4f6770122f2617192f9cc97a372e596f9e298
Instruction Fuzzy Hash: A7324532D29F054DD723A534D822335A249AFB73D5F19D737F81AB5AB9EB2AC4835200

Function 00FDCC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adf033b86711acc4b08b57c169fc7d584d4094a29be09e56e7a53cdff734ac78
Instruction ID: 44e44a2b80ebf2548dbafc9a50a7d9053ef81ef848a4d804c3f0b50e11c1dcea
Opcode Fuzzy Hash: adf033b86711acc4b08b57c169fc7d584d4094a29be09e56e7a53cdff734ac78
Instruction Fuzzy Hash: 9A321532A441868BFF24CE2CC6946BD7BE2FB45314F5885ABD6C5CB289D238DC81DB41

Function 00FC7920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fa77adae676d37bbe6b270dec25c71da9a3b74de4b99df8c5ec7352d3577b44
Instruction ID: 613a6e0f872cd6521dd16cdb7d0693c456e42dd18dce01799eed0921fc69fd05
Opcode Fuzzy Hash: 1fa77adae676d37bbe6b270dec25c71da9a3b74de4b99df8c5ec7352d3577b44
Instruction Fuzzy Hash: 0322B070A0420A9FEF15DF68CD42BAEB7F6FF44300F144529E856A7291EB3AA914DF50

Function 00FC91C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b27f07beecd7883a3c15d1a3fd2437579f8ead045c252f7736f880bfa83d5c33
Instruction ID: d177964b134e96d0cad2ff45b016fb60ab732028549560e7d5523c76f37f48f4
Opcode Fuzzy Hash: b27f07beecd7883a3c15d1a3fd2437579f8ead045c252f7736f880bfa83d5c33
Instruction Fuzzy Hash: 1202E5B1E0020AEBDB05DF54D981FAEB7B1FF44300F108569E846AB391EB35EA55DB90

Function 00FF9EEE Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82902383dfbac00c5c5b8010ca0f2be107a46c31e6790ee30046f4205a356c66
Instruction ID: d7fa066e965204c49bc83e5177812dd3021db1521806f4314ba6f97b163ee36b
Opcode Fuzzy Hash: 82902383dfbac00c5c5b8010ca0f2be107a46c31e6790ee30046f4205a356c66
Instruction Fuzzy Hash: DCB1E230D2AF504DD22396398431336B65CBFBB6D5F51D31BFC5A78E66EB2685834280

Function 00FE1C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: 43484d9248cd1a29405e2a6242537ee91be5855fa17e774d44db07b80a65266d
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: B4915773A080E349DB29463F857457EFFE16A923B131A079EE4F2CA1C5EE349954F620

Function 00FE1F32 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction ID: 7be6fdec552788ff537ed4737b04b4cdb89a206e0b443f1f6d4955877d888cb8
Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction Fuzzy Hash: 3B916573A090E349DB69463B887413EFFE55A923B131A079ED4F2CB1C5FE248A54F620

Function 00FE19B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: a437e2e9f4909046052c1998d455bbe8649adfc48c261b100111ff3f8ffcda7e
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: 709122736090E34ADB69467B857407EFFE16A927B131A07AED4F2CA1C1FE348564F620

Function 00FE7A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7175a011beb3dbab2e0ead8a57e0e07cd4eb43a3a8aa4924bf7477eb555d4efc
Instruction ID: 44a8783052f87231bf1ada67da925c2f608be6742d1817815eb67942b10368e6
Opcode Fuzzy Hash: 7175a011beb3dbab2e0ead8a57e0e07cd4eb43a3a8aa4924bf7477eb555d4efc
Instruction Fuzzy Hash: A6617D31E087C956DA34B92F4C55BBF3394DF81B60F20092EE843CB2A5D6199E43B315

Function 00FE7CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ae835cbc875afe3cb709b5258a32d403468c1154cb1db2314d2cd2d104754d3
Instruction ID: fd13c5872ec2815bca2ab240658ae13ee35c7c430b1caa552470d640ead6c463
Opcode Fuzzy Hash: 6ae835cbc875afe3cb709b5258a32d403468c1154cb1db2314d2cd2d104754d3
Instruction Fuzzy Hash: D0618C71E0C7C966DE38792B4C91BBF338ADF42760F14095AE943CB281DA16AD42B315

Function 00FE1706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 6727b7b9ac030c156ceb72b34f2f726604f9acb74b6c09738b10ced8660034f6
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: A4813173A090E349DB69463B857447EFFE17A923B131A079DD4F2CA1C1EE349654F620

Function 01032046 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e72f7951565bf158f85638cbe203f9465f9501a85e4f6c57d7911be7e19c39e3
Instruction ID: 3bb6ba3168c1717527b5c4748e342c11e3bc52c146769921f93703c8ac6f391d
Opcode Fuzzy Hash: e72f7951565bf158f85638cbe203f9465f9501a85e4f6c57d7911be7e19c39e3
Instruction Fuzzy Hash: 0821BB326215118BD728CE79C82267EB3D9B794310F15866EE4E7C77C5DE3AA904C780

Function 01042ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 01042B30
DeleteObject.GDI32(00000000), ref: 01042B43
DestroyWindow.USER32 ref: 01042B52
GetDesktopWindow.USER32 ref: 01042B6D
GetWindowRect.USER32(00000000), ref: 01042B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 01042CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 01042CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01042CF8
GetClientRect.USER32(00000000,?), ref: 01042D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 01042D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01042D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01042D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01042D80
GlobalLock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01042D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01042D98
GlobalUnlock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01042DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01042DA8
GlobalFree.KERNEL32(00000000), ref: 01042DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01042DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,0105FC38,00000000), ref: 01042DDB
GlobalFree.KERNEL32(00000000), ref: 01042DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 01042E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 01042E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01042E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0104303F

Strings

DISPLAY, xrefs: 01042EA2
static, xrefs: 01042D3A, 01042E91
AutoIt v3, xrefs: 01042CF2
, xrefs: 01042FC5

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 82e9476434833e86ff5a114f90bed55c8827ad85320438cd50881f6f5473c312
Instruction ID: 789e72ef46ab67acddda58bcff33a066200c627709fe256cb874bd805592c40f
Opcode Fuzzy Hash: 82e9476434833e86ff5a114f90bed55c8827ad85320438cd50881f6f5473c312
Instruction Fuzzy Hash: 81028EB5600209AFEB24DF64DD89EAF7BB9FB48310F048558F955AB294C739AD00CB60

Function 010570D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0105712F
GetSysColorBrush.USER32(0000000F), ref: 01057160
GetSysColor.USER32(0000000F), ref: 0105716C
SetBkColor.GDI32(?,000000FF), ref: 01057186
SelectObject.GDI32(?,?), ref: 01057195
InflateRect.USER32(?,000000FF,000000FF), ref: 010571C0
GetSysColor.USER32(00000010), ref: 010571C8
CreateSolidBrush.GDI32(00000000), ref: 010571CF
FrameRect.USER32(?,?,00000000), ref: 010571DE
DeleteObject.GDI32(00000000), ref: 010571E5
InflateRect.USER32(?,000000FE,000000FE), ref: 01057230
FillRect.USER32(?,?,?), ref: 01057262
GetWindowLongW.USER32(?,000000F0), ref: 01057284

Part of subcall function 010573E8: GetSysColor.USER32(00000012), ref: 01057421
Part of subcall function 010573E8: SetTextColor.GDI32(?,?), ref: 01057425
Part of subcall function 010573E8: GetSysColorBrush.USER32(0000000F), ref: 0105743B
Part of subcall function 010573E8: GetSysColor.USER32(0000000F), ref: 01057446
Part of subcall function 010573E8: GetSysColor.USER32(00000011), ref: 01057463
Part of subcall function 010573E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 01057471
Part of subcall function 010573E8: SelectObject.GDI32(?,00000000), ref: 01057482
Part of subcall function 010573E8: SetBkColor.GDI32(?,00000000), ref: 0105748B
Part of subcall function 010573E8: SelectObject.GDI32(?,?), ref: 01057498
Part of subcall function 010573E8: InflateRect.USER32(?,000000FF,000000FF), ref: 010574B7
Part of subcall function 010573E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 010574CE
Part of subcall function 010573E8: GetWindowLongW.USER32(00000000,000000F0), ref: 010574DB

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 9cdf107969a5d380be49203dc47e7e86fbd0e0e9741f2c6e34f9d535b5f948ad
Instruction ID: ca04069cb80884e2ff3a99df831c2b1924af4190cefe66d7ff4347fb6dd273a2
Opcode Fuzzy Hash: 9cdf107969a5d380be49203dc47e7e86fbd0e0e9741f2c6e34f9d535b5f948ad
Instruction Fuzzy Hash: FFA1C072008301AFEB619F64DD48E5BBBE9FB49320F500A19FAE2961D0D73AD944DB51

Function 00FD8D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00FD8E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 01016AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 01016AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 01016F43

Part of subcall function 00FD8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00FD8BE8,?,00000000,?,?,?,?,00FD8BBA,00000000,?), ref: 00FD8FC5

SendMessageW.USER32(?,00001053), ref: 01016F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 01016F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 01016FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 01016FB7

Strings

0, xrefs: 01016DCF

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: 4b75feb04920239a5e12b11e5535ef9cc4b1e5835a04b29fddb8e95cabdec98c
Instruction ID: 4e4aa430e69d626ed9506de72323e62cc59b2801452718bdb23f0d25f514dc46
Opcode Fuzzy Hash: 4b75feb04920239a5e12b11e5535ef9cc4b1e5835a04b29fddb8e95cabdec98c
Instruction Fuzzy Hash: C712E031600201EFDB22CF18C984BA6BBE6FB44310F5844A9F5D58B259CB7BE892DF51

Function 01042711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 0104273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0104286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 010428A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 010428B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 01042900
GetClientRect.USER32(00000000,?), ref: 0104290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 01042955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 01042964
GetStockObject.GDI32(00000011), ref: 01042974
SelectObject.GDI32(00000000,00000000), ref: 01042978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 01042988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 01042991
DeleteDC.GDI32(00000000), ref: 0104299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 010429C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 010429DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 01042A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 01042A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 01042A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 01042A77
GetStockObject.GDI32(00000011), ref: 01042A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 01042A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 01042A97

Strings

msctls_progress32, xrefs: 01042A13
DISPLAY, xrefs: 0104295A
static, xrefs: 0104294F, 01042A71
AutoIt v3, xrefs: 010428F8

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 329c6572bd57726bc442b526fd2111d0654b2453da57874ae4deaacd0c446578
Instruction ID: e0ef44f62c2f4288697b5e6cdc374dfaaa8e2d3043f1bbec04efe15dc2c4c8a0
Opcode Fuzzy Hash: 329c6572bd57726bc442b526fd2111d0654b2453da57874ae4deaacd0c446578
Instruction Fuzzy Hash: 8BB14CB1A00205AFEB24DF68DD86FAF7BB9FB08710F008558F955E7290D775A940CB64

Function 01034ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 01034AED
GetDriveTypeW.KERNEL32(?,0105CB68,?,\\.\,0105CC08), ref: 01034BCA
SetErrorMode.KERNEL32(00000000,0105CB68,?,\\.\,0105CC08), ref: 01034D36

Strings

RAMDisk, xrefs: 01034BF4
Network, xrefs: 01034C02
iSCSI, xrefs: 01034CC2
PhysicalDrive, xrefs: 01034B76
Fixed, xrefs: 01034C09
ATA, xrefs: 01034C98
1394, xrefs: 01034C9F
Unknown, xrefs: 01034BED, 01034C83
SAS, xrefs: 01034CC9
SSD, xrefs: 01034C4A
SCSI, xrefs: 01034C8A
RAID, xrefs: 01034CBB
Virtual, xrefs: 01034CE5
CDROM, xrefs: 01034BFB
USB, xrefs: 01034CB4
SATA, xrefs: 01034CD0
ATAPI, xrefs: 01034C91
MMC, xrefs: 01034CDE
FileBackedVirtual, xrefs: 01034CEC
SSA, xrefs: 01034CA6
Fibre, xrefs: 01034CAD
Removable, xrefs: 01034C10, 01034C15
\\.\, xrefs: 01034B3F

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 30e18d0b6fb1e53db457410205f579521ee63f552a5eaa700ee582e001d2dc77
Instruction ID: 1e6e831b9a1810537b8608c90997c37fc1f6f17d55365e984c6b63b1fad8b943
Opcode Fuzzy Hash: 30e18d0b6fb1e53db457410205f579521ee63f552a5eaa700ee582e001d2dc77
Instruction Fuzzy Hash: 9D61D430A1820ADBCB84FF19CA86D6D77E9EB84300B148459F8C6EF252DB76DD85CB41

Function 010573E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 01057421
SetTextColor.GDI32(?,?), ref: 01057425
GetSysColorBrush.USER32(0000000F), ref: 0105743B
GetSysColor.USER32(0000000F), ref: 01057446
CreateSolidBrush.GDI32(?), ref: 0105744B
GetSysColor.USER32(00000011), ref: 01057463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 01057471
SelectObject.GDI32(?,00000000), ref: 01057482
SetBkColor.GDI32(?,00000000), ref: 0105748B
SelectObject.GDI32(?,?), ref: 01057498
InflateRect.USER32(?,000000FF,000000FF), ref: 010574B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 010574CE
GetWindowLongW.USER32(00000000,000000F0), ref: 010574DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0105752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 01057554
InflateRect.USER32(?,000000FD,000000FD), ref: 01057572
DrawFocusRect.USER32(?,?), ref: 0105757D
GetSysColor.USER32(00000011), ref: 0105758E
SetTextColor.GDI32(?,00000000), ref: 01057596
DrawTextW.USER32(?,010570F5,000000FF,?,00000000), ref: 010575A8
SelectObject.GDI32(?,?), ref: 010575BF
DeleteObject.GDI32(?), ref: 010575CA
SelectObject.GDI32(?,?), ref: 010575D0
DeleteObject.GDI32(?), ref: 010575D5
SetTextColor.GDI32(?,?), ref: 010575DB
SetBkColor.GDI32(?,?), ref: 010575E5

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: e5e577d05ea710fc3fce35321d1aea3d95563603d60254c23e3dc43c97fc68ad
Instruction ID: 6060bf5fcd5e182c3553fde11e2f04cf2228b927e4ecb8544467c5e6e4e7233f
Opcode Fuzzy Hash: e5e577d05ea710fc3fce35321d1aea3d95563603d60254c23e3dc43c97fc68ad
Instruction Fuzzy Hash: EA618B76900318AFEF119FA8DD48EAFBFB9EB09320F144111FA51AB291D7799940DF90

Function 01050FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 01051128
GetDesktopWindow.USER32 ref: 0105113D
GetWindowRect.USER32(00000000), ref: 01051144
GetWindowLongW.USER32(?,000000F0), ref: 01051199
DestroyWindow.USER32(?), ref: 010511B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 010511ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0105120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0105121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 01051232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 01051245
IsWindowVisible.USER32(00000000), ref: 010512A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 010512BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 010512D0
GetWindowRect.USER32(00000000,?), ref: 010512E8
MonitorFromPoint.USER32(?,?,00000002), ref: 0105130E
GetMonitorInfoW.USER32(00000000,?), ref: 01051328
CopyRect.USER32(?,?), ref: 0105133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 010513AA

Strings

(, xrefs: 0105131B
0, xrefs: 010510D3
tooltips_class32, xrefs: 010511E6

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 9c19c014065b880b5282ef2a52eb8468259bd55f9ab5a80dba6eefd3d8b16364
Instruction ID: 1c2b69344d8a0f295953e99213ca2f50275e59dff825986820b0fbc8b6326440
Opcode Fuzzy Hash: 9c19c014065b880b5282ef2a52eb8468259bd55f9ab5a80dba6eefd3d8b16364
Instruction Fuzzy Hash: 53B17B71608341AFE750DF68C985B6BBBE4FF88350F00895CF9999B291C775E844CBA1

Function 01050241 Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 010502E5
_wcslen.LIBCMT ref: 0105031F
_wcslen.LIBCMT ref: 01050389
_wcslen.LIBCMT ref: 010503F1
_wcslen.LIBCMT ref: 01050475
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 010504C5
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 01050504

Part of subcall function 00FDF9F2: _wcslen.LIBCMT ref: 00FDF9FD

Part of subcall function 0102223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 01022258
Part of subcall function 0102223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0102228A

Strings

SELECTCLEAR, xrefs: 0105052D
GETTEXT, xrefs: 010503EC, 01050407
ISSELECTED, xrefs: 010504DD
FINDITEM, xrefs: 01050627
GETITEMCOUNT, xrefs: 01050316, 01050337
GETSELECTED, xrefs: 010505E1
SELECTALL, xrefs: 01050515
DESELECT, xrefs: 0105059C
SELECT, xrefs: 01050548
GETSELECTEDCOUNT, xrefs: 01050470, 0105048B
VIEWCHANGE, xrefs: 01050675
GETSUBITEMCOUNT, xrefs: 01050384, 0105039F
SELECTINVERT, xrefs: 0105057E

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: 6b6d35ea65fe4367d4c0012b67de4f5cd2317f760a42905e058126e4fcbae1c3
Instruction ID: 0b4077c3ee2bf28d811df161a74e4e276515d6573c253b08bb04a6341abb20a7
Opcode Fuzzy Hash: 6b6d35ea65fe4367d4c0012b67de4f5cd2317f760a42905e058126e4fcbae1c3
Instruction Fuzzy Hash: 5DE18D312082018FC754EF28C95196FB7E6BF88314B14899DF8D69B3AADB34ED45CB91

Function 00FD8891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00FD8968
GetSystemMetrics.USER32(00000007), ref: 00FD8970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00FD899B
GetSystemMetrics.USER32(00000008), ref: 00FD89A3
GetSystemMetrics.USER32(00000004), ref: 00FD89C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00FD89E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00FD89F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00FD8A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00FD8A3C
GetClientRect.USER32(00000000,000000FF), ref: 00FD8A5A
GetStockObject.GDI32(00000011), ref: 00FD8A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00FD8A81

Part of subcall function 00FD912D: GetCursorPos.USER32(?), ref: 00FD9141
Part of subcall function 00FD912D: ScreenToClient.USER32(00000000,?), ref: 00FD915E
Part of subcall function 00FD912D: GetAsyncKeyState.USER32(00000001), ref: 00FD9183
Part of subcall function 00FD912D: GetAsyncKeyState.USER32(00000002), ref: 00FD919D

SetTimer.USER32(00000000,00000000,00000028,00FD90FC), ref: 00FD8AA8

Strings

AutoIt v3 GUI, xrefs: 00FD8A20

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 55357c8c22aff153fd93e1da7a48862440e1096ca4d450a07736e4a66ce6eccb
Instruction ID: 4eb4f241528e19fcef9be24c11f9ac05f0c2e3167365c9b84bc3f4eefff2442c
Opcode Fuzzy Hash: 55357c8c22aff153fd93e1da7a48862440e1096ca4d450a07736e4a66ce6eccb
Instruction Fuzzy Hash: 82B1A171A0030AAFDF14DFA8CD55BAE3BB5FB48320F04421AFA95A7284DB79D841DB51

Function 01020D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 010210F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 01021114
Part of subcall function 010210F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,01020B9B,?,?,?), ref: 01021120
Part of subcall function 010210F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,01020B9B,?,?,?), ref: 0102112F
Part of subcall function 010210F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,01020B9B,?,?,?), ref: 01021136
Part of subcall function 010210F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0102114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 01020DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 01020E29
GetLengthSid.ADVAPI32(?), ref: 01020E40
GetAce.ADVAPI32(?,00000000,?), ref: 01020E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 01020E96
GetLengthSid.ADVAPI32(?), ref: 01020EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 01020EB5
HeapAlloc.KERNEL32(00000000), ref: 01020EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 01020EDD
CopySid.ADVAPI32(00000000), ref: 01020EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 01020F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 01020F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 01020F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 01020F6E
HeapFree.KERNEL32(00000000), ref: 01020F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 01020F7E
HeapFree.KERNEL32(00000000), ref: 01020F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 01020F8E
HeapFree.KERNEL32(00000000), ref: 01020F95
GetProcessHeap.KERNEL32(00000000,?), ref: 01020FA1
HeapFree.KERNEL32(00000000), ref: 01020FA8

Part of subcall function 01021193: GetProcessHeap.KERNEL32(00000008,01020BB1,?,00000000,?,01020BB1,?), ref: 010211A1
Part of subcall function 01021193: HeapAlloc.KERNEL32(00000000,?,00000000,?,01020BB1,?), ref: 010211A8
Part of subcall function 01021193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,01020BB1,?), ref: 010211B7

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 0d7c4306cb32acf1b9620aed3aef29cbdf605db5fee6bebfcd7a1004a03a58f5
Instruction ID: 414c80a5f7cdc4de5d17ac9ae55a5a01caea83c3c4390766499f9a85f0d528a3
Opcode Fuzzy Hash: 0d7c4306cb32acf1b9620aed3aef29cbdf605db5fee6bebfcd7a1004a03a58f5
Instruction Fuzzy Hash: 8A71697290031AABEF609FA8DD48FAFBBBCFF05310F044155FA99A6184D7359A05CB60

Function 0104C3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0104C4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,0105CC08,00000000,?,00000000,?,?), ref: 0104C544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 0104C5A4
_wcslen.LIBCMT ref: 0104C5F4
_wcslen.LIBCMT ref: 0104C66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 0104C6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 0104C7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 0104C84D
RegCloseKey.ADVAPI32(?), ref: 0104C881
RegCloseKey.ADVAPI32(00000000), ref: 0104C88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 0104C960

Strings

REG_MULTI_SZ, xrefs: 0104C6F5
REG_DWORD, xrefs: 0104C804
REG_EXPAND_SZ, xrefs: 0104C5CD
REG_SZ, xrefs: 0104C644
REG_QWORD, xrefs: 0104C8C3
REG_BINARY, xrefs: 0104C913

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: f21f241aa135b46b02192bda49d3b69a65fe51e661f1b86d8389a30e60d9f738
Instruction ID: 9df99fcb117d2011496336e80a294ca21af3ab1e7a82ad56480ba77429ffa7b0
Opcode Fuzzy Hash: f21f241aa135b46b02192bda49d3b69a65fe51e661f1b86d8389a30e60d9f738
Instruction Fuzzy Hash: 4A124B756042019FE714DF14C981F2AB7E5EF88714F1888ACF98A9B3A2DB35ED41DB81

Function 0105091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 010509C6
_wcslen.LIBCMT ref: 01050A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 01050A54
_wcslen.LIBCMT ref: 01050A8A
_wcslen.LIBCMT ref: 01050B06
_wcslen.LIBCMT ref: 01050B81

Part of subcall function 00FDF9F2: _wcslen.LIBCMT ref: 00FDF9FD

Part of subcall function 01022BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 01022BFA

Strings

ISCHECKED, xrefs: 01050CE1
COLLAPSE, xrefs: 01050B01, 01050B1C
SELECT, xrefs: 01050D11
GETTEXT, xrefs: 01050C97
UNCHECK, xrefs: 01050D3E
EXPAND, xrefs: 01050BF8
CHECK, xrefs: 01050A85, 01050AA0
GETITEMCOUNT, xrefs: 01050C1E
GETTOTALCOUNT, xrefs: 010509F2, 01050A17
GETSELECTED, xrefs: 01050C4E
EXISTS, xrefs: 01050B7C, 01050B97

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: 451f02f370641aa4d40a2d92952e30288b1d0ee97fcb45654d10dbe1f85a4a8f
Instruction ID: 208526a9c86517e27150ffca01073d64b12efeec6e6b32476861f145fd2a1e46
Opcode Fuzzy Hash: 451f02f370641aa4d40a2d92952e30288b1d0ee97fcb45654d10dbe1f85a4a8f
Instruction Fuzzy Hash: 63E18C312083028FC754EF28C99196EB7E2BF88314B14899DF8D69B36AD735ED45CB91

Function 0104C998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,0104B6AE,?,?), ref: 0104C9B5
_wcslen.LIBCMT ref: 0104C9F1
_wcslen.LIBCMT ref: 0104CA68
_wcslen.LIBCMT ref: 0104CA9E
_wcslen.LIBCMT ref: 0104CAF9
_wcslen.LIBCMT ref: 0104CB2F
_wcslen.LIBCMT ref: 0104CB7F

Strings

HKCR, xrefs: 0104CB29, 0104CB2E
HKEY_LOCAL_MACHINE, xrefs: 0104CA62, 0104CA67
HKCU, xrefs: 0104CBCE
HKCC, xrefs: 0104CBAC
HKEY_CLASSES_ROOT, xrefs: 0104CAF3, 0104CAF8
HKEY_USERS, xrefs: 0104CBDF
HKLM, xrefs: 0104CA98, 0104CA9D
HKEY_CURRENT_CONFIG, xrefs: 0104CB79, 0104CB7E
HKU, xrefs: 0104CBF0
HKEY_CURRENT_USER, xrefs: 0104CBBD

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: aa8097ff272fdbefb87d527afbea3e3b6ed09f0a6ba49b7ad891324d21139d7f
Instruction ID: 9be53028545611bc08cccb4472303e906d30a10ed9bd862f963be31e4cebd335
Opcode Fuzzy Hash: aa8097ff272fdbefb87d527afbea3e3b6ed09f0a6ba49b7ad891324d21139d7f
Instruction Fuzzy Hash: A77116B26011268BEB21EE7CCED15BE33D1AF50658F1405B8F8D2A7286EA35CD54D3A0

Function 0105833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0105835A
_wcslen.LIBCMT ref: 0105836E
_wcslen.LIBCMT ref: 01058391
_wcslen.LIBCMT ref: 010583B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 010583F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,01055BF2), ref: 0105844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 01058487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 010584CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 01058501
FreeLibrary.KERNEL32(?), ref: 0105850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0105851D
DestroyIcon.USER32(?,?,?,?,?,01055BF2), ref: 0105852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 01058549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 01058555

Strings

.exe, xrefs: 01058388
.icl, xrefs: 01058368
.dll, xrefs: 010583AB

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: 49cfcd308f113b8c976a0af7fe2e1b7589799a9d4a81ae9a48a9768e1f6cb27c
Instruction ID: 765c0a873130c83775b5ea9eca32b75b087f5a599f2cb9d46ca5eba66ea43632
Opcode Fuzzy Hash: 49cfcd308f113b8c976a0af7fe2e1b7589799a9d4a81ae9a48a9768e1f6cb27c
Instruction Fuzzy Hash: B561F371900305BAEB64DF65CC41BBF7BACBB08711F10864AFD95D60D1DB78A980DBA0

Function 00FC7778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

", xrefs: 01005153
#ce, xrefs: 00FC78ED
Bad directive syntax error, xrefs: 0100519A
#comments-end, xrefs: 00FC78D9
#requireadmin, xrefs: 00FC77FF
', xrefs: 01005169
Unterminated group of comments, xrefs: 0100528C
#notrayicon, xrefs: 00FC77E7
#include, xrefs: 00FC7847
#comments-start, xrefs: 00FC785F, 00FC78B1
#cs, xrefs: 00FC7873, 00FC78C5
#pragma compile, xrefs: 00FC77D3
Cannot parse #include, xrefs: 01005279
#OnAutoItStartRegister, xrefs: 00FC7817
#include-once, xrefs: 00FC782F

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: 00e006548ab72022d952f379123aa868a78f4f25aa5414e8d882be3224a47d79
Instruction ID: fcf7541216843e4ce961162eba9dca8c2ad4a07aafccbcf76edea326698b87f6
Opcode Fuzzy Hash: 00e006548ab72022d952f379123aa868a78f4f25aa5414e8d882be3224a47d79
Instruction Fuzzy Hash: E9812B71A04306BBEB11BF65CE43FAF3BA9AF15340F044029F945AB192EB74D911EB91

Function 01033E79 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 01033EF8
_wcslen.LIBCMT ref: 01033F03
_wcslen.LIBCMT ref: 01033F5A
_wcslen.LIBCMT ref: 01033F98
GetDriveTypeW.KERNEL32(?), ref: 01033FD6
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0103401E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 01034059
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 01034087

Strings

close cd wait, xrefs: 01034072
closed, xrefs: 01033F08, 01033F2D, 01033F46, 01033F7E, 01033F97
set cd door , xrefs: 01034028
open, xrefs: 01033F54, 01033F59
open , xrefs: 01033FE5
close, xrefs: 01033EFE, 01033F18
wait, xrefs: 01034044
type cdaudio alias cd wait, xrefs: 01034001

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: d4fd4af78cb9606132c8289d472f6a87ef520d2dae0eb8bb6e5d73bf93f5f71a
Instruction ID: 928fe97a2c441c14f9660a0b30213eabb2c709f09d88f73714a7e80b3975e737
Opcode Fuzzy Hash: d4fd4af78cb9606132c8289d472f6a87ef520d2dae0eb8bb6e5d73bf93f5f71a
Instruction Fuzzy Hash: 3F71AE326082069FC310EF28C98196AB7E8FF84758F40496DF8D69B252EB35ED45CB91

Function 01025A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 01025A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 01025A40
SetWindowTextW.USER32(?,?), ref: 01025A57
GetDlgItem.USER32(?,000003EA), ref: 01025A6C
SetWindowTextW.USER32(00000000,?), ref: 01025A72
GetDlgItem.USER32(?,000003E9), ref: 01025A82
SetWindowTextW.USER32(00000000,?), ref: 01025A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 01025AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 01025AC3
GetWindowRect.USER32(?,?), ref: 01025ACC
_wcslen.LIBCMT ref: 01025B33
SetWindowTextW.USER32(?,?), ref: 01025B6F
GetDesktopWindow.USER32 ref: 01025B75
GetWindowRect.USER32(00000000), ref: 01025B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 01025BD3
GetClientRect.USER32(?,?), ref: 01025BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 01025C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 01025C2F

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: f1d53e02b00e1c7ea237f40532a1be3da06d89b6c5cf64ca27272bfea13c76b4
Instruction ID: 7ff1fa5800c433a0c72fffcbe8eccf487e91d5ad33c04a5d81c98ef64393458d
Opcode Fuzzy Hash: f1d53e02b00e1c7ea237f40532a1be3da06d89b6c5cf64ca27272bfea13c76b4
Instruction Fuzzy Hash: BD718D31A00719AFDB21DFA8CE85AAEBBF9FF48704F104958E582A3590D775E940CF64

Function 0103FE0E Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 0103FE27
LoadCursorW.USER32(00000000,00007F8A), ref: 0103FE32
LoadCursorW.USER32(00000000,00007F00), ref: 0103FE3D
LoadCursorW.USER32(00000000,00007F03), ref: 0103FE48
LoadCursorW.USER32(00000000,00007F8B), ref: 0103FE53
LoadCursorW.USER32(00000000,00007F01), ref: 0103FE5E
LoadCursorW.USER32(00000000,00007F81), ref: 0103FE69
LoadCursorW.USER32(00000000,00007F88), ref: 0103FE74
LoadCursorW.USER32(00000000,00007F80), ref: 0103FE7F
LoadCursorW.USER32(00000000,00007F86), ref: 0103FE8A
LoadCursorW.USER32(00000000,00007F83), ref: 0103FE95
LoadCursorW.USER32(00000000,00007F85), ref: 0103FEA0
LoadCursorW.USER32(00000000,00007F82), ref: 0103FEAB
LoadCursorW.USER32(00000000,00007F84), ref: 0103FEB6
LoadCursorW.USER32(00000000,00007F04), ref: 0103FEC1
LoadCursorW.USER32(00000000,00007F02), ref: 0103FECC
GetCursorInfo.USER32(?), ref: 0103FEDC
GetLastError.KERNEL32 ref: 0103FF1E

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: 2f30bee8ff4d5fa9fb8b9521ba1ba94e14e8c2a3b8daaa49d0660f388a5dc615
Instruction ID: 1e5c71dac791a446fef0f247d1adadba8b7dc0628437c6af8c842c024573423f
Opcode Fuzzy Hash: 2f30bee8ff4d5fa9fb8b9521ba1ba94e14e8c2a3b8daaa49d0660f388a5dc615
Instruction Fuzzy Hash: ED4170B0D0831AAEDB109FBA8C89C5EBFE8FF44314B50456AE55CE7281DB78A501CF91

Function 00FE00C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 00FE00C6

Part of subcall function 00FE00ED: InitializeCriticalSectionAndSpinCount.KERNEL32(0109070C,00000FA0,A3BDD54C,?,?,?,?,010023B3,000000FF), ref: 00FE011C
Part of subcall function 00FE00ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,010023B3,000000FF), ref: 00FE0127
Part of subcall function 00FE00ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,010023B3,000000FF), ref: 00FE0138
Part of subcall function 00FE00ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 00FE014E
Part of subcall function 00FE00ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00FE015C
Part of subcall function 00FE00ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00FE016A
Part of subcall function 00FE00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00FE0195
Part of subcall function 00FE00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00FE01A0

___scrt_fastfail.LIBCMT ref: 00FE00E7

Part of subcall function 00FE00A3: __onexit.LIBCMT ref: 00FE00A9

Strings

kernel32.dll, xrefs: 00FE0133
SleepConditionVariableCS, xrefs: 00FE0154
WakeAllConditionVariable, xrefs: 00FE0162
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00FE0122
InitializeConditionVariable, xrefs: 00FE0148

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: f508665f89de6b53fbc5c8e87d7a221249f2c91e9e7bebd301fa7b848d8b3a02
Instruction ID: 2511fe76afbbba382923e06275fc1dc0fb7de6a578eeee1a36d893dc40ab9528
Opcode Fuzzy Hash: f508665f89de6b53fbc5c8e87d7a221249f2c91e9e7bebd301fa7b848d8b3a02
Instruction Fuzzy Hash: 9B212C32E453416BE7206B76AD05B2F73A9EB05B71F04012AF9819A248DFFD8C409BA0

Function 010230F7 Relevance: 24.9, APIs: 8, Strings: 6, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0102318D
_wcslen.LIBCMT ref: 010231F8

Strings

REGEXPCLASS, xrefs: 01023255, 01023266
INSTANCE, xrefs: 01023453
CLASSNN, xrefs: 010231F3, 01023204
CLASS, xrefs: 01023188, 010231A5
NAME, xrefs: 01023335, 01023346
TEXT, xrefs: 0102347C

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 176396367-1603158881
Opcode ID: 3a3ffb6b1447b27d11736a63240bababf3fccdeaa75e9626cbcd5dc7872798f7
Instruction ID: 157dacd096bfe8aba8e593b81ab71b9b1ab11b70027ab07d9ea76d88b2044e62
Opcode Fuzzy Hash: 3a3ffb6b1447b27d11736a63240bababf3fccdeaa75e9626cbcd5dc7872798f7
Instruction Fuzzy Hash: ABE10731A001369BCB599F68C851BEEFBB0BF08710F54819AE5D6FB241DF38A945DB90

Function 010344C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,0105CC08), ref: 01034527
_wcslen.LIBCMT ref: 0103453B
_wcslen.LIBCMT ref: 01034599
_wcslen.LIBCMT ref: 010345F4
_wcslen.LIBCMT ref: 0103463F
_wcslen.LIBCMT ref: 010346A7

Part of subcall function 00FDF9F2: _wcslen.LIBCMT ref: 00FDF9FD

GetDriveTypeW.KERNEL32(?,01086BF0,00000061), ref: 01034743

Strings

ramdisk, xrefs: 010346F1
all, xrefs: 01034531, 01034536
removable, xrefs: 010345EA, 010345EF
network, xrefs: 0103469D, 010346A2
fixed, xrefs: 01034635, 0103463A
cdrom, xrefs: 0103458F, 01034594
unknown, xrefs: 01034708

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: fc16a745375c16ce59f4bcc49b5a50486f2be9dced94b41a62178de67609651d
Instruction ID: 645714274be73efbfdc883f0738085f816fea35adc374fdcd4b149801890ebcc
Opcode Fuzzy Hash: fc16a745375c16ce59f4bcc49b5a50486f2be9dced94b41a62178de67609651d
Instruction Fuzzy Hash: 95B1EF31A083029BC711DF28C891A6EBBE9BFD9764F40495DF5D6CB292D734D884CB92

Function 01043FE9 Relevance: 23.2, APIs: 11, Strings: 2, Instructions: 478libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,0105CC08), ref: 010440BB
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 010440CD
GetModuleFileNameW.KERNEL32(?,?,00000104,?,?,?,0105CC08), ref: 010440F2
FreeLibrary.KERNEL32(00000000,?,0105CC08), ref: 0104413E
StringFromGUID2.OLE32(?,?,00000028,?,0105CC08), ref: 010441A8
SysFreeString.OLEAUT32(00000009), ref: 01044262
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 010442C8
SysFreeString.OLEAUT32(?), ref: 010442F2

Strings

kernel32.dll, xrefs: 010440B6
GetModuleHandleExW, xrefs: 010440C7

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: FreeString$Library$AddressFileFromLoadModuleNamePathProcQueryType
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 354098117-199464113
Opcode ID: d1890d663c50f085719558b68e4589baca0aec9ac233b55347ab4364ddd5dc73
Instruction ID: 60443189394115612226b2d0a3a4f0478a6a81fe34c0b6a4ab9148020ba00517
Opcode Fuzzy Hash: d1890d663c50f085719558b68e4589baca0aec9ac233b55347ab4364ddd5dc73
Instruction Fuzzy Hash: 98123AB5A00205AFDB55CF58C9C4EAEBBB9FF85314F1480A8E945DB251CB31ED46CBA0

Function 00FC326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(01091990), ref: 01002F8D
GetMenuItemCount.USER32(01091990), ref: 0100303D
GetCursorPos.USER32(?), ref: 01003081
SetForegroundWindow.USER32(00000000), ref: 0100308A
TrackPopupMenuEx.USER32(01091990,00000000,?,00000000,00000000,00000000), ref: 0100309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 010030A9

Strings

0, xrefs: 00FC327D

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 68adfe2c4b685508efa959e53dd13e923f3b59018f63e3f09d928a1a7812451b
Instruction ID: 94b807a8fd8afb0a3495e064716f8d8ed9aa1ff02ef178209c3c723f8e681e13
Opcode Fuzzy Hash: 68adfe2c4b685508efa959e53dd13e923f3b59018f63e3f09d928a1a7812451b
Instruction Fuzzy Hash: BE713A31640316BEFB329F68CD49FAABFA8FF003A4F20421AF6556A1D0C7B1A950D750

Function 01056CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 01056DEB

Part of subcall function 00FC6B57: _wcslen.LIBCMT ref: 00FC6B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 01056E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 01056E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 01056E94
DestroyWindow.USER32(?), ref: 01056EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00FC0000,00000000), ref: 01056EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 01056EFD
GetDesktopWindow.USER32 ref: 01056F16
GetWindowRect.USER32(00000000), ref: 01056F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 01056F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 01056F4D

Part of subcall function 00FD9944: GetWindowLongW.USER32(?,000000EB), ref: 00FD9952

Strings

0, xrefs: 01056D98
tooltips_class32, xrefs: 01056E58, 01056EDD

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: f2beec0feb9b57d40df6fe82233408117ff30e3d351cff38dbf19d729774044b
Instruction ID: 2998fdbf7e703a84f0a3a86631c9f0c7ebb6f6908ec9de52199693b2f372a2f6
Opcode Fuzzy Hash: f2beec0feb9b57d40df6fe82233408117ff30e3d351cff38dbf19d729774044b
Instruction Fuzzy Hash: C6716970504345AFEB61CF18C844FABBBE9FB89304F84055DFAD987261C776A906DB11

Function 0105911E Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00FD9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00FD9BB2

DragQueryPoint.SHELL32(?,?), ref: 01059147

Part of subcall function 01057674: ClientToScreen.USER32(?,?), ref: 0105769A
Part of subcall function 01057674: GetWindowRect.USER32(?,?), ref: 01057710
Part of subcall function 01057674: PtInRect.USER32(?,?,01058B89), ref: 01057720

SendMessageW.USER32(?,000000B0,?,?), ref: 010591B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 010591BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 010591DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 01059225
SendMessageW.USER32(?,000000B0,?,?), ref: 0105923E
SendMessageW.USER32(?,000000B1,?,?), ref: 01059255
SendMessageW.USER32(?,000000B1,?,?), ref: 01059277
DragFinish.SHELL32(?), ref: 0105927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 01059371

Strings

@GUI_DRAGID, xrefs: 010592E9
@GUI_DROPID, xrefs: 0105929E
@GUI_DRAGFILE, xrefs: 01059320

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 221274066-3440237614
Opcode ID: 5f247743e2ad3d32ee3e69062d53b9fb5b37aa0dc7a07078ea60e1ece551d381
Instruction ID: 58f806bd275674eae79d61fba095c3c1e0ee32154f1bb3667fae54ca9072feff
Opcode Fuzzy Hash: 5f247743e2ad3d32ee3e69062d53b9fb5b37aa0dc7a07078ea60e1ece551d381
Instruction Fuzzy Hash: 5E61AC71108302AFD701DF60DD89EAFBBE8EF88350F00091EF595931A1DB75AA49CB62

Function 0103C476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0103C4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0103C4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0103C4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0103C4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0103C533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0103C549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0103C554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0103C584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0103C5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0103C5F0
InternetCloseHandle.WININET(00000000), ref: 0103C5FB

Strings

, xrefs: 0103C575

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 4bd63c451269309e330bd849329dbff0aba286804d06125490a384e921721c2b
Instruction ID: d214f0364ae95bed53927da43e7ca1b09b9085b1311a5eed64de401775838c2c
Opcode Fuzzy Hash: 4bd63c451269309e330bd849329dbff0aba286804d06125490a384e921721c2b
Instruction Fuzzy Hash: D3512AB1500709BFFB219F65CA88AAB7BFCFB48754F00441AF986E6640DB35D944DB60

Function 0105856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 01058592
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 010585A2
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 010585AD
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 010585BA
GlobalLock.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 010585C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 010585D7
GlobalUnlock.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 010585E0
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 010585E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 010585F8
OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,0105FC38,?), ref: 01058611
GlobalFree.KERNEL32(00000000), ref: 01058621
GetObjectW.GDI32(?,00000018,?), ref: 01058641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 01058671
DeleteObject.GDI32(?), ref: 01058699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 010586AF

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: b742781240606bec15c6863a0153ccbe0993fc23b1f561a7e4da60026cd43654
Instruction ID: 47d618dd90bcdd9f69d35c5afe450d3c0a87b5c920e8cd293da26d7c6663db9f
Opcode Fuzzy Hash: b742781240606bec15c6863a0153ccbe0993fc23b1f561a7e4da60026cd43654
Instruction Fuzzy Hash: C1411875600308AFEB619FA9CD48EAB7BBCEB89755F008059FD8AE7250D7359941CB20

Function 010314BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 01031502
VariantCopy.OLEAUT32(?,?), ref: 0103150B
VariantClear.OLEAUT32(?), ref: 01031517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 010315FB
VarR8FromDec.OLEAUT32(?,?), ref: 01031657
VariantInit.OLEAUT32(?), ref: 01031708
SysFreeString.OLEAUT32(?), ref: 0103178C
VariantClear.OLEAUT32(?), ref: 010317D8
VariantClear.OLEAUT32(?), ref: 010317E7
VariantInit.OLEAUT32(00000000), ref: 01031823

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 01031625
Default, xrefs: 010316AF

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: 55fd9dd860fa915e00d82ed874eede5a2d07d98e990d3a333f8486e8378011d3
Instruction ID: da47acbff63726c8e79584fca27e35c74f55a36eff67986261357d062c3f2068
Opcode Fuzzy Hash: 55fd9dd860fa915e00d82ed874eede5a2d07d98e990d3a333f8486e8378011d3
Instruction Fuzzy Hash: 83D1F531A00215DBEB10DF65D885B7DBBF9BF49700F08849AF596AB2C0DB38E845DB61

Function 0104B60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00FC9CB3: _wcslen.LIBCMT ref: 00FC9CBD

Part of subcall function 0104C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0104B6AE,?,?), ref: 0104C9B5
Part of subcall function 0104C998: _wcslen.LIBCMT ref: 0104C9F1
Part of subcall function 0104C998: _wcslen.LIBCMT ref: 0104CA68
Part of subcall function 0104C998: _wcslen.LIBCMT ref: 0104CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0104B6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0104B772
RegDeleteValueW.ADVAPI32(?,?), ref: 0104B80A
RegCloseKey.ADVAPI32(?), ref: 0104B87E
RegCloseKey.ADVAPI32(?), ref: 0104B89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 0104B8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0104B904
RegDeleteKeyW.ADVAPI32(?,?), ref: 0104B922
FreeLibrary.KERNEL32(00000000), ref: 0104B983
RegCloseKey.ADVAPI32(00000000), ref: 0104B994

Strings

RegDeleteKeyExW, xrefs: 0104B8FE
advapi32.dll, xrefs: 0104B8ED

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: 4acf04ee6f46b210fb4464dd87deb371c84a1f383c8f767a238411efcdbf15c8
Instruction ID: 0fa857f958cc23a1109c60b9f527a32efbcf6514700b0bbb4236de3c20fcec74
Opcode Fuzzy Hash: 4acf04ee6f46b210fb4464dd87deb371c84a1f383c8f767a238411efcdbf15c8
Instruction Fuzzy Hash: EAC19074208302AFE714DF18C5D5F2ABBE5BF85318F1884ACF5994B292CB75E845CB91

Function 0104255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 010425D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 010425E8
CreateCompatibleDC.GDI32(?), ref: 010425F4
SelectObject.GDI32(00000000,?), ref: 01042601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 0104266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 010426AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 010426D0
SelectObject.GDI32(?,?), ref: 010426D8
DeleteObject.GDI32(?), ref: 010426E1
DeleteDC.GDI32(?), ref: 010426E8
ReleaseDC.USER32(00000000,?), ref: 010426F3

Strings

(, xrefs: 0104268D

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: b0394cce294b233228d755ee075c1982f92548752441a9472bc95e6ad3478925
Instruction ID: ebb7516b21aac65492506810bbd7beedf6809b38409b2a7633bea89a13f26e41
Opcode Fuzzy Hash: b0394cce294b233228d755ee075c1982f92548752441a9472bc95e6ad3478925
Instruction Fuzzy Hash: C06103B5E00309EFDF15CFA4D984AAEBBB9FF48310F208529E996A7240D735A940CF54

Function 00FFDA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 00FFDAA1

Part of subcall function 00FFD63C: _free.LIBCMT ref: 00FFD659
Part of subcall function 00FFD63C: _free.LIBCMT ref: 00FFD66B
Part of subcall function 00FFD63C: _free.LIBCMT ref: 00FFD67D
Part of subcall function 00FFD63C: _free.LIBCMT ref: 00FFD68F
Part of subcall function 00FFD63C: _free.LIBCMT ref: 00FFD6A1
Part of subcall function 00FFD63C: _free.LIBCMT ref: 00FFD6B3
Part of subcall function 00FFD63C: _free.LIBCMT ref: 00FFD6C5
Part of subcall function 00FFD63C: _free.LIBCMT ref: 00FFD6D7
Part of subcall function 00FFD63C: _free.LIBCMT ref: 00FFD6E9
Part of subcall function 00FFD63C: _free.LIBCMT ref: 00FFD6FB
Part of subcall function 00FFD63C: _free.LIBCMT ref: 00FFD70D
Part of subcall function 00FFD63C: _free.LIBCMT ref: 00FFD71F
Part of subcall function 00FFD63C: _free.LIBCMT ref: 00FFD731

_free.LIBCMT ref: 00FFDA96

Part of subcall function 00FF29C8: HeapFree.KERNEL32(00000000,00000000,?,00FFD7D1,00000000,00000000,00000000,00000000,?,00FFD7F8,00000000,00000007,00000000,?,00FFDBF5,00000000), ref: 00FF29DE
Part of subcall function 00FF29C8: GetLastError.KERNEL32(00000000,?,00FFD7D1,00000000,00000000,00000000,00000000,?,00FFD7F8,00000000,00000007,00000000,?,00FFDBF5,00000000,00000000), ref: 00FF29F0

_free.LIBCMT ref: 00FFDAB8
_free.LIBCMT ref: 00FFDACD
_free.LIBCMT ref: 00FFDAD8
_free.LIBCMT ref: 00FFDAFA
_free.LIBCMT ref: 00FFDB0D
_free.LIBCMT ref: 00FFDB1B
_free.LIBCMT ref: 00FFDB26
_free.LIBCMT ref: 00FFDB5E
_free.LIBCMT ref: 00FFDB65
_free.LIBCMT ref: 00FFDB82
_free.LIBCMT ref: 00FFDB9A

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 1955f9c0b15aff1182d4f5299f420dee94cb5b24986574eeb4c479b1ed60a499
Instruction ID: 7db2b4ce6ed656709ca0ed45ad540b207daa4ad072b66c91bfe431cbaa6a346c
Opcode Fuzzy Hash: 1955f9c0b15aff1182d4f5299f420dee94cb5b24986574eeb4c479b1ed60a499
Instruction Fuzzy Hash: BF316B31A442099FEB31AA38EC45B7A77EAFF40320F104519E248D71B2DB79AC40B724

Function 0102365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0102369C
_wcslen.LIBCMT ref: 010236A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 01023797
GetClassNameW.USER32(?,?,00000400), ref: 0102380C
GetDlgCtrlID.USER32(?), ref: 0102385D
GetWindowRect.USER32(?,?), ref: 01023882
GetParent.USER32(?), ref: 010238A0
ScreenToClient.USER32(00000000), ref: 010238A7
GetClassNameW.USER32(?,?,00000100), ref: 01023921
GetWindowTextW.USER32(?,?,00000400), ref: 0102395D

Strings

%s%u, xrefs: 01023734

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: 549a7e2af6be28e3d60541bcd269c754679dd638e80658d298985cc891e1e990
Instruction ID: f04cb1c835e5a123f15fbc653c471f54f00fc338d8770e09be0f751137380c82
Opcode Fuzzy Hash: 549a7e2af6be28e3d60541bcd269c754679dd638e80658d298985cc891e1e990
Instruction Fuzzy Hash: 5591D371204316AFE719DE28C884FAAF7E9FF49344F008519FAD9DA180DB38E545CBA1

Function 01024954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 01024994
GetWindowTextW.USER32(?,?,00000400), ref: 010249DA
_wcslen.LIBCMT ref: 010249EB
CharUpperBuffW.USER32(?,00000000), ref: 010249F7
_wcsstr.LIBVCRUNTIME ref: 01024A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 01024A64
GetWindowTextW.USER32(?,?,00000400), ref: 01024A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 01024AE6
GetClassNameW.USER32(?,?,00000400), ref: 01024B20
GetWindowRect.USER32(?,?), ref: 01024B8B

Strings

ThumbnailClass, xrefs: 01024A6F, 01024AF1

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: 415a02b0e6b966f3e4c4fca31f6f09ea99aeb78e4baf5b74736d123e4424dfb5
Instruction ID: a9c8739b65da1caf8f69650002a3276102565b0379487eaee5a99d058541b12a
Opcode Fuzzy Hash: 415a02b0e6b966f3e4c4fca31f6f09ea99aeb78e4baf5b74736d123e4424dfb5
Instruction Fuzzy Hash: DA91CF311043269FEB15DF18C985FAA7BE8FF84314F0484A9EEC5DA086DB34E945CBA1

Function 01058D0E Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FD9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00FD9BB2

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 01058D5A
GetFocus.USER32 ref: 01058D6A
GetDlgCtrlID.USER32(00000000), ref: 01058D75
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 01058E1D
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 01058ECF
GetMenuItemCount.USER32(?), ref: 01058EEC
GetMenuItemID.USER32(?,00000000), ref: 01058EFC
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 01058F2E
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 01058F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 01058FA1

Strings

0, xrefs: 01058E9F

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: dbd1c0cb7413121c6b613fb8d9b1b8e25aa5b861dd3269d3b2d51dfed4512eab
Instruction ID: b932ce4c5e84672d20e2a4b0694a0998e87276ec70cf0117fc0acc376826bf33
Opcode Fuzzy Hash: dbd1c0cb7413121c6b613fb8d9b1b8e25aa5b861dd3269d3b2d51dfed4512eab
Instruction Fuzzy Hash: 7081E071508301AFEBA1CF2AC884AAB7BE9FB88314F04495EFEC597281D775D900DB61

Function 0102BF30 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(01091990,000000FF,00000000,00000030), ref: 0102BFAC
SetMenuItemInfoW.USER32(01091990,00000004,00000000,00000030), ref: 0102BFE1
Sleep.KERNEL32(000001F4), ref: 0102BFF3
GetMenuItemCount.USER32(?), ref: 0102C039
GetMenuItemID.USER32(?,00000000), ref: 0102C056
GetMenuItemID.USER32(?,-00000001), ref: 0102C082
GetMenuItemID.USER32(?,?), ref: 0102C0C9
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0102C10F
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0102C124
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0102C145

Strings

0, xrefs: 0102BF3D

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep
String ID: 0
API String ID: 1460738036-4108050209
Opcode ID: cbf29196f5765641d1b1365f9c931d5c3d813a7531203936a566f2789d613859
Instruction ID: eeffa7f55da7f0aeac87b5a553c27f4a9b75233f0f55a82e10effd8b8a93c42d
Opcode Fuzzy Hash: cbf29196f5765641d1b1365f9c931d5c3d813a7531203936a566f2789d613859
Instruction Fuzzy Hash: B1617270900366AFFF25CF58CA89AEE7FB8EF46344F144155F991A3281C739A944CB60

Function 0102DC0E Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 0102DC20
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 0102DC46
_wcslen.LIBCMT ref: 0102DC50
_wcsstr.LIBVCRUNTIME ref: 0102DCA0
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 0102DCBC

Strings

%u.%u.%u.%u, xrefs: 0102DD9A
DefaultLangCodepage, xrefs: 0102DD1F
StringFileInfo\, xrefs: 0102DC8F
\VarFileInfo\Translation, xrefs: 0102DCB4
04090000, xrefs: 0102DCF2

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: 0101db8c9f076c767e54ac0026aa789d25a3d15560e96b7ced678c5712cc812f
Instruction ID: 2de6ae04a3bebdc4902112de3f7730bae30dd8e1996a728c681127171adcb00d
Opcode Fuzzy Hash: 0101db8c9f076c767e54ac0026aa789d25a3d15560e96b7ced678c5712cc812f
Instruction Fuzzy Hash: 934127729443157AEB11B7B69C07EFF37ACEF41710F14006EFA85A6182EB799900A7A4

Function 0104CC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0104CC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 0104CC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0104CD48

Part of subcall function 0104CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 0104CCAA
Part of subcall function 0104CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 0104CCBD
Part of subcall function 0104CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0104CCCF
Part of subcall function 0104CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0104CD05
Part of subcall function 0104CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0104CD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 0104CCF3

Strings

RegDeleteKeyExW, xrefs: 0104CCC9
advapi32.dll, xrefs: 0104CCB8

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: 9470f3e7b70642ccab4c70a4eefa359033d736cc3827021c0d2e3a7e669e0fb9
Instruction ID: d70d66178d4370d11565521447afd4da8bc7631945d02a0538596e4bb4f68a71
Opcode Fuzzy Hash: 9470f3e7b70642ccab4c70a4eefa359033d736cc3827021c0d2e3a7e669e0fb9
Instruction Fuzzy Hash: E23170B1902219BBE7219B55DEC8EFFBBBCEF06650F000165F981E2104DA349A45DBA4

Function 01033D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 01033D40
_wcslen.LIBCMT ref: 01033D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 01033D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 01033DBE
RemoveDirectoryW.KERNEL32(?), ref: 01033DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 01033E55
CloseHandle.KERNEL32(00000000), ref: 01033E60
CloseHandle.KERNEL32(00000000), ref: 01033E6B

Strings

\??\%s, xrefs: 01033D5B
:, xrefs: 01033D82
\, xrefs: 01033D77

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: 86711502de403e5351f2bb550074e2ee27df764628bd61594cfa5f2305068d3a
Instruction ID: e51e08adb5e48bea57eca0a913d0d69b6654cc5a1135609973e300aa1b1a0420
Opcode Fuzzy Hash: 86711502de403e5351f2bb550074e2ee27df764628bd61594cfa5f2305068d3a
Instruction Fuzzy Hash: 7731C471900209ABEB21AFA4DC89FEF37BDFF88740F1040B6F649D6155EB7492848B24

Function 0102E6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0102E6B4

Part of subcall function 00FDE551: timeGetTime.WINMM(?,?,0102E6D4), ref: 00FDE555

Sleep.KERNEL32(0000000A), ref: 0102E6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 0102E705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0102E727
SetActiveWindow.USER32 ref: 0102E746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 0102E754
SendMessageW.USER32(00000010,00000000,00000000), ref: 0102E773
Sleep.KERNEL32(000000FA), ref: 0102E77E
IsWindow.USER32 ref: 0102E78A
EndDialog.USER32(00000000), ref: 0102E79B

Strings

BUTTON, xrefs: 0102E719

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 9d4e02a73a708b4a61b158cc85950137f5fa99d00c911261b89d7e78d28663cc
Instruction ID: d6571726963978869342d59d3dda989e746c4162cf3a38f111d53dc79ad34332
Opcode Fuzzy Hash: 9d4e02a73a708b4a61b158cc85950137f5fa99d00c911261b89d7e78d28663cc
Instruction Fuzzy Hash: 0021A170248315BFFB315F64ED98A2A3BADF74D348B144425F5C281649DB7BAC108B64

Function 0102E9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00FC9CB3: _wcslen.LIBCMT ref: 00FC9CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0102EA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0102EA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0102EA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0102EA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0102EAA7

Strings

status PlayMe mode, xrefs: 0102EA58
close PlayMe, xrefs: 0102EA6E, 0102EA9B
play PlayMe, xrefs: 0102EAA2
play PlayMe wait, xrefs: 0102EA91
open , xrefs: 0102EA0C
alias PlayMe, xrefs: 0102EA36

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: 8e5376aeba2ca477589517177f46567dd008a95312eac14711dcaa38388e7f9e
Instruction ID: e04b0ee61003233abb3f7b24d09630a42612e7b1eb6dd09245dc9951f44e6f26
Opcode Fuzzy Hash: 8e5376aeba2ca477589517177f46567dd008a95312eac14711dcaa38388e7f9e
Instruction Fuzzy Hash: C111A331A9426A79E720B7A6DD4AEFF7ABCEBD1B00F40046DB4C1A60D1EEA11905C5B0

Function 01029F91 Relevance: 18.2, APIs: 12, Instructions: 188keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 0102A012
SetKeyboardState.USER32(?), ref: 0102A07D
GetAsyncKeyState.USER32(000000A0), ref: 0102A09D
GetKeyState.USER32(000000A0), ref: 0102A0B4
GetAsyncKeyState.USER32(000000A1), ref: 0102A0E3
GetKeyState.USER32(000000A1), ref: 0102A0F4
GetAsyncKeyState.USER32(00000011), ref: 0102A120
GetKeyState.USER32(00000011), ref: 0102A12E
GetAsyncKeyState.USER32(00000012), ref: 0102A157
GetKeyState.USER32(00000012), ref: 0102A165
GetAsyncKeyState.USER32(0000005B), ref: 0102A18E
GetKeyState.USER32(0000005B), ref: 0102A19C

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 99b40e338a74af86013de9780664d49159dddeb26aa430522454a5d979076a0e
Instruction ID: 48dd6d7bd2e032e7cc91d601c9223b8b5028e1e7d68e3838e3fc1219a3b0a850
Opcode Fuzzy Hash: 99b40e338a74af86013de9780664d49159dddeb26aa430522454a5d979076a0e
Instruction Fuzzy Hash: 8E510830A047A969FBB5DBA48410BEBBFF49F02384F0885D9D6C2575C3DE54A64CCB61

Function 01025CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 01025CE2
GetWindowRect.USER32(00000000,?), ref: 01025CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 01025D59
GetDlgItem.USER32(?,00000002), ref: 01025D69
GetWindowRect.USER32(00000000,?), ref: 01025D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 01025DCF
GetDlgItem.USER32(?,000003E9), ref: 01025DDD
GetWindowRect.USER32(00000000,?), ref: 01025DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 01025E31
GetDlgItem.USER32(?,000003EA), ref: 01025E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 01025E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 01025E67

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 6faf1a6117d570b4e4603b9aa32ebc74046d672754c1d00a0fcc436e33f7fcbd
Instruction ID: 152d405f33e426f05fb9bf38c35204dd6286ee1bc850d98a1e56467df85a8817
Opcode Fuzzy Hash: 6faf1a6117d570b4e4603b9aa32ebc74046d672754c1d00a0fcc436e33f7fcbd
Instruction Fuzzy Hash: 6F511E71A00319AFDF18DF68DD89AAE7BF9FB48300F108169F555E6294D774AE00CB60

Function 00FD8BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00FD8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00FD8BE8,?,00000000,?,?,?,?,00FD8BBA,00000000,?), ref: 00FD8FC5

DestroyWindow.USER32(?), ref: 00FD8C81
KillTimer.USER32(00000000,?,?,?,?,00FD8BBA,00000000,?), ref: 00FD8D1B
DestroyAcceleratorTable.USER32(00000000), ref: 01016973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00FD8BBA,00000000,?), ref: 010169A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00FD8BBA,00000000,?), ref: 010169B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00FD8BBA,00000000), ref: 010169D4
DeleteObject.GDI32(00000000), ref: 010169E6

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: b04d44c8731998eab72e8e84516732f01e919235581339a806174416fffe5eeb
Instruction ID: 30e9dc07e8e627d2688db4b622be3dc4e554fd3125bef301a950b42bc8c33556
Opcode Fuzzy Hash: b04d44c8731998eab72e8e84516732f01e919235581339a806174416fffe5eeb
Instruction Fuzzy Hash: ED61C331511701DFDB369F18DA4872A77F6FB40362F18455EE0C28B698CB7AA882EF50

Function 00FD9838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00FD9944: GetWindowLongW.USER32(?,000000EB), ref: 00FD9952

GetSysColor.USER32(0000000F), ref: 00FD9862

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 88f5cb535a0d9298f08fff5202eae91266199ff862cccb519f149edba08aa251
Instruction ID: 2aa66d14a289d063eb1ba67b2a9a8cd055d27dcee763063b30a26a33fb7344c2
Opcode Fuzzy Hash: 88f5cb535a0d9298f08fff5202eae91266199ff862cccb519f149edba08aa251
Instruction Fuzzy Hash: 5641C331508740AFEF305F789884BBA3BAAAB06731F584646F9E2872D5C7B59841FB11

Function 010296E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,0100F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 01029717
LoadStringW.USER32(00000000,?,0100F7F8,00000001), ref: 01029720

Part of subcall function 00FC9CB3: _wcslen.LIBCMT ref: 00FC9CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,0100F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 01029742
LoadStringW.USER32(00000000,?,0100F7F8,00000001), ref: 01029745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 01029866

Strings

Error: , xrefs: 0102981D
Line %d:, xrefs: 010297A0
^ ERROR, xrefs: 010297FB
Line %d (File "%s"):, xrefs: 0102978F
%s (%d) : ==> %s: %s %s, xrefs: 0102984A

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 3ffa372f08081040bd7804bbf14dc1b069da316e974d45ad716ae412981e56cb
Instruction ID: d0d856a784c6ff3ffb637b14b5e06494febdff46d47fffb4f78be28fada4c86d
Opcode Fuzzy Hash: 3ffa372f08081040bd7804bbf14dc1b069da316e974d45ad716ae412981e56cb
Instruction Fuzzy Hash: 1D417E7290422AAADB04FBE0DE47EEE7779AF14344F504029F24172091EF796F48DB61

Function 010206DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00FC6B57: _wcslen.LIBCMT ref: 00FC6B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 010207A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 010207BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 010207DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 01020804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 0102082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 01020837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0102083C

Strings

\CLSID, xrefs: 01020724
SOFTWARE\Classes\, xrefs: 0102070E
\IPC$, xrefs: 01020784

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 8123605bb68f659bc47b044cb37d4b705b91058f7bc3df1294c30f2f391e9bd9
Instruction ID: 92d6a2426e48097662593d5c5038d8dd15865b5a0db6f358ea0d56342bb44fa4
Opcode Fuzzy Hash: 8123605bb68f659bc47b044cb37d4b705b91058f7bc3df1294c30f2f391e9bd9
Instruction Fuzzy Hash: 00413772C10229ABDF21EBA4DD86DEEB7B8FF04350B044169F981A3151EB759E04DBA0

Function 01053F98 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 0105403B
CreateCompatibleDC.GDI32(00000000), ref: 01054042
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 01054055
SelectObject.GDI32(00000000,00000000), ref: 0105405D
GetPixel.GDI32(00000000,00000000,00000000), ref: 01054068
DeleteDC.GDI32(00000000), ref: 01054072
GetWindowLongW.USER32(?,000000EC), ref: 0105407C
SetLayeredWindowAttributes.USER32(?,?,00000000,00000001,?,00000000,?), ref: 01054092
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?), ref: 0105409E

Strings

static, xrefs: 01053FD3

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: a861da9c0dc43c12231a80d5035b5710b6e8633334526635b36aa234351eadcc
Instruction ID: d8e68cd59dc8e5821099e51a7b89c26d5c6fd02a47927798198c7b2b39b33501
Opcode Fuzzy Hash: a861da9c0dc43c12231a80d5035b5710b6e8633334526635b36aa234351eadcc
Instruction Fuzzy Hash: 70315932100315ABEF629FA8CD48FDB3BA8EF0D324F100215FA99E6090D73AD850DB64

Function 01043C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 01043C5C
CoInitialize.OLE32(00000000), ref: 01043C8A
CoUninitialize.OLE32 ref: 01043C94
_wcslen.LIBCMT ref: 01043D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 01043DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 01043ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 01043F0E
CoGetObject.OLE32(?,00000000,0105FB98,?), ref: 01043F2D
SetErrorMode.KERNEL32(00000000), ref: 01043F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 01043FC4
VariantClear.OLEAUT32(?), ref: 01043FD8

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: d29067689e8e61e7ec108c0c3f31c7f1faf87ab2ef9adbe86f17fd21fe310d29
Instruction ID: f31a65d9ff02bcd6794bb1a86086818772b40cd6851576adb90e5d41a4492093
Opcode Fuzzy Hash: d29067689e8e61e7ec108c0c3f31c7f1faf87ab2ef9adbe86f17fd21fe310d29
Instruction Fuzzy Hash: 64C143B1608316AFD710DF68C98492BBBE9FF89744F00496DF98A9B250DB31ED05CB52

Function 01037A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 01037AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 01037B8F
SHGetDesktopFolder.SHELL32(?), ref: 01037BA3
CoCreateInstance.OLE32(0105FD08,00000000,00000001,01086E6C,?), ref: 01037BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 01037C74
CoTaskMemFree.OLE32(?,?), ref: 01037CCC
SHBrowseForFolderW.SHELL32(?), ref: 01037D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 01037D7A
CoTaskMemFree.OLE32(00000000), ref: 01037D81
CoTaskMemFree.OLE32(00000000), ref: 01037DD6
CoUninitialize.OLE32 ref: 01037DDC

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: 4eb2cff4fc0129ff078bf05fe54f687f29f54694bf66329b4709d721028d0250
Instruction ID: 0585d6f8629ffab73b71ea21b4011b4f3399c165381abb8405ef044db60345ef
Opcode Fuzzy Hash: 4eb2cff4fc0129ff078bf05fe54f687f29f54694bf66329b4709d721028d0250
Instruction Fuzzy Hash: C7C15B75A00209AFDB14DF64C988DAEBBF9FF48304B148498E955DB361DB35ED41CB90

Function 0105541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 01055504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 01055515
CharNextW.USER32(00000158), ref: 01055544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 01055585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 0105559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 010555AC

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: f15ae9baa229bc82e89d979833c312dcab570878dbbbd6c5b5ae304626bafea6
Instruction ID: 4caaddc48938b08d9bb41b27b7040c4fff8d0932ab18e2641bc1d4b553a5bb73
Opcode Fuzzy Hash: f15ae9baa229bc82e89d979833c312dcab570878dbbbd6c5b5ae304626bafea6
Instruction Fuzzy Hash: B2616034A00209ABEFA19F54CC849FF7FB9FB0A724F004145FAA5AB290D7799641DF60

Function 0101FA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 0101FAAF
SafeArrayAllocData.OLEAUT32(?), ref: 0101FB08
VariantInit.OLEAUT32(?), ref: 0101FB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 0101FB3A
VariantCopy.OLEAUT32(?,?), ref: 0101FB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 0101FBA1
VariantClear.OLEAUT32(?), ref: 0101FBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 0101FBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0101FBCC
VariantClear.OLEAUT32(?), ref: 0101FBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0101FBE9

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 31b1c4a3aa9bd10b4595466aa01117d514fb07db3dc2d297ea3eb4507bf31cdd
Instruction ID: f33dd4b8a5946974266e18c8b704f3b5cfac0fe32dd8c7b44c6fb620ce0b2bad
Opcode Fuzzy Hash: 31b1c4a3aa9bd10b4595466aa01117d514fb07db3dc2d297ea3eb4507bf31cdd
Instruction Fuzzy Hash: 10417175A0031A9FDB10DF68C894DEEBFB9FF48344F008059E985A7255CB39A946CFA0

Function 01029C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 01029CA1
GetAsyncKeyState.USER32(000000A0), ref: 01029D22
GetKeyState.USER32(000000A0), ref: 01029D3D
GetAsyncKeyState.USER32(000000A1), ref: 01029D57
GetKeyState.USER32(000000A1), ref: 01029D6C
GetAsyncKeyState.USER32(00000011), ref: 01029D84
GetKeyState.USER32(00000011), ref: 01029D96
GetAsyncKeyState.USER32(00000012), ref: 01029DAE
GetKeyState.USER32(00000012), ref: 01029DC0
GetAsyncKeyState.USER32(0000005B), ref: 01029DD8
GetKeyState.USER32(0000005B), ref: 01029DEA

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 2915a5143f28e70b1948031c03be679613acdbdc56a50ece31853407706ba95b
Instruction ID: 26a567332e872774f4a7bf91b81aa6c8a958fa01838cd6f6ea70f0b7537fffce
Opcode Fuzzy Hash: 2915a5143f28e70b1948031c03be679613acdbdc56a50ece31853407706ba95b
Instruction Fuzzy Hash: 4C41D5345047F969FFB2966884043B6BEE06F0134CF0480DEDAC6575C3DBA595C8C7A2

Function 0104055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 010405BC
inet_addr.WSOCK32(?), ref: 0104061C
gethostbyname.WSOCK32(?), ref: 01040628
IcmpCreateFile.IPHLPAPI ref: 01040636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 010406C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 010406E5
IcmpCloseHandle.IPHLPAPI(?), ref: 010407B9
WSACleanup.WSOCK32 ref: 010407BF

Strings

Ping, xrefs: 01040676

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 010c19a7ce09c57a028c4dcf41bc2b59fb05afe05e720a4a791cf712406929c1
Instruction ID: 2ee0e32b7438322d7c5924cde3041e351450c91a41e1ad7db047c7b6cc484e62
Opcode Fuzzy Hash: 010c19a7ce09c57a028c4dcf41bc2b59fb05afe05e720a4a791cf712406929c1
Instruction Fuzzy Hash: 4291AF759043019FD320DF19C989F5ABBE0FF44318F0485A9F6AA9B6A6C735E845CF82

Function 01048CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 01048CF3

Part of subcall function 01028E54: _wcslen.LIBCMT ref: 01028E77

_wcslen.LIBCMT ref: 01048D4E
_wcslen.LIBCMT ref: 01048D9C
_wcslen.LIBCMT ref: 01048DDC
_wcslen.LIBCMT ref: 01048E6E

Strings

cdecl, xrefs: 01048D48, 01048D4D
none, xrefs: 01048E65, 01048E6A
stdcall, xrefs: 01048DD6, 01048DDB
winapi, xrefs: 01048D96, 01048D9B

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: 0c0c81302d8562f924d17fe791070c11fc8997e02ed0fac51adbd006e719d79b
Instruction ID: 94262c254dd44e50ca01705a2220f73d68e2a0edacffe26c5c1922a18bd2356a
Opcode Fuzzy Hash: 0c0c81302d8562f924d17fe791070c11fc8997e02ed0fac51adbd006e719d79b
Instruction Fuzzy Hash: 6851F3B1A000169BCB24EFADC9809BEB7E5BF54324B20867AE4A6E7285D734DD40C790

Function 0104372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 01043774
CoUninitialize.OLE32 ref: 0104377F
CoCreateInstance.OLE32(?,00000000,00000017,0105FB78,?), ref: 010437D9
IIDFromString.OLE32(?,?), ref: 0104384C
VariantInit.OLEAUT32(?), ref: 010438E4
VariantClear.OLEAUT32(?), ref: 01043936

Strings

Failed to create object, xrefs: 010437E4, 0104389A
Invalid parameter, xrefs: 01043865
NULL Pointer assignment, xrefs: 0104381E

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: dc0cf024e02d1424b52e0b43d157d1665b61f9d022fffb083ef5a5e6acc41fca
Instruction ID: 22041246f30a22d67ca3cd9d22a66e830c723a5951a5e554ff4969a5d86f3afd
Opcode Fuzzy Hash: dc0cf024e02d1424b52e0b43d157d1665b61f9d022fffb083ef5a5e6acc41fca
Instruction Fuzzy Hash: D0616CB0608311AFE321DF54C989B6ABBE8FF49714F00086DF9C59B291C774E948CB92

Function 01033388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 010333CF

Part of subcall function 00FC9CB3: _wcslen.LIBCMT ref: 00FC9CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 010333F0

Strings

Error: , xrefs: 010334D1
^ ERROR , xrefs: 0103349E
"%s" (%d) : ==> %s:%s%s, xrefs: 01033504
Incorrect parameters to object property !, xrefs: 010334AB
"%s" (%d) : ==> %s:, xrefs: 01033522
Line %d (File "%s"):, xrefs: 01033443, 0103345C

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: 4df17b82b60330386847a3a137bbd962ce7dd2177d564709b5d0263c17bfddc5
Instruction ID: 5565e6e7e224be49b43ef58daa33b66f1af3617cd0335cffee2ae2a60ad6bf4c
Opcode Fuzzy Hash: 4df17b82b60330386847a3a137bbd962ce7dd2177d564709b5d0263c17bfddc5
Instruction Fuzzy Hash: 8551BE3190421BAADF15EBA0CE47EEEB7B9BF14340F108169F54576091EB3A2F58DB60

Function 0102B5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 0102B5FC
_wcslen.LIBCMT ref: 0102B608
_wcslen.LIBCMT ref: 0102B64D
_wcslen.LIBCMT ref: 0102B68C
_wcslen.LIBCMT ref: 0102B6C7

Strings

APPEND, xrefs: 0102B6C1, 0102B6C6
KEYS, xrefs: 0102B647, 0102B64C
REMOVE, xrefs: 0102B602, 0102B607
EXISTS, xrefs: 0102B686, 0102B68B

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: eddc8079df35a4f65573129da4e551c06014d36cacaf2cf365a290b480076fe1
Instruction ID: 9fc4f7925e3779ed4af598f984ee0832a66ed6f7d97ba778ebb8645af04a2c0a
Opcode Fuzzy Hash: eddc8079df35a4f65573129da4e551c06014d36cacaf2cf365a290b480076fe1
Instruction Fuzzy Hash: 81412832A000378BCB306F7DCC945BE7BE5BF64654B1441A9E4E2D7281F639C981C390

Function 01035393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 010353A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 01035416
GetLastError.KERNEL32 ref: 01035420
SetErrorMode.KERNEL32(00000000,READY), ref: 010354A7

Strings

READONLY, xrefs: 01035452
NOTREADY, xrefs: 0103544B
READY, xrefs: 01035460, 01035468
UNKNOWN, xrefs: 01035444
INVALID, xrefs: 01035459

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: be03311f28779749e681470ab5832616e8086f68ae357d4b8c83d3d47e095870
Instruction ID: 48a6e9eba586b5d85854089bf24d31fec6088fbeca3d9e0d218ca3612a31a93a
Opcode Fuzzy Hash: be03311f28779749e681470ab5832616e8086f68ae357d4b8c83d3d47e095870
Instruction Fuzzy Hash: A431D335A002059FD715DF68C985FAA7BF8FF85309F048099E585CB2A2DB76DD42CB90

Function 01053C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 01053C79
SetMenu.USER32(?,00000000), ref: 01053C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 01053D10
IsMenu.USER32(?), ref: 01053D24
CreatePopupMenu.USER32 ref: 01053D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 01053D5B
DrawMenuBar.USER32 ref: 01053D63

Strings

F, xrefs: 01053D4E
0, xrefs: 01053C54

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: 47a6b2d5e9c34c4fcebc555a98073588d209fa25a8ec9b57f5dbb809fb9dc1d8
Instruction ID: 04148d6fe2c16363409217409e7db863d892b44cec3c7b792229cf55a485de64
Opcode Fuzzy Hash: 47a6b2d5e9c34c4fcebc555a98073588d209fa25a8ec9b57f5dbb809fb9dc1d8
Instruction Fuzzy Hash: 7E415C75A01309AFEB64DF94E944B9A7BF9FF49354F040068EE869B350D735A910CB60

Function 01021FC0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FC9CB3: _wcslen.LIBCMT ref: 00FC9CBD

Part of subcall function 01023CA7: GetClassNameW.USER32(?,?,000000FF), ref: 01023CCA

SendMessageW.USER32(?,00000186,00020000,00000000), ref: 01022043
GetDlgCtrlID.USER32 ref: 0102204E
GetParent.USER32 ref: 0102206A
SendMessageW.USER32(00000000,?,00000111,?), ref: 0102206D
GetDlgCtrlID.USER32(?), ref: 01022076
GetParent.USER32(?), ref: 0102208A
SendMessageW.USER32(00000000,?,00000111,?), ref: 0102208D

Strings

ListBox, xrefs: 01022002
ComboBox, xrefs: 01021FCD

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 1689a49dae17cfe0a41bf7dd0f4065c3a631c553495322c69504265e0b0266eb
Instruction ID: 781f48905ad5444b4773d9e201d680c6d42f80b03759ee0b3ed33c0bba8f35cc
Opcode Fuzzy Hash: 1689a49dae17cfe0a41bf7dd0f4065c3a631c553495322c69504265e0b0266eb
Instruction Fuzzy Hash: 0221CF71900228BBDF10AFA4CD89EEEBFB9EF19300F000459F991A7192CA7D5518DB60

Function 01053A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 01053A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 01053AA0
GetWindowLongW.USER32(?,000000F0), ref: 01053AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 01053AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 01053B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 01053BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 01053BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 01053BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 01053BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 01053C13

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: c1315efd01d67d187dd1626155eb5d4e423ad0221aba4eaff9d7f1f8f95b7e45
Instruction ID: 3ef2263a9acbe68eb9d8ddf8d6e44f88fc32209227154796f8623ba1fd012a63
Opcode Fuzzy Hash: c1315efd01d67d187dd1626155eb5d4e423ad0221aba4eaff9d7f1f8f95b7e45
Instruction Fuzzy Hash: 3A617D75A00249AFEB21DF68CC81EEE77F8FB09710F100199FA55EB291D774A941DB50

Function 0102B12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0102B151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,0102A1E1,?,00000001), ref: 0102B165
GetWindowThreadProcessId.USER32(00000000), ref: 0102B16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0102A1E1,?,00000001), ref: 0102B17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 0102B18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,0102A1E1,?,00000001), ref: 0102B1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0102A1E1,?,00000001), ref: 0102B1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,0102A1E1,?,00000001), ref: 0102B1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,0102A1E1,?,00000001), ref: 0102B212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,0102A1E1,?,00000001), ref: 0102B21D

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: aeaaa9867708ce28470e54b8da47532f259a0a1bc3a227c6c344c2930c0078c7
Instruction ID: f84d306012f31faf402c357ace7f3b8cf80ed2afd664db6efed98c31cc15b807
Opcode Fuzzy Hash: aeaaa9867708ce28470e54b8da47532f259a0a1bc3a227c6c344c2930c0078c7
Instruction Fuzzy Hash: C431DB71110314BFEB259F28D868B7E7BEDFB86311F104005FA84DA185C7BAA940CF20

Function 00FF2C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00FF2C94

Part of subcall function 00FF29C8: HeapFree.KERNEL32(00000000,00000000,?,00FFD7D1,00000000,00000000,00000000,00000000,?,00FFD7F8,00000000,00000007,00000000,?,00FFDBF5,00000000), ref: 00FF29DE
Part of subcall function 00FF29C8: GetLastError.KERNEL32(00000000,?,00FFD7D1,00000000,00000000,00000000,00000000,?,00FFD7F8,00000000,00000007,00000000,?,00FFDBF5,00000000,00000000), ref: 00FF29F0

_free.LIBCMT ref: 00FF2CA0
_free.LIBCMT ref: 00FF2CAB
_free.LIBCMT ref: 00FF2CB6
_free.LIBCMT ref: 00FF2CC1
_free.LIBCMT ref: 00FF2CCC
_free.LIBCMT ref: 00FF2CD7
_free.LIBCMT ref: 00FF2CE2
_free.LIBCMT ref: 00FF2CED
_free.LIBCMT ref: 00FF2CFB

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 19b1341ee5d380043d2940f5b5c260b134748e32f740a98fb95b9dd47378e0f4
Instruction ID: c11759ee45280e5e052465ff94ef05542455bbcebb6c2302b63b8f459a96020c
Opcode Fuzzy Hash: 19b1341ee5d380043d2940f5b5c260b134748e32f740a98fb95b9dd47378e0f4
Instruction Fuzzy Hash: DA11947654010DAFCB52EF58DC82CED3BB5BF05350F414495FA485B232D675EA50BB90

Function 00FC1410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00FC1459
OleUninitialize.OLE32(?,00000000), ref: 00FC14F8
UnregisterHotKey.USER32(?), ref: 00FC16DD
DestroyWindow.USER32(?), ref: 010024B9
FreeLibrary.KERNEL32(?), ref: 0100251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0100254B

Strings

close all, xrefs: 00FC1454

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: a3c174c312a6c01943a00c79d0527fb766ac8b57d2052fb8f6307285641fd1d1
Instruction ID: 7c6ab1aa894dd855db04ab9ad1232f0f2f34dae87c09e1c11ba8fae486a649a4
Opcode Fuzzy Hash: a3c174c312a6c01943a00c79d0527fb766ac8b57d2052fb8f6307285641fd1d1
Instruction Fuzzy Hash: 5AD18D31701212CFEB1AEF14CA9AF29F7A4BF05710F14419DE58A6B292CB31AC26DF54

Function 01037DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 01037FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 01037FC1
GetFileAttributesW.KERNEL32(?), ref: 01037FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 01038005
SetCurrentDirectoryW.KERNEL32(?), ref: 01038017
SetCurrentDirectoryW.KERNEL32(?), ref: 01038060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 010380B0

Strings

*.*, xrefs: 01038066

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: 7782e9c6ea9f09919c9d5652bbc570df94bb92c7ea881982eb9053917055e682
Instruction ID: 774cfb945afbeb9c08ce29ca94f7de0805d82a5f62e389e237269fbd9b8dcc67
Opcode Fuzzy Hash: 7782e9c6ea9f09919c9d5652bbc570df94bb92c7ea881982eb9053917055e682
Instruction Fuzzy Hash: AF819EB25043419BDB64EF18C884AAEB7ECBBC8310F14885EF9C5D7251E735D9458BA2

Function 00FC5BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00FC5C7A

Part of subcall function 00FC5D0A: GetClientRect.USER32(?,?), ref: 00FC5D30
Part of subcall function 00FC5D0A: GetWindowRect.USER32(?,?), ref: 00FC5D71
Part of subcall function 00FC5D0A: ScreenToClient.USER32(?,?), ref: 00FC5D99

GetDC.USER32 ref: 010046F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 01004708
SelectObject.GDI32(00000000,00000000), ref: 01004716
SelectObject.GDI32(00000000,00000000), ref: 0100472B
ReleaseDC.USER32(?,00000000), ref: 01004733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 010047C4

Strings

U, xrefs: 01004693

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 3f235b8d1ae84e7bfb76770ce67b26c12644e073720c0e0bd57cd14d8d87f1d3
Instruction ID: f7b82be1c8d0baea46e4b1d235d77a4be5f6376b5aea324bcc95dbbd71f7d638
Opcode Fuzzy Hash: 3f235b8d1ae84e7bfb76770ce67b26c12644e073720c0e0bd57cd14d8d87f1d3
Instruction Fuzzy Hash: 4B71F331500206DFEF22CF68CA85EFA3BB5FF49360F1402A9EE959A196C3319881DF50

Function 0103359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 010335E4

Part of subcall function 00FC9CB3: _wcslen.LIBCMT ref: 00FC9CBD

LoadStringW.USER32(01092390,?,00000FFF,?), ref: 0103360A

Strings

Error: , xrefs: 010336EF
^ ERROR, xrefs: 010336C9
"%s" (%d) : ==> %s:%s%s, xrefs: 01033724
"%s" (%d) : ==> %s:, xrefs: 01033742
Line %d (File "%s"):, xrefs: 0103366B

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: 0e6faf2606d1243ef1f4454aae77e6d58f404298c078e62abb5f885a8d2f5317
Instruction ID: 6d85711dc951cd5b38fd62c8ff3765965d9f15136e774fb8bc3af3769a6bbf56
Opcode Fuzzy Hash: 0e6faf2606d1243ef1f4454aae77e6d58f404298c078e62abb5f885a8d2f5317
Instruction Fuzzy Hash: 5A51B031D0421BBADF15EBA0CD86EEEBB79BF14340F048129F14576191DB351A98EF60

Function 01058B02 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FD9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00FD9BB2

Part of subcall function 00FD912D: GetCursorPos.USER32(?), ref: 00FD9141
Part of subcall function 00FD912D: ScreenToClient.USER32(00000000,?), ref: 00FD915E
Part of subcall function 00FD912D: GetAsyncKeyState.USER32(00000001), ref: 00FD9183
Part of subcall function 00FD912D: GetAsyncKeyState.USER32(00000002), ref: 00FD919D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 01058B6B
ImageList_EndDrag.COMCTL32 ref: 01058B71
ReleaseCapture.USER32 ref: 01058B77
SetWindowTextW.USER32(?,00000000), ref: 01058C12
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 01058C25
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 01058CFF

Strings

@GUI_DROPID, xrefs: 01058C51
@GUI_DRAGFILE, xrefs: 01058C9A

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 1924731296-2107944366
Opcode ID: ae1c52b4e1cd4a0af6e4fd444d9ca288b684ad23cd61d86a42e1ef1920b7f88a
Instruction ID: 76f1734b0c0b372f2b2a82ac981d535890bf75e18d6037a4aaf0d9bf7bc13ea8
Opcode Fuzzy Hash: ae1c52b4e1cd4a0af6e4fd444d9ca288b684ad23cd61d86a42e1ef1920b7f88a
Instruction Fuzzy Hash: 9B51AD70208305AFE750DF24CD5AFAB7BE8FB88714F00061DF99697291CB75A944DB62

Function 0103C253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0103C272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0103C29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0103C2CA
GetLastError.KERNEL32 ref: 0103C322
SetEvent.KERNEL32(?), ref: 0103C336
InternetCloseHandle.WININET(00000000), ref: 0103C341

Strings

, xrefs: 0103C2BB

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 1b0e70776f08aa077303c57a24a367bdc5451ad2e60db9ac715331a1da40e547
Instruction ID: 48811ce6ca4e22ef835c42542d3977be037ffddce4915a8f7fe0ccbfa99a557c
Opcode Fuzzy Hash: 1b0e70776f08aa077303c57a24a367bdc5451ad2e60db9ac715331a1da40e547
Instruction Fuzzy Hash: 1F318271600308AFF7319F65CA84AAF7BFCEB89644B04851EF4C6E3200DB35DA058B61

Function 0102989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,01003AAF,?,?,Bad directive syntax error,0105CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 010298BC
LoadStringW.USER32(00000000,?,01003AAF,?), ref: 010298C3

Part of subcall function 00FC9CB3: _wcslen.LIBCMT ref: 00FC9CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 01029987

Strings

., xrefs: 0102996D
Line %d:, xrefs: 01029912
Error: , xrefs: 01029955
Line %d (File "%s"):, xrefs: 0102992D
%s (%d) : ==> %s.: %s %s, xrefs: 010298F1

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: 25206b2f5672494f889329f96be01fbb59dd700bdacf85c1714736d02d23898d
Instruction ID: 25f2a527efb01c5154c6763193a25110809c81239e310b1d0403bc8730685b40
Opcode Fuzzy Hash: 25206b2f5672494f889329f96be01fbb59dd700bdacf85c1714736d02d23898d
Instruction Fuzzy Hash: AB217C3190422BABDF11AF90CD0AEEE7779BF18304F04446AF55566092EB769618DB10

Function 0102209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 010220AB
GetClassNameW.USER32(00000000,?,00000100), ref: 010220C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0102214D

Strings

details, xrefs: 010220FB
list, xrefs: 0102212F
smallicons, xrefs: 01022115
SHELLDLL_DefView, xrefs: 010220CC
largeicons, xrefs: 010220E1

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: 2f45e85075fc0931fbeff21bf132dc53e357297958735a3f261d7e58e69432c6
Instruction ID: 6ca7ee579840d137d27b49355c0c767cc06e992f3138d99a69aafc2adfac9f93
Opcode Fuzzy Hash: 2f45e85075fc0931fbeff21bf132dc53e357297958735a3f261d7e58e69432c6
Instruction Fuzzy Hash: B3110A7E688316B9F71135A5DC06DEB37DCDF24724B20016AFBC4A9092FE6968116A18

Function 00FF8D45 Relevance: 13.8, APIs: 9, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14597e59a0fd2d33f3a43a76b6f0b91e6c1b4472684cd821a9139090ada769d0
Instruction ID: 17ac4573dbd4a8b49f2a0bf3f7d1f83dcac98538d7c4c57fb1491463f07f1dd5
Opcode Fuzzy Hash: 14597e59a0fd2d33f3a43a76b6f0b91e6c1b4472684cd821a9139090ada769d0
Instruction Fuzzy Hash: DDC1F775D0824DAFDB11DFA8D841BBD7BB4BF09320F044099F654A73A2CB758941EB61

Function 00FFCE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 00FFCEB7
_free.LIBCMT ref: 00FFCF22
_free.LIBCMT ref: 00FFCF48
_free.LIBCMT ref: 00FFCF71
_free.LIBCMT ref: 00FFCFA9
_free.LIBCMT ref: 00FFCFDA
_free.LIBCMT ref: 00FFD01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 00FFD09C
_free.LIBCMT ref: 00FFD0B5

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: a2647b6f26e1cd0569072d3cb61d4d53564c42d212751d50a1c967c6bd45bf04
Instruction ID: d022b358697606af2772dc40e3bbb1e0e133f3d9fb3531e622e3052d56a0bcee
Opcode Fuzzy Hash: a2647b6f26e1cd0569072d3cb61d4d53564c42d212751d50a1c967c6bd45bf04
Instruction Fuzzy Hash: 63614772D0522DABDB31AF74998167EBBA9AF01320F04416DFB41972E5D73A9900B7A0

Function 00FD8B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 01016890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 010168A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 010168B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 010168D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 010168F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00FD8874,00000000,00000000,00000000,000000FF,00000000), ref: 01016901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0101691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00FD8874,00000000,00000000,00000000,000000FF,00000000), ref: 0101692D

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: 8cab751b31283e2dede9dd8a2b1aeda8fd4124e02a749d4783ae7fb62a11aa4c
Instruction ID: 11bbdc937d03782f80c8bd8da2e1c63b0bedca8f5597303306c375ce37feacc2
Opcode Fuzzy Hash: 8cab751b31283e2dede9dd8a2b1aeda8fd4124e02a749d4783ae7fb62a11aa4c
Instruction Fuzzy Hash: 1D51A170600305EFDB20CF28CC51FAA7BB6FB84360F14451AF99697290DBB5E951EB50

Function 0103C143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0103C182
GetLastError.KERNEL32 ref: 0103C195
SetEvent.KERNEL32(?), ref: 0103C1A9

Part of subcall function 0103C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0103C272
Part of subcall function 0103C253: GetLastError.KERNEL32 ref: 0103C322
Part of subcall function 0103C253: SetEvent.KERNEL32(?), ref: 0103C336
Part of subcall function 0103C253: InternetCloseHandle.WININET(00000000), ref: 0103C341

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: f6e0352a39e5e653f57fc986bee02959773251396a39fdc923d6006373464bbc
Instruction ID: 5b1f618e27d04c84c56b95cd071e34ed11bd72ae17014cad035ba66ca079f3cb
Opcode Fuzzy Hash: f6e0352a39e5e653f57fc986bee02959773251396a39fdc923d6006373464bbc
Instruction Fuzzy Hash: A7318C71200745AFFB219FA9DE44A6BBBFCFF99200B04441EF99AE6604D735E414DBA0

Function 010225A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 01023A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 01023A57
Part of subcall function 01023A3D: GetCurrentThreadId.KERNEL32 ref: 01023A5E
Part of subcall function 01023A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,010225B3), ref: 01023A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 010225BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 010225DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 010225DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 010225E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 01022601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 01022605
MapVirtualKeyW.USER32(00000025,00000000), ref: 0102260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 01022623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 01022627

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 97aae6be61dfcb4e7ebcb30617c04c8addf2205ede54d7e8f4610b8f359e7ea5
Instruction ID: 323a42cda52609bb6bfb8179a5f4ec3677e86790daec4cedc132da0dc3fe99ef
Opcode Fuzzy Hash: 97aae6be61dfcb4e7ebcb30617c04c8addf2205ede54d7e8f4610b8f359e7ea5
Instruction Fuzzy Hash: 3501D831790320BBFB2066689C8AF5A3F9DDB4EB11F100011F398AE1C4C9F624448A69

Function 01021803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,01021449,?,?,00000000), ref: 0102180C
HeapAlloc.KERNEL32(00000000,?,01021449,?,?,00000000), ref: 01021813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,01021449,?,?,00000000), ref: 01021828
GetCurrentProcess.KERNEL32(?,00000000,?,01021449,?,?,00000000), ref: 01021830
DuplicateHandle.KERNEL32(00000000,?,01021449,?,?,00000000), ref: 01021833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,01021449,?,?,00000000), ref: 01021843
GetCurrentProcess.KERNEL32(01021449,00000000,?,01021449,?,?,00000000), ref: 0102184B
DuplicateHandle.KERNEL32(00000000,?,01021449,?,?,00000000), ref: 0102184E
CreateThread.KERNEL32(00000000,00000000,01021874,00000000,00000000,00000000), ref: 01021868

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 9fce01b3726a50a5744a3818ab667b120d865c644b8f4f97b45900891fef21be
Instruction ID: 8d364d6dd7cadcd09232f5efe679a8422e67878fb5012f47330c03beec6fb9f6
Opcode Fuzzy Hash: 9fce01b3726a50a5744a3818ab667b120d865c644b8f4f97b45900891fef21be
Instruction Fuzzy Hash: 4901BBB5640308BFF720ABB5DD4DF6B7BACEB8AB11F004411FA45DB195CA759840CB24

Function 0104A0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 0102D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 0102D501
Part of subcall function 0102D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 0102D50F
Part of subcall function 0102D4DC: CloseHandle.KERNEL32(00000000), ref: 0102D5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0104A16D
GetLastError.KERNEL32 ref: 0104A180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0104A1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 0104A268
GetLastError.KERNEL32(00000000), ref: 0104A273
CloseHandle.KERNEL32(00000000), ref: 0104A2C4

Strings

SeDebugPrivilege, xrefs: 0104A18F

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 2ad0385e4334a39e509b5edc3c56f833a621ccc0db0fb6e4707b50a71034dcc2
Instruction ID: 48fca4bb565c42aa1d6958c5d9d20eb1204a153d9f87e090f53971d5292d605e
Opcode Fuzzy Hash: 2ad0385e4334a39e509b5edc3c56f833a621ccc0db0fb6e4707b50a71034dcc2
Instruction Fuzzy Hash: 2461CE70248242EFE720DF18C5D4F1ABBE5AF44318F18849CE4A68B7A3C776E945CB91

Function 01053886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 01053925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 0105393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 01053954
_wcslen.LIBCMT ref: 01053999
SendMessageW.USER32(?,00001057,00000000,?), ref: 010539C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 010539F4

Strings

SysListView32, xrefs: 010538F7

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: 71fc773a26352faeb3fcc048507b5997d094a1ea9e4af97972b031220567ed4c
Instruction ID: 9c35a0fbef4de49a094d20ac5a6706439e454b1f04fff4cb1dcb348baf026cb2
Opcode Fuzzy Hash: 71fc773a26352faeb3fcc048507b5997d094a1ea9e4af97972b031220567ed4c
Instruction Fuzzy Hash: AD419571A00319ABEF619F64CC45BEF7BA9FF08390F10056AF994EB281D7759980CB90

Function 0102BC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0102BCFD
IsMenu.USER32(00000000), ref: 0102BD1D
CreatePopupMenu.USER32 ref: 0102BD53
GetMenuItemCount.USER32(01AF5660), ref: 0102BDA4
InsertMenuItemW.USER32(01AF5660,?,00000001,00000030), ref: 0102BDCC

Strings

0, xrefs: 0102BCA8
2, xrefs: 0102BD37

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: 032592f6ff76553866af90eb4fad8fa0ab55d6e04dd31c2a8bc6dc87a4dcd636
Instruction ID: 8a8e04986d0e455715629c8a09ae17dc54ae20e3e4063c45577023371c7aadde
Opcode Fuzzy Hash: 032592f6ff76553866af90eb4fad8fa0ab55d6e04dd31c2a8bc6dc87a4dcd636
Instruction Fuzzy Hash: 1651D1706003299BEF21EFACC984BEEBFF8BF45314F14419AE5919B291E7709941CB52

Function 0102C874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 0102C913

Strings

info, xrefs: 0102C8B4
warning, xrefs: 0102C8FC
stop, xrefs: 0102C8E4
blank, xrefs: 0102C895
question, xrefs: 0102C8CC

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 58d7b6b527a57cb2820812f42a9d7e009c096e21f1796b6daf798ee0dafa91bd
Instruction ID: 8e1a89db48e3a874dcec79b44020ab7de005fc20e6c5a6c198def6c1ab4f2d2d
Opcode Fuzzy Hash: 58d7b6b527a57cb2820812f42a9d7e009c096e21f1796b6daf798ee0dafa91bd
Instruction Fuzzy Hash: D7113D31789357BAF7016B599D83CAE37DCDF05730B10007EF584AA182E7F96E0062A8

Function 0102DE27 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 0102DE42
gethostname.WSOCK32(?,00000100), ref: 0102DE5C
gethostbyname.WSOCK32(?), ref: 0102DE69
inet_ntoa.WSOCK32(?), ref: 0102DEAB
_strcat.LIBCMT ref: 0102DEB9
WSACleanup.WSOCK32 ref: 0102DEDE

Strings

0.0.0.0, xrefs: 0102DE87

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: 339affa41d25d86f4aafdde9f0f6a05bdf48d663ddff5e0ef02fcff873e83e22
Instruction ID: 784317da60bfddd55f350039bebe27480662c81083677083a66d722db74c1b70
Opcode Fuzzy Hash: 339affa41d25d86f4aafdde9f0f6a05bdf48d663ddff5e0ef02fcff873e83e22
Instruction Fuzzy Hash: 2311E771904319ABEB30BB659C09DEF77ACDF14710F0401A9F5C5A6041EF799A819760

Function 01059F86 Relevance: 12.3, APIs: 8, Instructions: 260windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FD9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00FD9BB2

GetSystemMetrics.USER32(0000000F), ref: 01059FC7
GetSystemMetrics.USER32(0000000F), ref: 01059FE7
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 0105A224
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0105A242
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0105A263
ShowWindow.USER32(00000003,00000000), ref: 0105A282
InvalidateRect.USER32(?,00000000,00000001), ref: 0105A2A7
DefDlgProcW.USER32(?,00000005,?,?), ref: 0105A2CA

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: e5914ea7ddebbd0e20383ea0e8c5e24bcea0f09f28b16ea164d33d604fe02c5c
Instruction ID: b4722747d52ee339bc6092f67254f661c3f6b849ae62d2550f86313c52691653
Opcode Fuzzy Hash: e5914ea7ddebbd0e20383ea0e8c5e24bcea0f09f28b16ea164d33d604fe02c5c
Instruction Fuzzy Hash: 53B17C31600219DBEF94CF6CC9857AE7BF2FF48751F0881A9ED859B289D735A940CB60

Function 0102ED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 0102ED2A
_wcslen.LIBCMT ref: 0102ED3B
_wcslen.LIBCMT ref: 0102ED79
_wcslen.LIBCMT ref: 0102EDAF
_wcslen.LIBCMT ref: 0102EDDF
_wcslen.LIBCMT ref: 0102EDEF
_wcslen.LIBCMT ref: 0102EE2B
_wcslen.LIBCMT ref: 0102EE5A

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: 5aef371500f81fcf66b88923c6fd3ac6a14b5f58c926128b6ffd89562d613e15
Instruction ID: cd3b670ec017e3d2cd4ee77eebb44f4918bc2dd9bb0627f3a128e369998b659b
Opcode Fuzzy Hash: 5aef371500f81fcf66b88923c6fd3ac6a14b5f58c926128b6ffd89562d613e15
Instruction Fuzzy Hash: 9E41C365C1026875CB11EBF5CC8A9CFB7A8AF45310F408466E618F3122FB38E245D3E6

Function 00FDF8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0101682C,00000004,00000000,00000000), ref: 00FDF953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,0101682C,00000004,00000000,00000000), ref: 0101F3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0101682C,00000004,00000000,00000000), ref: 0101F454

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 10be42dfbc0d2bff610dadd5dedad31f141ac1cda44bb2c626e9d162c2f6f0c5
Instruction ID: be2267c059f3dfc12497d53c7fd7bd2b09b13c9145793260495ae6dad4473b3b
Opcode Fuzzy Hash: 10be42dfbc0d2bff610dadd5dedad31f141ac1cda44bb2c626e9d162c2f6f0c5
Instruction Fuzzy Hash: BA412F31E08781BBD7358B2DCDA8F2A7B97BB45324F0C402EE1C756758C67A9488E712

Function 01052D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 01052D1B
GetDC.USER32(00000000), ref: 01052D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 01052D2E
ReleaseDC.USER32(00000000,00000000), ref: 01052D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 01052D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 01052D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,01055A65,?,?,000000FF,00000000,?,000000FF,?), ref: 01052DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 01052DE1

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: d2f58566900b3763015d9747563e1baaeaf283b1c86878ffd2d122e00c44211f
Instruction ID: a0fd4a8ae3251f9bf3310243cd61408583d61002e8e5f086aecf790648640c4a
Opcode Fuzzy Hash: d2f58566900b3763015d9747563e1baaeaf283b1c86878ffd2d122e00c44211f
Instruction Fuzzy Hash: 79316B72201314BBFB618F548D89FEB3FADEF09715F044055FE889A285C67A9850CBB4

Function 01025622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 01025637
_memcmp.LIBVCRUNTIME ref: 01025659
_memcmp.LIBVCRUNTIME ref: 01025671
_memcmp.LIBVCRUNTIME ref: 01025684
_memcmp.LIBVCRUNTIME ref: 0102569E
_memcmp.LIBVCRUNTIME ref: 010256B1
_memcmp.LIBVCRUNTIME ref: 010256C9
_memcmp.LIBVCRUNTIME ref: 010256E4

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 7178dc44c79759bf173765fcf89abaf8a0b8a45c863a877237b883b16514a8b6
Instruction ID: 1b1812e248ba600f2f477009d07f8e785921e87ce475585c71f00493e155dea5
Opcode Fuzzy Hash: 7178dc44c79759bf173765fcf89abaf8a0b8a45c863a877237b883b16514a8b6
Instruction Fuzzy Hash: 1621C271A4126ABBA26496276E86FFB339CBE14384F040024FE849B641F738ED1081A9

Function 01044FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 01045007
NULL Pointer assignment, xrefs: 0104502E, 01045383

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 031fbacd2f3e09278f7d61916f76887f1cff481db0d85fc67dc0fb0000423421
Instruction ID: 80b2b611d0bab77dd71aae9f789d97faea32cc175846759567541ce28bca34ae
Opcode Fuzzy Hash: 031fbacd2f3e09278f7d61916f76887f1cff481db0d85fc67dc0fb0000423421
Instruction Fuzzy Hash: D4D171B5A0020AAFDF10DF98CCC0AAEBBF5BF48314F1484B9E955AB291E771D945CB50

Function 01001522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,010017FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 010015CE
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,010017FB,00000000,00000000,?,00000000,?,?,?,?), ref: 01001651
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,010017FB,?,010017FB,00000000,00000000,?,00000000,?,?,?,?), ref: 010016E4
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,010017FB,00000000,00000000,?,00000000,?,?,?,?), ref: 010016FB

Part of subcall function 00FF3820: RtlAllocateHeap.NTDLL(00000000,?,01091444,?,00FDFDF5,?,?,00FCA976,00000010,01091440,00FC13FC,?,00FC13C6,?,00FC1129), ref: 00FF3852

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,010017FB,00000000,00000000,?,00000000,?,?,?,?), ref: 01001777
__freea.LIBCMT ref: 010017A2
__freea.LIBCMT ref: 010017AE

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: 41fe0f0ead9c033af42afc9da49b04b04329d2b2242971a2bc5edf9aa1af2e99
Instruction ID: 0ef39a0bcf21ac7225295c77445786635df3057151423361b051f47cbd068ea8
Opcode Fuzzy Hash: 41fe0f0ead9c033af42afc9da49b04b04329d2b2242971a2bc5edf9aa1af2e99
Instruction Fuzzy Hash: AB91C971E042169EFB228E78CC81AFE7BF5AF49310F184599E985EB1C0D736D940C7A0

Function 01044523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 01044648
VariantInit.OLEAUT32(?), ref: 01044749
VariantClear.OLEAUT32(?), ref: 01044753
VariantClear.OLEAUT32(?), ref: 010447B0

Strings

Null Object assignment in FOR..IN loop, xrefs: 010445D8, 01044706, 010447BE
Incorrect Object type in FOR..IN loop, xrefs: 0104472C

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 15ea1e5664f69e827f69e4f84e990a4a52995401a4e63dc90291a2d1d5c624da
Instruction ID: ac89dcf5554bd51aa06d12c8360e184950356fc9e0070afb1537bc29e4144514
Opcode Fuzzy Hash: 15ea1e5664f69e827f69e4f84e990a4a52995401a4e63dc90291a2d1d5c624da
Instruction Fuzzy Hash: 05916DB1A00219EBDF20CFA5C884FAEBBB8FF45714F108569E595EB281D7709945CFA0

Function 01031187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 0103125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 01031284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 010312A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 010312D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 0103135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 010313C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 01031430

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: fd5fd3c78a26f79b1a1f4543825638d8bb8915ebfa0d49f20a05b875c75a582c
Instruction ID: a220e1a2110e169b4b91a5c9571df80a5c11404d249e8e258626f621a063c77d
Opcode Fuzzy Hash: fd5fd3c78a26f79b1a1f4543825638d8bb8915ebfa0d49f20a05b875c75a582c
Instruction Fuzzy Hash: B291C4719003099FEB00DF98C884BFE7BB9FF89315F144069E591E7291DB79A941CB90

Function 00FD948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: c056724ca39866bcccba324523fc0d162fa939d6fae4446f01f843c7d748db30
Instruction ID: 21371f97ec9320ecff31838538254874637765d811a701f8beebfaff822e7fc8
Opcode Fuzzy Hash: c056724ca39866bcccba324523fc0d162fa939d6fae4446f01f843c7d748db30
Instruction Fuzzy Hash: 71915971D04209AFCB10CFE9CC84AEEBBB9FF49320F18845AE515B7255D379A941DB60

Function 01043947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0104396B
CharUpperBuffW.USER32(?,?), ref: 01043A7A
_wcslen.LIBCMT ref: 01043A8A
VariantClear.OLEAUT32(?), ref: 01043C1F

Part of subcall function 01030CDF: VariantInit.OLEAUT32(00000000), ref: 01030D1F
Part of subcall function 01030CDF: VariantCopy.OLEAUT32(?,?), ref: 01030D28
Part of subcall function 01030CDF: VariantClear.OLEAUT32(?), ref: 01030D34

Strings

Incorrect Parameter format, xrefs: 010439A6, 01043BA1
AUTOIT.ERROR, xrefs: 01043A80, 01043A85

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: fc60985956940e0bcaa4ab868d3b4a868ff52ad2fd9801146a0cddda1e7a8ff9
Instruction ID: 9c43d12a0d923884d7b2271afc15dea901fae87ffb4308d34d92575152ff717c
Opcode Fuzzy Hash: fc60985956940e0bcaa4ab868d3b4a868ff52ad2fd9801146a0cddda1e7a8ff9
Instruction Fuzzy Hash: 3A9169B4A083059FC704EF28C58196ABBE5FF88314F04886DF98A9B351DB35ED05CB92

Function 01044BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 0102000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0101FF41,80070057,?,?,?,0102035E), ref: 0102002B
Part of subcall function 0102000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0101FF41,80070057,?,?), ref: 01020046
Part of subcall function 0102000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0101FF41,80070057,?,?), ref: 01020054
Part of subcall function 0102000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0101FF41,80070057,?), ref: 01020064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 01044C51
_wcslen.LIBCMT ref: 01044D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 01044DCF
CoTaskMemFree.OLE32(?), ref: 01044DDA

Strings

NULL Pointer assignment, xrefs: 01044E23, 01044E52

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: 6aa9cd856bb0a04b7ed203fb862c3276e5b9c9dfd5105f9469e5718aa6f5a0ad
Instruction ID: d77a575598807d5c8e1bf439c2cb7b95234b179cc1dd36e464274dbec64d597b
Opcode Fuzzy Hash: 6aa9cd856bb0a04b7ed203fb862c3276e5b9c9dfd5105f9469e5718aa6f5a0ad
Instruction Fuzzy Hash: 219116B1D0021DAFDF24DFA4CC91EEEBBB8BF08314F104169E955A7241DB749A448F60

Function 010520FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 01052183
GetMenuItemCount.USER32(00000000), ref: 010521B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 010521DD
_wcslen.LIBCMT ref: 01052213
GetMenuItemID.USER32(?,?), ref: 0105224D
GetSubMenu.USER32(?,?), ref: 0105225B

Part of subcall function 01023A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 01023A57
Part of subcall function 01023A3D: GetCurrentThreadId.KERNEL32 ref: 01023A5E
Part of subcall function 01023A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,010225B3), ref: 01023A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 010522E3

Part of subcall function 0102E97B: Sleep.KERNELBASE ref: 0102E9F3

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: 0ad8b446ba8e4a3c6813c8a7947e29d6f788ed0f9659d4cf8dcfece445fbf637
Instruction ID: 3ce57a922eca48220be17eb98896b0f7160ee81d54144a072f3bc6544d1c8876
Opcode Fuzzy Hash: 0ad8b446ba8e4a3c6813c8a7947e29d6f788ed0f9659d4cf8dcfece445fbf637
Instruction Fuzzy Hash: DF718079A00205EFCB50DF68C945AAFBBF5EF48350F148499E956EB341D738E941CB90

Function 01057E9E Relevance: 10.7, APIs: 7, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(01AF5688), ref: 01057F37
IsWindowEnabled.USER32(01AF5688), ref: 01057F43
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 0105801E
SendMessageW.USER32(01AF5688,000000B0,?,?), ref: 01058051
IsDlgButtonChecked.USER32(?,?), ref: 01058089
GetWindowLongW.USER32(01AF5688,000000EC), ref: 010580AB
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 010580C3

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 05c1f238c15229d55b6313a8b724b69d2381bd51de946ba85167edbd709c8b7b
Instruction ID: 146e43f2bc98a1b03c4d4bd81f416d98f30121885eae8e92ac7aca06f3659c0f
Opcode Fuzzy Hash: 05c1f238c15229d55b6313a8b724b69d2381bd51de946ba85167edbd709c8b7b
Instruction Fuzzy Hash: C3717E34604205AFEBA1DF58C894FEBBBF9EF09300F54449AEEC597251C732A940EB20

Function 0102AEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0102AEF9
GetKeyboardState.USER32(?), ref: 0102AF0E
SetKeyboardState.USER32(?), ref: 0102AF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 0102AF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 0102AFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 0102AFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 0102B020

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 234bfe5fe8380f45904b05cf7b9cf1daacd7ac0a9a3a03b52c4c79a23d813984
Instruction ID: 024ebdc7c23a0201df5d682c4a3152b71a37ef41e6ee50693691bd13be7e2b30
Opcode Fuzzy Hash: 234bfe5fe8380f45904b05cf7b9cf1daacd7ac0a9a3a03b52c4c79a23d813984
Instruction Fuzzy Hash: A451D3A06047E57DFB7742788845BBABFE95B06304F0884C9F2E9568C3D69DA8C8D760

Function 0102ACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 0102AD19
GetKeyboardState.USER32(?), ref: 0102AD2E
SetKeyboardState.USER32(?), ref: 0102AD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 0102ADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 0102ADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 0102AE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 0102AE38

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 3b50296a5abc039d6caf14e26b238f5a0ae39bf989178220108fef8cbe7e17cd
Instruction ID: f41307ece1156cc5ff96f970d84a89639e083c2dd257652de2495009d8a7cdf2
Opcode Fuzzy Hash: 3b50296a5abc039d6caf14e26b238f5a0ae39bf989178220108fef8cbe7e17cd
Instruction Fuzzy Hash: A351D6A16047F57EFB3792388C55BBABED85B46300F0884C8E2D657CC3DA94E889D760

Function 00FF542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(01003CD6,?,?,?,?,?,?,?,?,00FF5BA3,?,?,01003CD6,?,?), ref: 00FF5470
__fassign.LIBCMT ref: 00FF54EB
__fassign.LIBCMT ref: 00FF5506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,01003CD6,00000005,00000000,00000000), ref: 00FF552C
WriteFile.KERNEL32(?,01003CD6,00000000,00FF5BA3,00000000,?,?,?,?,?,?,?,?,?,00FF5BA3,?), ref: 00FF554B
WriteFile.KERNEL32(?,?,00000001,00FF5BA3,00000000,?,?,?,?,?,?,?,?,?,00FF5BA3,?), ref: 00FF5584

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 09ddde60377197e679aacacb425d96092c12fd97b5669ffeef4446c2eb6f451e
Instruction ID: 6ebd66f48d67a48cf05a9370c2d360ead33936e95e0e457a541f10c9caa01604
Opcode Fuzzy Hash: 09ddde60377197e679aacacb425d96092c12fd97b5669ffeef4446c2eb6f451e
Instruction Fuzzy Hash: E551C3B1D007499FDB20CFA8D855AEEBBF9EF09710F18411AF655E72A1D7309A41CB60

Function 00FE2D20 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00FE2D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00FE2D53
_ValidateLocalCookies.LIBCMT ref: 00FE2DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00FE2E0C
_ValidateLocalCookies.LIBCMT ref: 00FE2E61

Strings

csm, xrefs: 00FE2DF6

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 824f54a0b3170f3b42a29db578f8d99b4d210fb8f4b6e54c42a81283c284f03e
Instruction ID: 980e30fc76dc22de51c3298eb83a282b1591a6cda5cb5228ba5faf4b810a682f
Opcode Fuzzy Hash: 824f54a0b3170f3b42a29db578f8d99b4d210fb8f4b6e54c42a81283c284f03e
Instruction Fuzzy Hash: EA41E735E00249ABCF20DF6ACC49A9EBBB9BF44324F148155F9146B392E775DA01DBD0

Function 010410B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0104304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0104307A
Part of subcall function 0104304E: _wcslen.LIBCMT ref: 0104309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 01041112
WSAGetLastError.WSOCK32 ref: 01041121
WSAGetLastError.WSOCK32 ref: 010411C9
closesocket.WSOCK32(00000000), ref: 010411F9

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: 5d99a501d6d1642553feed984b07c6cb04daee13ccebcf4c58561ab330fe8906
Instruction ID: 0d450863020bb97fdde7721dc001742491c7d01e04d4a5d26837939badffbec9
Opcode Fuzzy Hash: 5d99a501d6d1642553feed984b07c6cb04daee13ccebcf4c58561ab330fe8906
Instruction Fuzzy Hash: D741F675600204AFEB109F28C985BAABBE9FF45324F048069FC959B295C775BD81CBE0

Function 0102CF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0102DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0102CF22,?), ref: 0102DDFD

Part of subcall function 0102DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0102CF22,?), ref: 0102DE16

lstrcmpiW.KERNEL32(?,?), ref: 0102CF45
MoveFileW.KERNEL32(?,?), ref: 0102CF7F
_wcslen.LIBCMT ref: 0102D005
_wcslen.LIBCMT ref: 0102D01B
SHFileOperationW.SHELL32(?), ref: 0102D061

Strings

\*.*, xrefs: 0102CFF3

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: 0f4f1206bf16d8418db907b39b581c6ea6ddc4b0968584d94d4a6c2f42e45f2e
Instruction ID: 5688414898bbea0a180a10835d01b389cc37ef12d627df8130ab68b88075e96f
Opcode Fuzzy Hash: 0f4f1206bf16d8418db907b39b581c6ea6ddc4b0968584d94d4a6c2f42e45f2e
Instruction Fuzzy Hash: F34128719452295FEF52EBA4DA81EDE77F8AF18380F1000E6D589EB141EA35A644CB50

Function 01052DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 01052E1C
GetWindowLongW.USER32(?,000000F0), ref: 01052E4F
GetWindowLongW.USER32(?,000000F0), ref: 01052E84
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 01052EB6
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 01052EE0
GetWindowLongW.USER32(?,000000F0), ref: 01052EF1
SetWindowLongW.USER32(?,000000F0,00000000), ref: 01052F0B

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 8d86cc4ed8457abe852cf242d27827e809daf7e69f2db55d276c260069ea3fd3
Instruction ID: 76bccba61c4628aa52693b5f63795d9ca253704de5b17014be7daeed66a17428
Opcode Fuzzy Hash: 8d86cc4ed8457abe852cf242d27827e809daf7e69f2db55d276c260069ea3fd3
Instruction Fuzzy Hash: EA31F830604251EFEBA2CF58DD84F6637E5FF59720F1501A4F9908B2A6C776B840EB51

Function 01027726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 01027769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0102778F
SysAllocString.OLEAUT32(00000000), ref: 01027792
SysAllocString.OLEAUT32(?), ref: 010277B0
SysFreeString.OLEAUT32(?), ref: 010277B9
StringFromGUID2.OLE32(?,?,00000028), ref: 010277DE
SysAllocString.OLEAUT32(?), ref: 010277EC

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: fa14d5e3a52f6b429462286b50e88784493e7cbab30159df49788da5bcd3877e
Instruction ID: 9a98645b1aa4ed39562b1fe76f06b239c37be4f77a92d1f539d45cce9428896f
Opcode Fuzzy Hash: fa14d5e3a52f6b429462286b50e88784493e7cbab30159df49788da5bcd3877e
Instruction Fuzzy Hash: 9621B076600329AFEF10DEACCC88CBB77ECFB092647048065FA45DB255DA74DC418B60

Function 010277FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 01027842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 01027868
SysAllocString.OLEAUT32(00000000), ref: 0102786B
SysAllocString.OLEAUT32 ref: 0102788C
SysFreeString.OLEAUT32 ref: 01027895
StringFromGUID2.OLE32(?,?,00000028), ref: 010278AF
SysAllocString.OLEAUT32(?), ref: 010278BD

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: adafb4d7ec3865639d3db1008121faa0475c09330b5fe903acd4cb7eff5e8b2e
Instruction ID: 5df3af677189a333bfa61c0ccc42861fee8c2374a75a5c9510912a625c709224
Opcode Fuzzy Hash: adafb4d7ec3865639d3db1008121faa0475c09330b5fe903acd4cb7eff5e8b2e
Instruction Fuzzy Hash: 2121A131604224AFEB159FACDC88DBB77ECEB093607008125F955CB295EAB4DC41CB74

Function 010305A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 010305C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 01030601

Strings

nul, xrefs: 01030639

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 76266996ae1ee7c50ba95b5db1e619693ab2887be42e0f044685e667052526f0
Instruction ID: 308e2c9878d4942387fbd0b01c8f75959240a3a12335119d46d3e33c135bbb74
Opcode Fuzzy Hash: 76266996ae1ee7c50ba95b5db1e619693ab2887be42e0f044685e667052526f0
Instruction Fuzzy Hash: 62217F755013059BEB209F6DC804A9A7BECAFC9B24F200A59F9E1E72DCD7719550DB10

Function 010304D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 010304F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0103052E

Strings

nul, xrefs: 01030567

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 622dabdefa120b6bb370741c0df7e5d4e1e7878291e2eb3a577aa7a2fda1355d
Instruction ID: 51844d149b8d3e07aac192eb9b087ef19ae5774bc8025f7d220c60337446c2f9
Opcode Fuzzy Hash: 622dabdefa120b6bb370741c0df7e5d4e1e7878291e2eb3a577aa7a2fda1355d
Instruction Fuzzy Hash: F021AB70601305EBEB208F2DD804A9B7BECAF84760F204A58F9E1D62D8D7709540CB20

Function 010540AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FC600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00FC604C
Part of subcall function 00FC600E: GetStockObject.GDI32(00000011), ref: 00FC6060
Part of subcall function 00FC600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00FC606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 01054112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0105411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0105412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 01054139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 01054145

Strings

Msctls_Progress32, xrefs: 010540E3

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: c5f55fce36b23097cf60c7d0452861bf73f645aca57f4137652a3d551ffcce35
Instruction ID: 7ab4a15ccf73bfa0533fec486c28eb5def585b5dde7dc4132665620872b699a2
Opcode Fuzzy Hash: c5f55fce36b23097cf60c7d0452861bf73f645aca57f4137652a3d551ffcce35
Instruction Fuzzy Hash: 8611B2B224021ABEEF219E65CC85EE77F9DEF08798F004111BA58E6050C6769C61DBA4

Function 00FFD7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00FFD7A3: _free.LIBCMT ref: 00FFD7CC

_free.LIBCMT ref: 00FFD82D

Part of subcall function 00FF29C8: HeapFree.KERNEL32(00000000,00000000,?,00FFD7D1,00000000,00000000,00000000,00000000,?,00FFD7F8,00000000,00000007,00000000,?,00FFDBF5,00000000), ref: 00FF29DE
Part of subcall function 00FF29C8: GetLastError.KERNEL32(00000000,?,00FFD7D1,00000000,00000000,00000000,00000000,?,00FFD7F8,00000000,00000007,00000000,?,00FFDBF5,00000000,00000000), ref: 00FF29F0

_free.LIBCMT ref: 00FFD838
_free.LIBCMT ref: 00FFD843
_free.LIBCMT ref: 00FFD897
_free.LIBCMT ref: 00FFD8A2
_free.LIBCMT ref: 00FFD8AD
_free.LIBCMT ref: 00FFD8B8

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: 9de7b4f6082d016ce59511fa0de5f8da0c18a91d7f817d19722c6b279839e9c0
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: 1C115172580B0CAAD531BFB0CC47FEB7BED6F00700F400825B399AA0B2DA69B505B650

Function 0102DA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0102DA74
LoadStringW.USER32(00000000), ref: 0102DA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0102DA91
LoadStringW.USER32(00000000), ref: 0102DA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0102DADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 0102DAB9

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: 4c1d0eeedc9440b7d5f8272c4c2ea3fde19adc5f6cb70ab192f2e3ec7340ebb5
Instruction ID: b05c91d3122f162a0875518ea9dc9c48f4ea91aa625d604b2e3cbd1633c8b0d9
Opcode Fuzzy Hash: 4c1d0eeedc9440b7d5f8272c4c2ea3fde19adc5f6cb70ab192f2e3ec7340ebb5
Instruction Fuzzy Hash: 470162F25003187FF751ABA49E89EEB376CE708305F404496F786E2041EA759E848F74

Function 0103096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(01AEE338,01AEE338), ref: 0103097B
EnterCriticalSection.KERNEL32(01AEE318,00000000), ref: 0103098D
TerminateThread.KERNEL32(?,000001F6), ref: 0103099B
WaitForSingleObject.KERNEL32(?,000003E8), ref: 010309A9
CloseHandle.KERNEL32(?), ref: 010309B8
InterlockedExchange.KERNEL32(01AEE338,000001F6), ref: 010309C8
LeaveCriticalSection.KERNEL32(01AEE318), ref: 010309CF

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 6dc5cff37530c15df33a912915050f927ae9576065552ea50cdb346a258ef332
Instruction ID: c7c822fdf70a4c5ca7e6ef8755b82e0f6e2bd127865c82af2aa914965a58ef83
Opcode Fuzzy Hash: 6dc5cff37530c15df33a912915050f927ae9576065552ea50cdb346a258ef332
Instruction Fuzzy Hash: 5FF01D31442702BBF7615B94EF88ADB7A6DFF41742F401016F24250898CB7A9465CF90

Function 01041C60 Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 01041DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 01041DE1
WSAGetLastError.WSOCK32 ref: 01041DF2
htons.WSOCK32(?,?,?,?,?), ref: 01041EDB
inet_ntoa.WSOCK32(?), ref: 01041E8C

Part of subcall function 010239E8: _strlen.LIBCMT ref: 010239F2

Part of subcall function 01043224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,0103EC0C), ref: 01043240

_strlen.LIBCMT ref: 01041F35

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: 3c7136984471086bce42bdc6ce9c6f874c0107b1f40d44fcecee4edd72327566
Instruction ID: 6d6fb260d99fa20f5f55efb6fb9ba5eddc31bc610b72ffb7f32ab47c789b2754
Opcode Fuzzy Hash: 3c7136984471086bce42bdc6ce9c6f874c0107b1f40d44fcecee4edd72327566
Instruction Fuzzy Hash: 29B1E470204301AFD324DF24C885F2A7BE5AF95318F54859CF5965B2E2CB35ED86CB91

Function 00FC5D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00FC5D30
GetWindowRect.USER32(?,?), ref: 00FC5D71
ScreenToClient.USER32(?,?), ref: 00FC5D99
GetClientRect.USER32(?,?), ref: 00FC5ED7
GetWindowRect.USER32(?,?), ref: 00FC5EF8

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: bb80e12d6d94adcb3d27e1d4e39105cc89c081ce219998a94f17a6d0b9e52a18
Instruction ID: 9ad9ab4ee54f3c96dc367451108c16a0915e3aaac04c079fc576306d5498b101
Opcode Fuzzy Hash: bb80e12d6d94adcb3d27e1d4e39105cc89c081ce219998a94f17a6d0b9e52a18
Instruction Fuzzy Hash: A1B15A35A0074ADBEB14CFA8C581BEEB7F1FF48310F14841AE9A9D7250DB34AA91DB54

Function 00FF01B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 00FF00BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FF00D6
__allrem.LIBCMT ref: 00FF00ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FF010B
__allrem.LIBCMT ref: 00FF0122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FF0140

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction ID: df71b17c2ba2a5636abf643135a9e3dba29a5334d18f6972d526577056c5dcaf
Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction Fuzzy Hash: D8812772A00B4A9BE7209F29CC41B7A73E8AF41330F24463AF651D62E2EF74D904A750

Function 00FF61FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00FE82D9,00FE82D9,?,?,?,00FF644F,00000001,00000001,8BE85006), ref: 00FF6258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00FF644F,00000001,00000001,8BE85006,?,?,?), ref: 00FF62DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00FF63D8
__freea.LIBCMT ref: 00FF63E5

Part of subcall function 00FF3820: RtlAllocateHeap.NTDLL(00000000,?,01091444,?,00FDFDF5,?,?,00FCA976,00000010,01091440,00FC13FC,?,00FC13C6,?,00FC1129), ref: 00FF3852

__freea.LIBCMT ref: 00FF63EE
__freea.LIBCMT ref: 00FF6413

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 3657f03c8ccd5bb9a61cdcf1e61a1c9a34078c92edbb1c2a490b09c55786d422
Instruction ID: 242523f8bdc59ce8eb3a35639bc8eac4d0eb21e2b2707d4f9f9f0e879e04db7d
Opcode Fuzzy Hash: 3657f03c8ccd5bb9a61cdcf1e61a1c9a34078c92edbb1c2a490b09c55786d422
Instruction Fuzzy Hash: 2C51E472A0021AABEF258E64CC81EBF77A9EF55760F154229FE05D7260DF38DC44E660

Function 0104BBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00FC9CB3: _wcslen.LIBCMT ref: 00FC9CBD

Part of subcall function 0104C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0104B6AE,?,?), ref: 0104C9B5
Part of subcall function 0104C998: _wcslen.LIBCMT ref: 0104C9F1
Part of subcall function 0104C998: _wcslen.LIBCMT ref: 0104CA68
Part of subcall function 0104C998: _wcslen.LIBCMT ref: 0104CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0104BCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0104BD25
RegCloseKey.ADVAPI32(00000000), ref: 0104BD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0104BD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0104BDF3
RegCloseKey.ADVAPI32(?), ref: 0104BDFF

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: f00d649b266fff4ee3a5c4ab514096f93ccfbea36ba8211ddeb668a60d0255ac
Instruction ID: 91e8daccb695ddc013b552c41720e0a753b824bc4c5ec2f362f165359407d3e9
Opcode Fuzzy Hash: f00d649b266fff4ee3a5c4ab514096f93ccfbea36ba8211ddeb668a60d0255ac
Instruction Fuzzy Hash: F7819170108341AFD754EF24C9C5E2ABBE5FF84308F1489ACF5954B2A2DB36E945CB92

Function 0101F7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 0101F7B9
SysAllocString.OLEAUT32(00000001), ref: 0101F860
VariantCopy.OLEAUT32(0101FA64,00000000), ref: 0101F889
VariantClear.OLEAUT32(0101FA64), ref: 0101F8AD
VariantCopy.OLEAUT32(0101FA64,00000000), ref: 0101F8B1
VariantClear.OLEAUT32(?), ref: 0101F8BB

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: 390579252f748b284909ae2380e6a4c0c59c6739fcf3a91b28dd6d304e18d0fe
Instruction ID: 8bae87679104a89594adb95f3b9d6cd9775e00a3d76a8604395782515680d156
Opcode Fuzzy Hash: 390579252f748b284909ae2380e6a4c0c59c6739fcf3a91b28dd6d304e18d0fe
Instruction Fuzzy Hash: 7151E931500322BADF20BB65D885B6DB3EAEF45310F144497E946DF299DB7C8C48CB56

Function 0103910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00FC7620: _wcslen.LIBCMT ref: 00FC7625

Part of subcall function 00FC6B57: _wcslen.LIBCMT ref: 00FC6B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 010394E5
_wcslen.LIBCMT ref: 01039506
_wcslen.LIBCMT ref: 0103952D
GetSaveFileNameW.COMDLG32(00000058), ref: 01039585

Strings

X, xrefs: 01039412

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: f494c71e205ed4801b308feeca6d4b9b7a4a074ca1004b29b8ed8d8b40dd6c64
Instruction ID: a78f3887bcbaecf7f1116aaf85a3cbc7f7ffaff01860813437abb272eaebf5b0
Opcode Fuzzy Hash: f494c71e205ed4801b308feeca6d4b9b7a4a074ca1004b29b8ed8d8b40dd6c64
Instruction Fuzzy Hash: 97E1AF315083418FD724EF24C982F6AB7E4BF84314F04896DF9899B2A2DB75ED44CB92

Function 00FD920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00FD9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00FD9BB2

BeginPaint.USER32(?,?,?), ref: 00FD9241
GetWindowRect.USER32(?,?), ref: 00FD92A5
ScreenToClient.USER32(?,?), ref: 00FD92C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00FD92D3
EndPaint.USER32(?,?,?,?,?), ref: 00FD9321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 010171EA

Part of subcall function 00FD9339: BeginPath.GDI32(00000000), ref: 00FD9357

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: f82ad2e58da6317fd998d9df3994ddf13fa66357a91d5148c38cf8fc36cb8886
Instruction ID: d7cb8de7fa64e7ecdbd2ba102a67fbc83fe1a1ec1981a25690f9d6c020377caf
Opcode Fuzzy Hash: f82ad2e58da6317fd998d9df3994ddf13fa66357a91d5148c38cf8fc36cb8886
Instruction Fuzzy Hash: 6741C231108301AFD721DF58C884FBA7BA9FB45330F08066AF994872E5C77A9845EB61

Function 010307EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 0103080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 01030847
EnterCriticalSection.KERNEL32(?), ref: 01030863
LeaveCriticalSection.KERNEL32(?), ref: 010308DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 010308F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 01030921

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: 3843e49126dda1effa90a55336334386cd13a213ec1f679dec85122bda2427dd
Instruction ID: ec1929d558a3b3195518caee25230c116c36b33ca0a923eaf6740c765874b817
Opcode Fuzzy Hash: 3843e49126dda1effa90a55336334386cd13a213ec1f679dec85122bda2427dd
Instruction Fuzzy Hash: E6419A31900205EBEF15DF54DC85AAAB7B9FF44300F1480A6FD449A29BDB35DE64DBA0

Function 010581DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,0101F3AB,00000000,?,?,00000000,?,0101682C,00000004,00000000,00000000), ref: 0105824C
EnableWindow.USER32(?,00000000), ref: 01058272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 010582D1
ShowWindow.USER32(?,00000004), ref: 010582E5
EnableWindow.USER32(?,00000001), ref: 0105830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 0105832F

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 00d3ab9a75f53bb98cf8e58b58577003804cd9a50f6f7c899f85d6477b36c514
Instruction ID: eea3dc3a7a2716eb73ba5f0f1c9fb37955c1df7de2b0509184eacaa568558a08
Opcode Fuzzy Hash: 00d3ab9a75f53bb98cf8e58b58577003804cd9a50f6f7c899f85d6477b36c514
Instruction Fuzzy Hash: 0A41B934601745AFEFA2CF1AC499BE67FE0FB09754F1481A6EE988B167C3366441CB50

Function 010422DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 010422E8

Part of subcall function 0103E4EC: GetWindowRect.USER32(?,?), ref: 0103E504

GetDesktopWindow.USER32 ref: 01042312
GetWindowRect.USER32(00000000), ref: 01042319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 01042355
GetCursorPos.USER32(?), ref: 01042381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 010423DF

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: 88305eb74b1e2168aebe21187662beda93bc50d9c4df88d802621ab978b79b80
Instruction ID: f48f9bb7081130830021525666b9ea11066c879d7dabdd5d876b772fd7de3f75
Opcode Fuzzy Hash: 88305eb74b1e2168aebe21187662beda93bc50d9c4df88d802621ab978b79b80
Instruction Fuzzy Hash: 8631AFB2604315ABD721DF54D844A9BBBE9FF88714F004A29F9C597181DB35EA08CB92

Function 01024C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 01024C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 01024CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 01024CEA
_wcslen.LIBCMT ref: 01024D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 01024D10
_wcsstr.LIBVCRUNTIME ref: 01024D1A

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: dc0f5a6e23f168fa73d2800fa5b3c47bca846be3a6985a2f5684ab95c59635c3
Instruction ID: 08c06b2daed4a189d128964c82e57a538dcaf29f29074cba74dbd8870c2efbd8
Opcode Fuzzy Hash: dc0f5a6e23f168fa73d2800fa5b3c47bca846be3a6985a2f5684ab95c59635c3
Instruction Fuzzy Hash: 412129326042147BFB666B39EC49E7F7BDCDF49750F10407AF849CA192EA75D90097A0

Function 0103581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00FC3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00FC3A97,?,?,00FC2E7F,?,?,?,00000000), ref: 00FC3AC2

_wcslen.LIBCMT ref: 0103587B
CoInitialize.OLE32(00000000), ref: 01035995
CoCreateInstance.OLE32(0105FCF8,00000000,00000001,0105FB68,?), ref: 010359AE
CoUninitialize.OLE32 ref: 010359CC

Strings

.lnk, xrefs: 01035876, 010358C1, 01035985

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: dcdc67553acdbc418475a6a21ca35d867513c48a6a19e8bd826e26cc9c863392
Instruction ID: f0e32dfe3233a86e6ea245aae3bde374afa6e1d5753e6c63be5e30582e6ef9f1
Opcode Fuzzy Hash: dcdc67553acdbc418475a6a21ca35d867513c48a6a19e8bd826e26cc9c863392
Instruction Fuzzy Hash: ACD155756083019FC714DF18C984A2ABBE9EF89710F14889DF8899B361DB35ED45CF92

Function 0102175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 01020FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 01020FCA
Part of subcall function 01020FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 01020FD6
Part of subcall function 01020FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 01020FE5
Part of subcall function 01020FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 01020FEC
Part of subcall function 01020FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 01021002

GetLengthSid.ADVAPI32(?,00000000,01021335), ref: 010217AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 010217BA
HeapAlloc.KERNEL32(00000000), ref: 010217C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 010217DA
GetProcessHeap.KERNEL32(00000000,00000000,01021335), ref: 010217EE
HeapFree.KERNEL32(00000000), ref: 010217F5

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 9794241e490cc0a11d9f44b8861b75a73041acc0e154672abab3cf821170619d
Instruction ID: 57310ed7d7966720eef19297455f624e27117aeeb4e1fe1425ad4b831675edb0
Opcode Fuzzy Hash: 9794241e490cc0a11d9f44b8861b75a73041acc0e154672abab3cf821170619d
Instruction Fuzzy Hash: AA117C31500315EFEB649FA8CD49BAF7BF9FB86255F144098F5C197204D73AA944CB60

Function 010214CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 010214FF
OpenProcessToken.ADVAPI32(00000000), ref: 01021506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 01021515
CloseHandle.KERNEL32(00000004), ref: 01021520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0102154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 01021563

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 71966ec241ff33e4879e28f9eeeecf0d2a841a8e01afbfcac084da0c163b5e3c
Instruction ID: d2ba6aafdb6ae4b2004fbc802fdb504019b56e3f5b998ba4759b2f0f089a91a7
Opcode Fuzzy Hash: 71966ec241ff33e4879e28f9eeeecf0d2a841a8e01afbfcac084da0c163b5e3c
Instruction Fuzzy Hash: 1411267250035DABEF218FA8DE49BDE7BADFF08744F0441A5FA45A2060C3768E64DB60

Function 00FE3382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00FE3379,00FE2FE5), ref: 00FE3390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00FE339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00FE33B7
SetLastError.KERNEL32(00000000,?,00FE3379,00FE2FE5), ref: 00FE3409

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: b4f9436e4ab5ed42cd13bb8953d6a901b7541bb7b62c59c3193a37535b60a4c7
Instruction ID: 734f81a275b0dfcaa7c3f46efe9cd7b7efd5e29e6f507158c16ca2fa9457a736
Opcode Fuzzy Hash: b4f9436e4ab5ed42cd13bb8953d6a901b7541bb7b62c59c3193a37535b60a4c7
Instruction Fuzzy Hash: 3C014533A0D3512EB73226767D8DEAB2AA4DB023B43300229F050831E1EF1A0E027A64

Function 00FF2D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00FF5686,01003CD6,?,00000000,?,00FF5B6A,?,?,?,?,?,00FEE6D1,?,01088A48), ref: 00FF2D78
_free.LIBCMT ref: 00FF2DAB
_free.LIBCMT ref: 00FF2DD3
SetLastError.KERNEL32(00000000,?,?,?,?,00FEE6D1,?,01088A48,00000010,00FC4F4A,?,?,00000000,01003CD6), ref: 00FF2DE0
SetLastError.KERNEL32(00000000,?,?,?,?,00FEE6D1,?,01088A48,00000010,00FC4F4A,?,?,00000000,01003CD6), ref: 00FF2DEC
_abort.LIBCMT ref: 00FF2DF2

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 8cf661e0c12f1d969d0e558010df84190091156ee501125289e8f62b8b7d8b0b
Instruction ID: c735035285cc46b94544d7aea0e83b5861626b441550afdbc9a096437459c066
Opcode Fuzzy Hash: 8cf661e0c12f1d969d0e558010df84190091156ee501125289e8f62b8b7d8b0b
Instruction Fuzzy Hash: 14F02832945B0C27D7B23638BC16E7F3569AFC27B0F240419FB64921B6EF2D89017220

Function 01058A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00FD9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00FD9693
Part of subcall function 00FD9639: SelectObject.GDI32(?,00000000), ref: 00FD96A2
Part of subcall function 00FD9639: BeginPath.GDI32(?), ref: 00FD96B9
Part of subcall function 00FD9639: SelectObject.GDI32(?,00000000), ref: 00FD96E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 01058A4E
LineTo.GDI32(?,00000003,00000000), ref: 01058A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 01058A70
LineTo.GDI32(?,00000000,00000003), ref: 01058A80
EndPath.GDI32(?), ref: 01058A90
StrokePath.GDI32(?), ref: 01058AA0

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 28a06ee15a76ec42216631e4d2243519298fc779712fbfe2509346c3e06eb7f6
Instruction ID: 502803efbeb40fc7acfd72f54a848111b39607c9fa55b8e885de5a3c2a6256bd
Opcode Fuzzy Hash: 28a06ee15a76ec42216631e4d2243519298fc779712fbfe2509346c3e06eb7f6
Instruction Fuzzy Hash: A0110C76000209BFEF119F94DC88EAA7F6DEB05360F048052BE5595164C7769D55DB60

Function 010251FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 01025218
GetDeviceCaps.GDI32(00000000,00000058), ref: 01025229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 01025230
ReleaseDC.USER32(00000000,00000000), ref: 01025238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 0102524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 01025261

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: ee64a29462e2d860398059447dec4755873b50cd67aa0eec5206b93b00ba65d1
Instruction ID: a63a5569d5de01474af6f8eaee31b7264083630e4bdc15467f38b5817c104133
Opcode Fuzzy Hash: ee64a29462e2d860398059447dec4755873b50cd67aa0eec5206b93b00ba65d1
Instruction Fuzzy Hash: 6501DF71A00318BBFB109BA98D49A8FBFBCEF49711F044065FA44A7280D6709800CBA0

Function 00FC1BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00FC1BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00FC1BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00FC1C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00FC1C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00FC1C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00FC1C22

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: c59284d87521344cbe18fec0e6e660684ce94e8a2f3035b2debf312b90052779
Instruction ID: 483108af15139658b71231cc0a5633f331f14e5b3b2a2298e007be33a836bc9b
Opcode Fuzzy Hash: c59284d87521344cbe18fec0e6e660684ce94e8a2f3035b2debf312b90052779
Instruction Fuzzy Hash: DA0167B0902B5ABDE3008F6A8C85B53FFA8FF19354F00411BA15C4BA42C7F5A864CBE5

Function 0102EB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0102EB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0102EB46
GetWindowThreadProcessId.USER32(?,?), ref: 0102EB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0102EB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0102EB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0102EB75

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: c7d33f0ef32762573887e55351bcaef8327c7bfabda26e6c5e877125d7a40b2b
Instruction ID: e0dfb2b683a48d167a7d4b0bed1f7fa567d7b45e6d37463baa3f8bb8a7d05605
Opcode Fuzzy Hash: c7d33f0ef32762573887e55351bcaef8327c7bfabda26e6c5e877125d7a40b2b
Instruction Fuzzy Hash: 89F01772240358BBE7315A629D0EEAB7A7CEBCAB11F000158FA41D108596AA6A0187B5

Function 01017439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 01017452
SendMessageW.USER32(?,00001328,00000000,?), ref: 01017469
GetWindowDC.USER32(?), ref: 01017475
GetPixel.GDI32(00000000,?,?), ref: 01017484
ReleaseDC.USER32(?,00000000), ref: 01017496
GetSysColor.USER32(00000005), ref: 010174B0

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: 4acee088de893e75e7f59ba18179b7659cdc37e3694e18df98709a9fb2435d30
Instruction ID: 7196ee9c779686d78b51f571518489cb393fefba8f4a878ddbf9a73294e49462
Opcode Fuzzy Hash: 4acee088de893e75e7f59ba18179b7659cdc37e3694e18df98709a9fb2435d30
Instruction Fuzzy Hash: EF018B31440305EFEB615FA4DD08BAA7BB9FB08321F544060F996A3195CF3A1E41EB20

Function 01021874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0102187F
UnloadUserProfile.USERENV(?,?), ref: 0102188B
CloseHandle.KERNEL32(?), ref: 01021894
CloseHandle.KERNEL32(?), ref: 0102189C
GetProcessHeap.KERNEL32(00000000,?), ref: 010218A5
HeapFree.KERNEL32(00000000), ref: 010218AC

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: e51634a98a067ecf12216797e654c0ae46096a648504afea5696292a97f31e09
Instruction ID: 20b34753ca39154b797830b7d7628cf7d0369afc976a8ba6481ce60b9df8c183
Opcode Fuzzy Hash: e51634a98a067ecf12216797e654c0ae46096a648504afea5696292a97f31e09
Instruction Fuzzy Hash: BAE0E536004705BBEB115FA1EE0C90BBF7DFF4AB22B108220F26681468CB37A4A0DB54

Function 0102C5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FC7620: _wcslen.LIBCMT ref: 00FC7625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0102C6EE
_wcslen.LIBCMT ref: 0102C735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0102C79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0102C7CA

Strings

0, xrefs: 0102C6AF

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: b8dddacb82d4fe0471c7e2845d7429d25ba71b446e5b6f4ea6cf7b3968d5b4b1
Instruction ID: 063d94e9acfb0351e32b462428497c3ff32f2b35cb25c68c2fe07ce76b6cfc04
Opcode Fuzzy Hash: b8dddacb82d4fe0471c7e2845d7429d25ba71b446e5b6f4ea6cf7b3968d5b4b1
Instruction Fuzzy Hash: DA5110316043219BF7A19E28CA88B6F7BE8BF49314F040A6DFAD6D3191DB74D804DB52

Function 0104AD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 0104AEA3

Part of subcall function 00FC7620: _wcslen.LIBCMT ref: 00FC7625

GetProcessId.KERNEL32(00000000), ref: 0104AF38
CloseHandle.KERNEL32(00000000), ref: 0104AF67

Strings

@, xrefs: 0104AE72
<, xrefs: 0104AE6B

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: 5c8221eed06ea1f1057eafc5bda4bef56398e601c6986ac796defcae2430c4f3
Instruction ID: de4d0db9efe5dc4f06de8fa8ddcc9664b9da5e154165d9efd261185f4252f137
Opcode Fuzzy Hash: 5c8221eed06ea1f1057eafc5bda4bef56398e601c6986ac796defcae2430c4f3
Instruction Fuzzy Hash: 5C716A70A00215DFDB14EF55C985A9EBBF0AF08314F0484ADE896AB392C779ED45DB90

Function 0102719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 01027206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0102723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0102724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 010272CF

Strings

DllGetClassObject, xrefs: 01027242

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 41e6b2fef641df680cd0464140a6ca68112a828002808d2cde80e2c992d3fe56
Instruction ID: c99e8303c3fa96d11b7f6697ae16dc79b1f4cc309cc30d5f7c2f5740defd9baf
Opcode Fuzzy Hash: 41e6b2fef641df680cd0464140a6ca68112a828002808d2cde80e2c992d3fe56
Instruction Fuzzy Hash: 59419D71A00214EFDB25CF54C884A9A7FA9EF56310F1180ADFD459F20AD7B1D948CBA0

Function 01053D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 01053E35
IsMenu.USER32(?), ref: 01053E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 01053E92
DrawMenuBar.USER32 ref: 01053EA5

Strings

0, xrefs: 01053D89

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: 924b3dfafd2e4ee44d58d0b5c32227537e21c5314f7ec3a0ecf2371a13666297
Instruction ID: f98ec4545df8d801d33a9c7a82dc05466b634fcddabc8a7185076c93e96dda66
Opcode Fuzzy Hash: 924b3dfafd2e4ee44d58d0b5c32227537e21c5314f7ec3a0ecf2371a13666297
Instruction Fuzzy Hash: 69416A75A00209AFEB60DF94D884EABBBF9FF48394F044069ED859B280D735A940DF60

Function 01021DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FC9CB3: _wcslen.LIBCMT ref: 00FC9CBD

Part of subcall function 01023CA7: GetClassNameW.USER32(?,?,000000FF), ref: 01023CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 01021E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 01021E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 01021EA9

Part of subcall function 00FC6B57: _wcslen.LIBCMT ref: 00FC6B6A

Strings

ListBox, xrefs: 01021E25
ComboBox, xrefs: 01021DF0

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: 35af84b5e4898e8594af4407c2376e93c3ccb909d840e1a6bd45a476f99567e8
Instruction ID: ed54a79a4ece3b30d4e819c4c306ebe7cb5103052ec60b052c8850c95a139910
Opcode Fuzzy Hash: 35af84b5e4898e8594af4407c2376e93c3ccb909d840e1a6bd45a476f99567e8
Instruction Fuzzy Hash: C3214771A00209BEEF14AB64DD4ADFFBBBDEF45350B04412DF4A1A71D1DB7849099720

Function 01052F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 01052F8D
LoadLibraryW.KERNEL32(?), ref: 01052F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 01052FA9
DestroyWindow.USER32(?), ref: 01052FB1

Strings

SysAnimate32, xrefs: 01052F68

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: 21827b8f34af6cca360be30991fc336b0e92354f8ca7164a5b2ca96c9f237cf6
Instruction ID: e459080fe17f927b5ef1be49b9bed3527cfbdacc21ec4236f0e5fbb15bfa108f
Opcode Fuzzy Hash: 21827b8f34af6cca360be30991fc336b0e92354f8ca7164a5b2ca96c9f237cf6
Instruction Fuzzy Hash: F621AC72204209EBEFA14F68EC80EBB37ADEF49364F100628FE90E6195D771DC519B60

Function 00FE4D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00FE4D1E,00FF28E9,?,00FE4CBE,00FF28E9,010888B8,0000000C,00FE4E15,00FF28E9,00000002), ref: 00FE4D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00FE4DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00FE4D1E,00FF28E9,?,00FE4CBE,00FF28E9,010888B8,0000000C,00FE4E15,00FF28E9,00000002,00000000), ref: 00FE4DC3

Strings

mscoree.dll, xrefs: 00FE4D86
CorExitProcess, xrefs: 00FE4D98

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: d2447e4764cca6ef97856cec0b4d1b1cca145e7f4677b966a5bb0115bcf3cfad
Instruction ID: 75205dadc6882e6b83a6a044db012e6e4891e6ae68338a04932ee0b03256b92b
Opcode Fuzzy Hash: d2447e4764cca6ef97856cec0b4d1b1cca145e7f4677b966a5bb0115bcf3cfad
Instruction Fuzzy Hash: FAF0C230A40308BBEB209F91DD09BEEBFB8EF04761F0000A8F845A6244CF795E40DB90

Function 00FC4E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00FC4EDD,?,01091418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00FC4E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00FC4EAE
FreeLibrary.KERNEL32(00000000,?,?,00FC4EDD,?,01091418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00FC4EC0

Strings

kernel32.dll, xrefs: 00FC4E94
Wow64DisableWow64FsRedirection, xrefs: 00FC4EA8

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: 54c3c0ebce581eaf1aaf12baa6837f627fe9c78c34493ecb4432749434b39ad1
Instruction ID: b611a9c48ae69e4139ca5dbfa411d59ada8ebd1baf1b73eab8831a1247728669
Opcode Fuzzy Hash: 54c3c0ebce581eaf1aaf12baa6837f627fe9c78c34493ecb4432749434b39ad1
Instruction Fuzzy Hash: 82E08635E027235BA33117256D29F5B765CAF82F72B060119FC40E6104DB64DC0191A4

Function 00FC4E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,01003CDE,?,01091418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00FC4E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00FC4E74
FreeLibrary.KERNEL32(00000000,?,?,01003CDE,?,01091418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00FC4E87

Strings

kernel32.dll, xrefs: 00FC4E5B
Wow64RevertWow64FsRedirection, xrefs: 00FC4E6E

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 5ace5556140b1853d7e4375761caf99af4646a185eb0cd869d87baa578d56f55
Instruction ID: 3876b4c2099c19a884ed68a0c8e0f31a2b157ae2341fe1dfed36ece977c81b54
Opcode Fuzzy Hash: 5ace5556140b1853d7e4375761caf99af4646a185eb0cd869d87baa578d56f55
Instruction Fuzzy Hash: 13D0C2319027225767321B297E29F8B3A1CAF82F213060118BC80A6108CF25CD01D2E4

Function 01032947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 01032C05
DeleteFileW.KERNEL32(?), ref: 01032C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 01032C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 01032CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 01032CC0

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: a3c4505fce83e682374ad2266f0c96f7c22520a973fbe30a9e9b1eecdf36033f
Instruction ID: 259824f4a40111fec46d3365509e9c90407258818950f2b836d1f8032a3459e3
Opcode Fuzzy Hash: a3c4505fce83e682374ad2266f0c96f7c22520a973fbe30a9e9b1eecdf36033f
Instruction Fuzzy Hash: 34B14F71D0011DABDF25DBA4CD85EDEBBBDEF48350F0040AAF649E6141EB35AA448F61

Function 0104A387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 0104A427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0104A435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0104A468
CloseHandle.KERNEL32(?), ref: 0104A63D

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: d22a315ee756fad79118a49eca86f3584e33f872147cf8d733ee7ebf7e287cab
Instruction ID: 0488a6ee5f56698a9f116e73317a0096c94f61d726e9babfb24dc7dc877cface
Opcode Fuzzy Hash: d22a315ee756fad79118a49eca86f3584e33f872147cf8d733ee7ebf7e287cab
Instruction Fuzzy Hash: AFA1B2B16043019FE720DF28C982F2AB7E5AF88714F04885DF59A9B392DB74EC41CB91

Function 00FFBB27 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,01063700), ref: 00FFBB91
WideCharToMultiByte.KERNEL32(00000000,00000000,0109121C,000000FF,00000000,0000003F,00000000,?,?), ref: 00FFBC09
WideCharToMultiByte.KERNEL32(00000000,00000000,01091270,000000FF,?,0000003F,00000000,?), ref: 00FFBC36
_free.LIBCMT ref: 00FFBB7F

Part of subcall function 00FF29C8: HeapFree.KERNEL32(00000000,00000000,?,00FFD7D1,00000000,00000000,00000000,00000000,?,00FFD7F8,00000000,00000007,00000000,?,00FFDBF5,00000000), ref: 00FF29DE
Part of subcall function 00FF29C8: GetLastError.KERNEL32(00000000,?,00FFD7D1,00000000,00000000,00000000,00000000,?,00FFD7F8,00000000,00000007,00000000,?,00FFDBF5,00000000,00000000), ref: 00FF29F0

_free.LIBCMT ref: 00FFBD4B

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: 78430b1956cf74e60b573bc594d7d0b4e4a57741754a0f5e5383cc47ed7e901a
Instruction ID: 3151a3e4a1ea65eba5608690f760db01b8417d7e6c7722cffdbfafeac5a98dcb
Opcode Fuzzy Hash: 78430b1956cf74e60b573bc594d7d0b4e4a57741754a0f5e5383cc47ed7e901a
Instruction Fuzzy Hash: 2A510871D0420DEFDB20EF65DC819BEB7BCBF40320B1002AAE690D71A4EB355E40AB50

Function 0102E3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0102DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0102CF22,?), ref: 0102DDFD

Part of subcall function 0102DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0102CF22,?), ref: 0102DE16

Part of subcall function 0102E199: GetFileAttributesW.KERNEL32(?,0102CF95), ref: 0102E19A

lstrcmpiW.KERNEL32(?,?), ref: 0102E473
MoveFileW.KERNEL32(?,?), ref: 0102E4AC
_wcslen.LIBCMT ref: 0102E5EB
_wcslen.LIBCMT ref: 0102E603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 0102E650

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: fc6ed514a044b27fc52e35cfb618499202c459a1f1d5439ac55dede4ebc1fcfb
Instruction ID: fbefee0a29097a927267ba84e455a386e341e54f531986227a952f9d98dec506
Opcode Fuzzy Hash: fc6ed514a044b27fc52e35cfb618499202c459a1f1d5439ac55dede4ebc1fcfb
Instruction Fuzzy Hash: C65181B24083955BD764EBA4CC819DF77ECAF84340F40492EE6C9D3191EF74A2888766

Function 0104B9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00FC9CB3: _wcslen.LIBCMT ref: 00FC9CBD

Part of subcall function 0104C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0104B6AE,?,?), ref: 0104C9B5
Part of subcall function 0104C998: _wcslen.LIBCMT ref: 0104C9F1
Part of subcall function 0104C998: _wcslen.LIBCMT ref: 0104CA68
Part of subcall function 0104C998: _wcslen.LIBCMT ref: 0104CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0104BAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0104BB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0104BB63
RegCloseKey.ADVAPI32(?,?), ref: 0104BBA6
RegCloseKey.ADVAPI32(00000000), ref: 0104BBB3

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: e9e68b0d9d3136ceecd07125299f3f192e93b9bdbe9f015f761622f2b79f2703
Instruction ID: 8c997f1514071a69452c306752793deb9f62c57c23df586d59bf35d5f0025307
Opcode Fuzzy Hash: e9e68b0d9d3136ceecd07125299f3f192e93b9bdbe9f015f761622f2b79f2703
Instruction Fuzzy Hash: C061B171208201AFD314DF14C9D5E2ABBE5FF84308F5489ACF5994B292CB75ED45CB92

Function 01028BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 01028BCD
VariantClear.OLEAUT32 ref: 01028C3E
VariantClear.OLEAUT32 ref: 01028C9D
VariantClear.OLEAUT32(?), ref: 01028D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 01028D3B

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: b4c36d5f9561daeb8a1c798823c0ac79e9c0da20542011c9506d83895a267153
Instruction ID: 36edb270ceac6da0f1f0a02a21a01363adec490a87d12bdcff4f6ef4ca282f72
Opcode Fuzzy Hash: b4c36d5f9561daeb8a1c798823c0ac79e9c0da20542011c9506d83895a267153
Instruction Fuzzy Hash: F5515AB5A00219EFDB14DF68C884AAABBF8FF89310F15855AE945DB314E734E911CF90

Function 01038AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 01038BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 01038BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 01038C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 01038C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 01038C5F

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: e4ffec86d82779ce6a536521461f822d77c6b6e394081761239056a239737b30
Instruction ID: ea2eb0e494e14672a383a9df86922596e5aecf0d87be436f2c4c90f98eb02cc8
Opcode Fuzzy Hash: e4ffec86d82779ce6a536521461f822d77c6b6e394081761239056a239737b30
Instruction Fuzzy Hash: 71516835A002199FDB00DF64C981E6ABBF5FF48314F088499E849AB362CB39ED41DF90

Function 01048EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 01048F40
GetProcAddress.KERNEL32(00000000,?), ref: 01048FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 01048FEC
GetProcAddress.KERNEL32(00000000,?), ref: 01049032
FreeLibrary.KERNEL32(00000000), ref: 01049052

Part of subcall function 00FDF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,01031043,?,7529E610), ref: 00FDF6E6
Part of subcall function 00FDF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,0101FA64,00000000,00000000,?,?,01031043,?,7529E610,?,0101FA64), ref: 00FDF70D

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 09e93c8422cd33b2c2627f7931ebdf7d9e1c48d159c395fb4261b8c8a878bf1b
Instruction ID: 4b7f992931857017d478aed608090e349aeb1558192706010a45a82c2b4400d6
Opcode Fuzzy Hash: 09e93c8422cd33b2c2627f7931ebdf7d9e1c48d159c395fb4261b8c8a878bf1b
Instruction Fuzzy Hash: 7B516974604205DFC711EF68C585DAEBBF1FF49314B0884A9E94A9B362DB35ED85CB80

Function 01056B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 01056C33
SetWindowLongW.USER32(?,000000EC,?), ref: 01056C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 01056C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,0103AB79,00000000,00000000), ref: 01056C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 01056CC7

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: f0263340b95ee0b540d5f7f52067775a0a7710d3a3eb08d3eb554bff981581ef
Instruction ID: 0f06b903666d9b5ff385603a40b38a702da9d3020213dea862018a54e16cda12
Opcode Fuzzy Hash: f0263340b95ee0b540d5f7f52067775a0a7710d3a3eb08d3eb554bff981581ef
Instruction Fuzzy Hash: 6541C535A04208AFE7A5CF6CC959FBB7FE8EB09360F840258ED95A7291C373AD40C650

Function 00FF2051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00FF20C3
_free.LIBCMT ref: 00FF20E3

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 1a8eed09a4e8888141d04b25cd3cbc52040150e46bafcde02a75ddc74c51c3d5
Instruction ID: 8c57f22a2c6a7e2645df6a220866abae0c275933b4ab97703d0b14916a0ca378
Opcode Fuzzy Hash: 1a8eed09a4e8888141d04b25cd3cbc52040150e46bafcde02a75ddc74c51c3d5
Instruction Fuzzy Hash: F441E433E002089FCB20DF78C880A6DB7B5EF89324F154569E615EB3A1DB31AD01EB80

Function 00FD912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00FD9141
ScreenToClient.USER32(00000000,?), ref: 00FD915E
GetAsyncKeyState.USER32(00000001), ref: 00FD9183
GetAsyncKeyState.USER32(00000002), ref: 00FD919D

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 10343cc3b29f4ecf0c7cc66f4a9eab4bdf5db7023c97a0e0669709fb909940c6
Instruction ID: 044a94601c816fc27f02cf4e853ee734562ef4909876ad6971dd61849b0329d3
Opcode Fuzzy Hash: 10343cc3b29f4ecf0c7cc66f4a9eab4bdf5db7023c97a0e0669709fb909940c6
Instruction Fuzzy Hash: 3841B43190820BFBDF199FA8C844BEEB776FF05324F244216E465A32D4C7746990DB51

Function 01033874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 010338CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 01033922
TranslateMessage.USER32(?), ref: 0103394B
DispatchMessageW.USER32(?), ref: 01033955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 01033966

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: 81f1fd8b8a77171f6b411398d4422467cb951aed67bbf60c3b21974bfb630fd7
Instruction ID: 36885ac89db7fc8daa7b1a8ac5323a10a0d7f69e1f744bcb2c2a192556ad6c5f
Opcode Fuzzy Hash: 81f1fd8b8a77171f6b411398d4422467cb951aed67bbf60c3b21974bfb630fd7
Instruction Fuzzy Hash: D731E670604342EEFB76CB389499BB73BECBB85314F04459AD5E2CA0C5E3799085CB11

Function 01021901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 01021915
PostMessageW.USER32(00000001,00000201,00000001), ref: 010219C1
Sleep.KERNEL32(00000000,?,?,?), ref: 010219C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 010219DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 010219E2

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 9b43d79f1f7c8d8d4dcd9d9cda32fe75f73678573107cf7c19a7717bb0db474c
Instruction ID: ac73d9a9987f7da5e803d0d00c2e4bd04044b254b5cc04a961eacdda21b4b746
Opcode Fuzzy Hash: 9b43d79f1f7c8d8d4dcd9d9cda32fe75f73678573107cf7c19a7717bb0db474c
Instruction Fuzzy Hash: 3931D171A00329EFDB10CFACD988ADE7BB5EB05315F104269F9A1A72C1C770AA44CB90

Function 01055706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 01055745
SendMessageW.USER32(?,00001074,?,00000001), ref: 0105579D
_wcslen.LIBCMT ref: 010557AF
_wcslen.LIBCMT ref: 010557BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 01055816

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: 3f929f67bb1c351c0e6931ecb7608c2c207d5774944ca2f798f7cf66bc983b60
Instruction ID: 69eb7900ce9aad227cb2baf9dce8faca9be687f0142404a8ae7a73bb45fae150
Opcode Fuzzy Hash: 3f929f67bb1c351c0e6931ecb7608c2c207d5774944ca2f798f7cf66bc983b60
Instruction Fuzzy Hash: 6821B931A002189BDB608FA4DC44AEF7BBCFF04324F004156EE99EB180D7749585CF50

Function 01040930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 01040951
GetForegroundWindow.USER32 ref: 01040968
GetDC.USER32(00000000), ref: 010409A4
GetPixel.GDI32(00000000,?,00000003), ref: 010409B0
ReleaseDC.USER32(00000000,00000003), ref: 010409E8

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 8bfedec35270704c1dd543fc98fa96114bbf6e67285ec7070553c7c2d22a4e9a
Instruction ID: 554c472f67d6db4023bde53eb5815b8f22993ab465bffb57dd04901aca4ddd3d
Opcode Fuzzy Hash: 8bfedec35270704c1dd543fc98fa96114bbf6e67285ec7070553c7c2d22a4e9a
Instruction Fuzzy Hash: 1A218179600214AFE714EF65C985AAFBBE9EF48700F04846CE98AA7755CB35AD04CB60

Function 00FFCDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00FFCDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00FFCDE9

Part of subcall function 00FF3820: RtlAllocateHeap.NTDLL(00000000,?,01091444,?,00FDFDF5,?,?,00FCA976,00000010,01091440,00FC13FC,?,00FC13C6,?,00FC1129), ref: 00FF3852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00FFCE0F
_free.LIBCMT ref: 00FFCE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00FFCE31

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: d2c5451e6b5bdfde33b3b39ec19b5e4d2bcda421a9551ed8f1d5d99abb62fd64
Instruction ID: 83f4bb5e290e63caba2530735bb2d16845394acd8dc267c2b07387d679b0e633
Opcode Fuzzy Hash: d2c5451e6b5bdfde33b3b39ec19b5e4d2bcda421a9551ed8f1d5d99abb62fd64
Instruction Fuzzy Hash: F301D872E0232D7F333115766D48DBF796DDEC6BA13150129FA05C7210DAA58D01A2F0

Function 00FD9639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00FD9693
SelectObject.GDI32(?,00000000), ref: 00FD96A2
BeginPath.GDI32(?), ref: 00FD96B9
SelectObject.GDI32(?,00000000), ref: 00FD96E2

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 87eaa5fa18d3e23f1cbb504209ad8a964330b1e9b86ee760b89b4bac0a344714
Instruction ID: 71db9292ea3ec811aa7c1c44e91f531367788f0782f3d09a67925543df449371
Opcode Fuzzy Hash: 87eaa5fa18d3e23f1cbb504209ad8a964330b1e9b86ee760b89b4bac0a344714
Instruction Fuzzy Hash: A421D731915306EFDB219FA4D9047AE3BB9BB01375F144217F490A32D8D3BA9881DF94

Function 01025711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 01025726
_memcmp.LIBVCRUNTIME ref: 01025744
_memcmp.LIBVCRUNTIME ref: 01025757
_memcmp.LIBVCRUNTIME ref: 0102576F
_memcmp.LIBVCRUNTIME ref: 01025787

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: c0bee49b0996ae542609da0140424df80d30464be760a0971e74fee1834b3eed
Instruction ID: 705e089556986a285d88d997e1d33234931ae83f91d0fa2634a497f718159894
Opcode Fuzzy Hash: c0bee49b0996ae542609da0140424df80d30464be760a0971e74fee1834b3eed
Instruction Fuzzy Hash: 4501B57168126AFFE3489517AE82FFB739CBB513A4F004064FD449E202F774ED1092A8

Function 00FF2DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00FEF2DE,00FF3863,01091444,?,00FDFDF5,?,?,00FCA976,00000010,01091440,00FC13FC,?,00FC13C6), ref: 00FF2DFD
_free.LIBCMT ref: 00FF2E32
_free.LIBCMT ref: 00FF2E59
SetLastError.KERNEL32(00000000,00FC1129), ref: 00FF2E66
SetLastError.KERNEL32(00000000,00FC1129), ref: 00FF2E6F

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: a22e00b1f9f055a7511d0f254bb3a4cdb1d044197c957612c6f3f4aa18393c23
Instruction ID: 2053b9150a0e5a7a0791731a718b0979a08fb658ed7e7d6a7b643956d3be0353
Opcode Fuzzy Hash: a22e00b1f9f055a7511d0f254bb3a4cdb1d044197c957612c6f3f4aa18393c23
Instruction Fuzzy Hash: 8101F97264570C67D76226746D85D3F396DFFC17717340029FBA1A22B6EA6D8D017120

Function 0102000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0101FF41,80070057,?,?,?,0102035E), ref: 0102002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0101FF41,80070057,?,?), ref: 01020046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0101FF41,80070057,?,?), ref: 01020054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0101FF41,80070057,?), ref: 01020064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0101FF41,80070057,?,?), ref: 01020070

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 775016a7bd9606ccbb0320c5774ec06b66a7b607d8a7611f24f2b9c73165178e
Instruction ID: 49618d706205f9e141dea2c8120205237df195ada79a64bab336dd8c921ea490
Opcode Fuzzy Hash: 775016a7bd9606ccbb0320c5774ec06b66a7b607d8a7611f24f2b9c73165178e
Instruction Fuzzy Hash: 82018F76600315BFFB204F68DD84BBA7EEDEB44661F144124FA85D2218E77ADD408BA0

Function 010210F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 01021114
GetLastError.KERNEL32(?,00000000,00000000,?,?,01020B9B,?,?,?), ref: 01021120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,01020B9B,?,?,?), ref: 0102112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,01020B9B,?,?,?), ref: 01021136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0102114D

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 069303b0cfb008f26f1a1da742977bf44db4ed8064cfcdd712fc59ec456bfd54
Instruction ID: e043b3620bbb0da30e958fc9349c01ea1a824777dcd92ad0185cf534fe5804cc
Opcode Fuzzy Hash: 069303b0cfb008f26f1a1da742977bf44db4ed8064cfcdd712fc59ec456bfd54
Instruction Fuzzy Hash: E2016D75100315BFEB214F68DD4DA6B3FAEEF85260B200454F981D3340DA36DC00CB60

Function 01020FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 01020FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 01020FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 01020FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 01020FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 01021002

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 6ce9dfb5377d41418ef63570257862cce71599f0e3f29da56aec1fed4a6fa1d1
Instruction ID: 6b16d2dc145114adc28b87a22d66f864c82c4f98f8dac4887774af0d24e4b9a4
Opcode Fuzzy Hash: 6ce9dfb5377d41418ef63570257862cce71599f0e3f29da56aec1fed4a6fa1d1
Instruction Fuzzy Hash: 09F06D35200315ABEB214FA9DD8DF5B3FADEF8A762F104454FA86C7241CA7AD850CB60

Function 01021014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0102102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 01021036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 01021045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0102104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 01021062

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: a06c0d99acdc47571163ecbef9a2cda89288fb81a47933765e8a7a72fc9e7da3
Instruction ID: 029c6e9390a17db2386c57b52ad61555f1b5ff1565eae185d527ca8bcbdf85ae
Opcode Fuzzy Hash: a06c0d99acdc47571163ecbef9a2cda89288fb81a47933765e8a7a72fc9e7da3
Instruction Fuzzy Hash: E8F06235200355ABEB225FA9ED49F5B3FADEF8A661F100414FA85C7240CA79D950CB60

Function 0103030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,0103017D,?,010332FC,?,00000001,01002592,?), ref: 01030324
CloseHandle.KERNEL32(?,?,?,?,0103017D,?,010332FC,?,00000001,01002592,?), ref: 01030331
CloseHandle.KERNEL32(?,?,?,?,0103017D,?,010332FC,?,00000001,01002592,?), ref: 0103033E
CloseHandle.KERNEL32(?,?,?,?,0103017D,?,010332FC,?,00000001,01002592,?), ref: 0103034B
CloseHandle.KERNEL32(?,?,?,?,0103017D,?,010332FC,?,00000001,01002592,?), ref: 01030358
CloseHandle.KERNEL32(?,?,?,?,0103017D,?,010332FC,?,00000001,01002592,?), ref: 01030365

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 5729b76d801c71698209bda207b0cc9fd31279ae19a4cdd116c2de0c1f89cbfb
Instruction ID: 7884c833a2d4ac1f258922a9c438a62bae0cb33c0ba16df69804613aff4bf91c
Opcode Fuzzy Hash: 5729b76d801c71698209bda207b0cc9fd31279ae19a4cdd116c2de0c1f89cbfb
Instruction Fuzzy Hash: 7C019072801B159FD7309F6AD880413FBF9BF902153158A7EE29652931C371A954CF80

Function 00FFD73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00FFD752

Part of subcall function 00FF29C8: HeapFree.KERNEL32(00000000,00000000,?,00FFD7D1,00000000,00000000,00000000,00000000,?,00FFD7F8,00000000,00000007,00000000,?,00FFDBF5,00000000), ref: 00FF29DE
Part of subcall function 00FF29C8: GetLastError.KERNEL32(00000000,?,00FFD7D1,00000000,00000000,00000000,00000000,?,00FFD7F8,00000000,00000007,00000000,?,00FFDBF5,00000000,00000000), ref: 00FF29F0

_free.LIBCMT ref: 00FFD764
_free.LIBCMT ref: 00FFD776
_free.LIBCMT ref: 00FFD788
_free.LIBCMT ref: 00FFD79A

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: ff3bc7ab6b073c6d27c7731dd02710ec16d1091ef968dd97757ca232c6a9f97e
Instruction ID: cfe5b4b556f802e2732c2a8865657f32a76bc1c0d85f5b014c94c1115560ad0f
Opcode Fuzzy Hash: ff3bc7ab6b073c6d27c7731dd02710ec16d1091ef968dd97757ca232c6a9f97e
Instruction Fuzzy Hash: A5F0313399420DAB8675FA58F9C5C6A77FEBF047207940809F284DB525CB29FC406674

Function 01025C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 01025C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 01025C6F
MessageBeep.USER32(00000000), ref: 01025C87
KillTimer.USER32(?,0000040A), ref: 01025CA3
EndDialog.USER32(?,00000001), ref: 01025CBD

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 8d1e4f79ef9215617b04075c971318f9c64c3d4278eeec3c4356e16cfa081f8d
Instruction ID: 8e2df1f8f233a0dd0ddf045d7b2f62c181a6bd319df1785eb67cb8aa91361425
Opcode Fuzzy Hash: 8d1e4f79ef9215617b04075c971318f9c64c3d4278eeec3c4356e16cfa081f8d
Instruction Fuzzy Hash: 89014F30500718AEFB315B14DE4EFE67BA8BB04B05F040659E6C2A24D1EBB5AA84CB94

Function 00FF22A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00FF22BE

Part of subcall function 00FF29C8: HeapFree.KERNEL32(00000000,00000000,?,00FFD7D1,00000000,00000000,00000000,00000000,?,00FFD7F8,00000000,00000007,00000000,?,00FFDBF5,00000000), ref: 00FF29DE
Part of subcall function 00FF29C8: GetLastError.KERNEL32(00000000,?,00FFD7D1,00000000,00000000,00000000,00000000,?,00FFD7F8,00000000,00000007,00000000,?,00FFDBF5,00000000,00000000), ref: 00FF29F0

_free.LIBCMT ref: 00FF22D0
_free.LIBCMT ref: 00FF22E3
_free.LIBCMT ref: 00FF22F4
_free.LIBCMT ref: 00FF2305

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 24e9867c0b110ed3124d9ac301a08b9282c34e8cb0ba75abbf296904f713c89f
Instruction ID: 75d89c3b5bc6d2d2633fd6345f69076680c9b498495b2d29f3233b7fc11d33f5
Opcode Fuzzy Hash: 24e9867c0b110ed3124d9ac301a08b9282c34e8cb0ba75abbf296904f713c89f
Instruction Fuzzy Hash: 4DF03AB19941268B9672BF58F82186C3B78BF18770700054AF5D4D72BDC77E0921BBA4

Function 00FD95C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 00FD95D4
StrokeAndFillPath.GDI32(?,?,010171F7,00000000,?,?,?), ref: 00FD95F0
SelectObject.GDI32(?,00000000), ref: 00FD9603
DeleteObject.GDI32 ref: 00FD9616
StrokePath.GDI32(?), ref: 00FD9631

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: ea526617203c95f48f53449e1aeddf87dbba1333ded96d8446ba345867cd10a6
Instruction ID: f80e624da2290eee8142b708211cd28c7f2fcb9617d255131c3866dc4e674be7
Opcode Fuzzy Hash: ea526617203c95f48f53449e1aeddf87dbba1333ded96d8446ba345867cd10a6
Instruction Fuzzy Hash: 90F08C30109305ABEB324FA5EA0C7653B66FB01372F088314F4A5551E8CB7A8991EF20

Function 00FF0F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 00FF10F9
__freea.LIBCMT ref: 00FF1117

Part of subcall function 00FF1537: _free.LIBCMT ref: 00FF154F

Strings

am/pm, xrefs: 00FF117A
a/p, xrefs: 00FF11DE

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: 85fdf72daf1dae6a87564b34e0e871f471321f03e0c2560f677e67fc458ccba5
Instruction ID: 72a914e65cc5cf7e90d6e2360b7f7b494bf4834d24f85fcb85d6548846b4ccb1
Opcode Fuzzy Hash: 85fdf72daf1dae6a87564b34e0e871f471321f03e0c2560f677e67fc458ccba5
Instruction Fuzzy Hash: 48D1F132D0420ECADB289F68C855BFAB7B5FF05720F280159EB01AB671D7759D80EB91

Function 01047B7E Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00FE0242: EnterCriticalSection.KERNEL32(0109070C,01091884,?,?,00FD198B,01092518,?,?,?,00FC12F9,00000000), ref: 00FE024D
Part of subcall function 00FE0242: LeaveCriticalSection.KERNEL32(0109070C,?,00FD198B,01092518,?,?,?,00FC12F9,00000000), ref: 00FE028A

Part of subcall function 00FC9CB3: _wcslen.LIBCMT ref: 00FC9CBD

Part of subcall function 00FE00A3: __onexit.LIBCMT ref: 00FE00A9

__Init_thread_footer.LIBCMT ref: 01047BFB

Part of subcall function 00FE01F8: EnterCriticalSection.KERNEL32(0109070C,?,?,00FD8747,01092514), ref: 00FE0202
Part of subcall function 00FE01F8: LeaveCriticalSection.KERNEL32(0109070C,?,00FD8747,01092514), ref: 00FE0235

Strings

5, xrefs: 01047C78
Variable must be of type 'Object'., xrefs: 01047C3A
G, xrefs: 01047C7F

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: 5$G$Variable must be of type 'Object'.
API String ID: 535116098-3733170431
Opcode ID: 5044f0d6198c39bf3f5b6e1772780f0a4bf61bd72b0c5eccf242f7d56b8a23a7
Instruction ID: c9e2164b68d1e774368cbbd3842d1076a03a47fe38ffc55b5f9706e7d0ca3808
Opcode Fuzzy Hash: 5044f0d6198c39bf3f5b6e1772780f0a4bf61bd72b0c5eccf242f7d56b8a23a7
Instruction Fuzzy Hash: 68918EB1A00209EFCB15EF98D990DADBBB1FF44304F0480ADF9865B291DB71AE45DB51

Function 01022716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0102B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,010221D0,?,?,00000034,00000800,?,00000034), ref: 0102B42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 01022760

Part of subcall function 0102B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,010221FF,?,?,00000800,?,00001073,00000000,?,?), ref: 0102B3F8

Part of subcall function 0102B32A: GetWindowThreadProcessId.USER32(?,?), ref: 0102B355
Part of subcall function 0102B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,01022194,00000034,?,?,00001004,00000000,00000000), ref: 0102B365
Part of subcall function 0102B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,01022194,00000034,?,?,00001004,00000000,00000000), ref: 0102B37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 010227CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0102281A

Strings

@, xrefs: 01022832

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 4e2d67942afb958d3c53ee9e712a54eee62b4f3f2dbe662dcd6aa37c0b1e2986
Instruction ID: 2ff18934a30ca6a78b7bc4e93f5192b1116fb8e91c737d5ed05faaab454efa2c
Opcode Fuzzy Hash: 4e2d67942afb958d3c53ee9e712a54eee62b4f3f2dbe662dcd6aa37c0b1e2986
Instruction Fuzzy Hash: 08412F72900229AFDB10DFA4CD85FDEBBB8EF19700F108095EA95B7180DA716E45CB61

Function 00FF172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104), ref: 00FF1769
_free.LIBCMT ref: 00FF1834
_free.LIBCMT ref: 00FF183E

Strings

C:\Users\user\Desktop\file.exe, xrefs: 00FF1760, 00FF1767, 00FF1796, 00FF17CE

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\file.exe
API String ID: 2506810119-517116171
Opcode ID: 9df92f6a055baba808c5350048e08a5f0f20f4df1974a71b263d1f85dcb87b21
Instruction ID: 2075f4d73c826e748305919f1afbdd421ed24eab342bef83316e25a03a0c72ad
Opcode Fuzzy Hash: 9df92f6a055baba808c5350048e08a5f0f20f4df1974a71b263d1f85dcb87b21
Instruction Fuzzy Hash: 0B318172E0021CEBDB21EB999D81DAEBBBCFF85360F1441A6F60497221D6754A40EB90

Function 0102C27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 0102C306
DeleteMenu.USER32(?,00000007,00000000), ref: 0102C34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,01091990,01AF5660), ref: 0102C395

Strings

0, xrefs: 0102C2DF

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 21cbbf032f2fe9ac569abe3a71c5172b4c1ead7f77f906ea0ec3ba2cc6efad80
Instruction ID: 932fd176a538bfd145a14d7148d12cf9d1caed34f5065f29ab7843383e3990ec
Opcode Fuzzy Hash: 21cbbf032f2fe9ac569abe3a71c5172b4c1ead7f77f906ea0ec3ba2cc6efad80
Instruction Fuzzy Hash: 4041B1712043529FE720DF29D944B6EBBE8AF85310F008A5EF9E5972D1D774EA04CB52

Function 01054416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0105CC08,00000000,?,?,?,?), ref: 010544AA
GetWindowLongW.USER32 ref: 010544C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 010544D7

Strings

SysTreeView32, xrefs: 0105447C

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: c7feb06b12c225732fc9be489bee18b4429d30318f59d59cc39aa6c79f027d64
Instruction ID: bb06c91960bfbaa25c410d36341b863104c9563076216457b68ab5e3e589c7bf
Opcode Fuzzy Hash: c7feb06b12c225732fc9be489bee18b4429d30318f59d59cc39aa6c79f027d64
Instruction Fuzzy Hash: 65319E31244205ABEFA18E78DC45BDB7BA9EB08338F204715FDB5E21D1EB74E8909B50

Function 0104304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0104335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,01043077,?,?), ref: 01043378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0104307A
_wcslen.LIBCMT ref: 0104309B
htons.WSOCK32(00000000,?,?,00000000), ref: 01043106

Strings

255.255.255.255, xrefs: 01043095, 0104309A

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: 3421f1a6d43b1c57787d0d44edd3389d98b6a78ea19bd3033320f47d1f5649de
Instruction ID: 5bec164fb2ef510cd8dd5896452e8b6de167e3a13e271a85ead86bc06ed7f792
Opcode Fuzzy Hash: 3421f1a6d43b1c57787d0d44edd3389d98b6a78ea19bd3033320f47d1f5649de
Instruction Fuzzy Hash: 5F31EFB52042119FDB20CF28C5C5EAA7BF0FF14318F2491A9E9958F3A2CB72E941C760

Function 01053EB8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 01053F40
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 01053F54
SendMessageW.USER32(?,00001002,00000000,?), ref: 01053F78

Strings

SysMonthCal32, xrefs: 01053F0B

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 0449927e36fb89c5e63b3ace5555b906815477471a23d3ae8ce5e568062b90b7
Instruction ID: 06ab2fb12e775e9ea2de5201e8d2733815b938335bde68ab92d50bd7ae7a8691
Opcode Fuzzy Hash: 0449927e36fb89c5e63b3ace5555b906815477471a23d3ae8ce5e568062b90b7
Instruction Fuzzy Hash: 85219F32640219BBEF229E54CC46FEB3BB9FB48754F110254FE95AB1C0D6B5A850DBA0

Function 01054653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 01054705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 01054713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0105471A

Strings

msctls_updown32, xrefs: 01054684

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 9cb0a9cda91d15954b9cb040c5652300088b93ed98701c73f6114b79e4012803
Instruction ID: 1d4e5d2bb6ba4fe52ee7f0981309364fa1e87d3b45bdf5a37cade5141f6f83dd
Opcode Fuzzy Hash: 9cb0a9cda91d15954b9cb040c5652300088b93ed98701c73f6114b79e4012803
Instruction Fuzzy Hash: 1F218CB5604209AFEB51DF68DCC1DAB37EDEB4A3A4B000049FA40DB251DB75EC51CB60

Function 010295AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0102961D

Strings

#notrayicon, xrefs: 010295B7
#requireadmin, xrefs: 010295D9
#OnAutoItStartRegister, xrefs: 010295F3

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: 9789a856cc0b79f5ccb7474aa4d6c833bffe4cc75825fd05effa0cc492424339
Instruction ID: fc1cb6f1615fb8270d207ed4b9ae83ef3b34fe7bff00954eb7638a93d72049a7
Opcode Fuzzy Hash: 9789a856cc0b79f5ccb7474aa4d6c833bffe4cc75825fd05effa0cc492424339
Instruction Fuzzy Hash: D621AD3220423166E330BB29DC06FBB73DD9F95308F40402AFAC99B042EB58A941D3D1

Function 010537B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 01053840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 01053850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 01053876

Strings

Listbox, xrefs: 0105380F

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 445ae687424112b40bc90dfb38b8901873ae6871d80b429a6ff34dd828b53559
Instruction ID: a45aabc3409b209e67772be77693ad3c7118574fd750f2033cb9fef94fba0380
Opcode Fuzzy Hash: 445ae687424112b40bc90dfb38b8901873ae6871d80b429a6ff34dd828b53559
Instruction Fuzzy Hash: 1B21C232600218BBEF628E69CC45FBB37AEFF89790F108154FD909B190C676DC5287A0

Function 010349F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 01034A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 01034A5C
SetErrorMode.KERNEL32(00000000,?,?,0105CC08), ref: 01034AD0

Strings

%lu, xrefs: 01034A6F

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: f1ec5e98b3a26af9f77a6649fdc55a4342af8f1f3c6a3416cc2b70674ae6047b
Instruction ID: 5878fce4d41e3be044c3b470a421674c57d96c8aa98b4be13f0690141eae28eb
Opcode Fuzzy Hash: f1ec5e98b3a26af9f77a6649fdc55a4342af8f1f3c6a3416cc2b70674ae6047b
Instruction Fuzzy Hash: 7E315E71A00209AFDB10DF54C985EAA7BF8EF48308F1480A9E949DF252D775ED46CB61

Function 010541EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0105424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 01054264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 01054271

Strings

msctls_trackbar32, xrefs: 01054226

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 7ae7705aeb16db7a903e6b66cb8ce6bdbb28850fc3a3e9dfb30adb743840aea6
Instruction ID: c88558bb840f3568a585a652880a106d19109d9b477f517bb18787fbf7f4f156
Opcode Fuzzy Hash: 7ae7705aeb16db7a903e6b66cb8ce6bdbb28850fc3a3e9dfb30adb743840aea6
Instruction Fuzzy Hash: 7511C631240348BEEF615E69CC46FEB3BACEF85B64F114514FE95E6090D271D8519B24

Function 01022F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FC6B57: _wcslen.LIBCMT ref: 00FC6B6A

Part of subcall function 01022DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 01022DC5
Part of subcall function 01022DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 01022DD6
Part of subcall function 01022DA7: GetCurrentThreadId.KERNEL32 ref: 01022DDD
Part of subcall function 01022DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 01022DE4

GetFocus.USER32 ref: 01022F78

Part of subcall function 01022DEE: GetParent.USER32(00000000), ref: 01022DF9

GetClassNameW.USER32(?,?,00000100), ref: 01022FC3
EnumChildWindows.USER32(?,0102303B), ref: 01022FEB

Strings

%s%d, xrefs: 01022FFF

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: 09d92d404c98d90540864b93d3f1c40ef5ef360e474cf10b07f70ca5fe1f88bd
Instruction ID: 7e4952978d914b6301455869c4a395c666c96c15059a7a269833931186906646
Opcode Fuzzy Hash: 09d92d404c98d90540864b93d3f1c40ef5ef360e474cf10b07f70ca5fe1f88bd
Instruction Fuzzy Hash: 3811D2716002166BDF50BFB48DD5EEE37AAAF98304F044079FD499B242DE3899098B70

Function 01055882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 010558C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 010558EE
DrawMenuBar.USER32(?), ref: 010558FD

Strings

0, xrefs: 0105588F

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: f9805f4cf8896764070cc4c4e4f083f8085c3467dd3d69ba513d29eb5c14b2cb
Instruction ID: 1dd77153000ad00130a6ac6b7b6de0376c3faaba2fb4673c87f4f1933ce12a6d
Opcode Fuzzy Hash: f9805f4cf8896764070cc4c4e4f083f8085c3467dd3d69ba513d29eb5c14b2cb
Instruction Fuzzy Hash: B2016131500218AFDB619F55DC44BAFBBB9FB45364F048099E889D6251DB348A84DF61

Function 0101D3A0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 0101D3BF
FreeLibrary.KERNEL32 ref: 0101D3E5

Strings

X64, xrefs: 0101D2A8
GetSystemWow64DirectoryW, xrefs: 0101D3B9

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 3013587201-2590602151
Opcode ID: d7ed90a4c88483248fbe65d84a97ea4b3c379c573aade55f8c2c05c19f54bede
Instruction ID: b6dfd4901c6b8ff6e9a1d4726e2b34e6ca786d8105251167d40b9e8a623aff27
Opcode Fuzzy Hash: d7ed90a4c88483248fbe65d84a97ea4b3c379c573aade55f8c2c05c19f54bede
Instruction Fuzzy Hash: 3AF05C7200531197E7B452548C9C9AE3718BF12715F44C18AE0D3F104DCB3CC540C785

Function 0102007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8ea02057f1d6a30876e026698e005257b356104e48ac8180fce1b5fb07204a8
Instruction ID: 0be4515f94894a95ba8bd3b87cb365e250b41f67b7cd48a451182c11181d5197
Opcode Fuzzy Hash: d8ea02057f1d6a30876e026698e005257b356104e48ac8180fce1b5fb07204a8
Instruction Fuzzy Hash: E3C15B75A0021AEFDB14CFA8C884AAEBBB9FF48704F208599F545EB255D731ED41CB90

Function 00FF3E80 Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00FF3F0B
__alldvrm.LIBCMT ref: 00FF410C
__alldvrm.LIBCMT ref: 00FF412E

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction ID: 2b7027e846b0f6f2f0bc2e31333edb290ec2d9565d66f1d30de4da68da649eef
Opcode Fuzzy Hash: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction Fuzzy Hash: A8A15972D0038A9FEB26DF18C8917BFBBE4EF61360F14416DE6859B2A1C638A941D750

Function 0104342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 01043459
CoUninitialize.OLE32 ref: 01043463
VariantInit.OLEAUT32(?), ref: 0104346E
VariantClear.OLEAUT32(?), ref: 0104371B

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: a2cfc0b9437dc35485a4fb7fd11c44ef9c77a577c1256525d5b6846c31e76420
Instruction ID: 368889bcebccb9c232afd57efd910653a6b9d96022c1082003f9aa9ae1d6716a
Opcode Fuzzy Hash: a2cfc0b9437dc35485a4fb7fd11c44ef9c77a577c1256525d5b6846c31e76420
Instruction Fuzzy Hash: D7A137752043119FD710EF28C985A2ABBE5FF88314F08885DF98A9B361DB35ED01DB91

Function 01020436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,0105FC08,?), ref: 010205F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,0105FC08,?), ref: 01020608
CLSIDFromProgID.OLE32(?,?,00000000,0105CC40,000000FF,?,00000000,00000800,00000000,?,0105FC08,?), ref: 0102062D
_memcmp.LIBVCRUNTIME ref: 0102064E

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 497965705cadaef097f8ae0f0781ec86a54b8c01d7717c07b43586492d41f4d3
Instruction ID: ced5567843407ee112d180f357f685bed23cf182342c689d18a3009ad9bc2e97
Opcode Fuzzy Hash: 497965705cadaef097f8ae0f0781ec86a54b8c01d7717c07b43586492d41f4d3
Instruction Fuzzy Hash: 25815071A00219EFCB04DF94C988EEEB7B9FF89315F204598F546AB254DB71AE05CB60

Function 01001391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 010014C0

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 16f4e7bbcc624e7e38a175060307fa565d2244ab36bf163ae5a356292f90efd2
Instruction ID: 6a91ccc7e237350db23c32672a40b31e5b8034d3b18d9b90e40751d17e4e44a4
Opcode Fuzzy Hash: 16f4e7bbcc624e7e38a175060307fa565d2244ab36bf163ae5a356292f90efd2
Instruction Fuzzy Hash: F0414631A00205ABFB23AABD8C45BBE3AE4EF41330F154265F658971E2EF79C4416262

Function 01056278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 010562E2
ScreenToClient.USER32(?,?), ref: 01056315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 01056382

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: f3eeabe7fce9bb70d79d3acbab7432df873b0add823de7b7d481e6a8e0d3f658
Instruction ID: 5fc9d20a75f183dc8af542d1b241d03fc14bea7e21bf80b713219b8c9ce26f9f
Opcode Fuzzy Hash: f3eeabe7fce9bb70d79d3acbab7432df873b0add823de7b7d481e6a8e0d3f658
Instruction Fuzzy Hash: D5515C70A00209EFDFA1CF58D980AAF7BF5FB45360F508199F9959B292D732E981CB50

Function 01041AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 01041AFD
WSAGetLastError.WSOCK32 ref: 01041B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 01041B8A
WSAGetLastError.WSOCK32 ref: 01041B94

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 523e3bbc49d36204cfa832cf857e87874d2089ae518867c0d81bf65e184ab8c4
Instruction ID: e4cb7a9ca8c49f5e35b1a517a4c62c4f1450491dddf1b88055fcf5c0fbba57a5
Opcode Fuzzy Hash: 523e3bbc49d36204cfa832cf857e87874d2089ae518867c0d81bf65e184ab8c4
Instruction Fuzzy Hash: AF41B2746003016FE720AF24C986F2A7BE5AB44718F54849CFA5A9F3C2D676ED818B90

Function 00FFB41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fce14e6c8cafb1f75b4031ec118ba4a736ec5ed3e97d914e410b5da28e9559c
Instruction ID: 64117a5a64c19083e338ed2d629bb6943907866e0835a3db4990418b31168776
Opcode Fuzzy Hash: 3fce14e6c8cafb1f75b4031ec118ba4a736ec5ed3e97d914e410b5da28e9559c
Instruction Fuzzy Hash: 96410B76900748AFD724DF38CC41BBA7BA9EF84720F10452AF251DB691D77599019B90

Function 010356D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 01035783
GetLastError.KERNEL32(?,00000000), ref: 010357A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 010357CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 010357FA

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 1b484912ae6a401dde589ccb686ef490d13793cfd00427af1a97614fea848075
Instruction ID: fe1c1b41a3ff22f704ceade936c011008234925befbc3e0839f21a69175582d1
Opcode Fuzzy Hash: 1b484912ae6a401dde589ccb686ef490d13793cfd00427af1a97614fea848075
Instruction Fuzzy Hash: 7B414F39600611DFCB11EF15C945A5EBBE5EF89320B188888E84A6B366CB35FD01DF91

Function 00FFD8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,00FE6D71,00000000,00000000,00FE82D9,?,00FE82D9,?,00000001,00FE6D71,8BE85006,00000001,00FE82D9,00FE82D9), ref: 00FFD910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00FFD999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00FFD9AB
__freea.LIBCMT ref: 00FFD9B4

Part of subcall function 00FF3820: RtlAllocateHeap.NTDLL(00000000,?,01091444,?,00FDFDF5,?,?,00FCA976,00000010,01091440,00FC13FC,?,00FC13C6,?,00FC1129), ref: 00FF3852

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 7c62f54f5a8de592c0e94589bbf6ffb18401886169a6a0a57e3b2dc770f66687
Instruction ID: 95f72d93f5b0d77c6d0ba962940be430b4958368d00eb7fc78f532c981e887db
Opcode Fuzzy Hash: 7c62f54f5a8de592c0e94589bbf6ffb18401886169a6a0a57e3b2dc770f66687
Instruction Fuzzy Hash: E631CE72A0020EABDB259FA5DC45EBE7BA6EF41760F050168FD04D6160EB79CD50EBA0

Function 0102AA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 0102AAAC
SetKeyboardState.USER32(00000080), ref: 0102AAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 0102AB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 0102AB88

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 7c9c10074833e02d3242985475d368452044fda7086bd36f84ff0dde66d71398
Instruction ID: a0225fc4290b8eca5e7a3b2a1e1b556d79d9620eb2e80f081cd7ed1188fb4fe6
Opcode Fuzzy Hash: 7c9c10074833e02d3242985475d368452044fda7086bd36f84ff0dde66d71398
Instruction Fuzzy Hash: EE312A30B40328EEFF368A68C808BFE7BEAAF44310F04469AE5C5579D2DB758585C761

Function 010552C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 01055352
GetWindowLongW.USER32(?,000000F0), ref: 01055375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 01055382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 010553A8

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: 25df0896bd9a1899cc8938fd4415a52a2aed18be82e6fe8c311760f3de133bb2
Instruction ID: 75d9220f64e9d5312b9a40fc3f2db3631ab8a75c69c2fff6ea8951b67a38564c
Opcode Fuzzy Hash: 25df0896bd9a1899cc8938fd4415a52a2aed18be82e6fe8c311760f3de133bb2
Instruction Fuzzy Hash: 4731C434A55208EFFBF48E58CC05BEA3BA5AB04350F48C151FED9961D2C7B5AA80DB52

Function 01057674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0105769A
GetWindowRect.USER32(?,?), ref: 01057710
PtInRect.USER32(?,?,01058B89), ref: 01057720
MessageBeep.USER32(00000000), ref: 0105778C

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: f09d56f59c9ff5a3f38d71bd459fbc3da64c5a7386018102f806a79267300f0e
Instruction ID: 92597dc3a88f82dcd8e082462c71cd736eab5585e7cafac1fc1f805499611316
Opcode Fuzzy Hash: f09d56f59c9ff5a3f38d71bd459fbc3da64c5a7386018102f806a79267300f0e
Instruction Fuzzy Hash: 9B41BF34601209EFDB92CF58E498EAA7BF4FF49314F4440E8E9949B255C331E941DF90

Function 010516DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 010516EB

Part of subcall function 01023A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 01023A57
Part of subcall function 01023A3D: GetCurrentThreadId.KERNEL32 ref: 01023A5E
Part of subcall function 01023A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,010225B3), ref: 01023A65

GetCaretPos.USER32(?), ref: 010516FF
ClientToScreen.USER32(00000000,?), ref: 0105174C
GetForegroundWindow.USER32 ref: 01051752

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: e8b09edd048a90120d70e915cd38147c59c728113f29a21cbe6bc7cc7bc87b01
Instruction ID: 74d5596b3c1afd704519a167e9108fd4e795d8607ad56c0d76387b92443108b9
Opcode Fuzzy Hash: e8b09edd048a90120d70e915cd38147c59c728113f29a21cbe6bc7cc7bc87b01
Instruction Fuzzy Hash: C7313D75D00249AFDB00EFA9C981DAEBBFDFF48204B5080AEE455E7201DB359E45CBA0

Function 0102DF95 Relevance: 6.1, APIs: 4, Instructions: 87COMMON

Download Yara Rule

APIs

Part of subcall function 00FC7620: _wcslen.LIBCMT ref: 00FC7625

_wcslen.LIBCMT ref: 0102DFCB
_wcslen.LIBCMT ref: 0102DFE2
_wcslen.LIBCMT ref: 0102E00D
GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 0102E018

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: _wcslen$ExtentPoint32Text
String ID:
API String ID: 3763101759-0
Opcode ID: 087b3c68ec53e03c6107818ebb100fea3c680d356171d43035c45f5f763bcc95
Instruction ID: 95201a1699ac5e59035073880438aead9c692ea35cef33e9dd9c81587580b677
Opcode Fuzzy Hash: 087b3c68ec53e03c6107818ebb100fea3c680d356171d43035c45f5f763bcc95
Instruction Fuzzy Hash: 3C21D371900224AFCB219FA8DD81BAEB7F8EF45710F1440A9F944BB246D6789E418BA1

Function 0102D4DC Relevance: 6.1, APIs: 4, Instructions: 86processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0102D501
Process32FirstW.KERNEL32(00000000,?), ref: 0102D50F
Process32NextW.KERNEL32(00000000,?), ref: 0102D52F
CloseHandle.KERNEL32(00000000), ref: 0102D5DC

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 87785cd84a07750652cd7b855da0f3c8726dd876c64c514e965dd427adf097ca
Instruction ID: 4ac19863c4035e404f2df8e501405690e7404e1df3513f453d907ed129bda6dd
Opcode Fuzzy Hash: 87785cd84a07750652cd7b855da0f3c8726dd876c64c514e965dd427adf097ca
Instruction Fuzzy Hash: B5319E710083019FD311EF54C986EAFBBE8EF99344F54092DF581821A1EBB5A948CBA2

Function 01058FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FD9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00FD9BB2

GetCursorPos.USER32(?), ref: 01059001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,01017711,?,?,?,?,?), ref: 01059016
GetCursorPos.USER32(?), ref: 0105905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,01017711,?,?,?), ref: 01059094

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 165e5bd2c6c2dfdc839487b4c4f87bfb2c87773b7afd48686e2383070e96c7cd
Instruction ID: 9cb118b69f2858dfe64353258ea2cbfc61af8ae51feef5f4e46cb83b6f38884d
Opcode Fuzzy Hash: 165e5bd2c6c2dfdc839487b4c4f87bfb2c87773b7afd48686e2383070e96c7cd
Instruction Fuzzy Hash: 51219135600118FFEB658F98C858EEB7BF9FB49364F044495FA8547251C3369990EB60

Function 0102D2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,0105CB68), ref: 0102D2FB
GetLastError.KERNEL32 ref: 0102D30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 0102D319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0105CB68), ref: 0102D376

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: c047456eb4460d8440e0a095579aed3bd29f15526f4fecf3062275dbbf764add
Instruction ID: 1344b874547442a1576d1a4ef7a4fc1fd9ad3a15001eb148874b79e7d709b27e
Opcode Fuzzy Hash: c047456eb4460d8440e0a095579aed3bd29f15526f4fecf3062275dbbf764add
Instruction Fuzzy Hash: 3221D1705083129F9310DF68C9858AF7BE8EE56364F108A5DF4D9C7291D731DD49CB92

Function 01021571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 01021014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0102102A
Part of subcall function 01021014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 01021036
Part of subcall function 01021014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 01021045
Part of subcall function 01021014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0102104C
Part of subcall function 01021014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 01021062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 010215BE
_memcmp.LIBVCRUNTIME ref: 010215E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 01021617
HeapFree.KERNEL32(00000000), ref: 0102161E

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: c1cb4f38e629f7c7f297ea23309b30e65607bdb136d445d24408a1464e6fc85f
Instruction ID: 4aaed2ca57ea1de82ab5bc9df9d8903ce51dbf1e67dfd44da2d91b179c47b79e
Opcode Fuzzy Hash: c1cb4f38e629f7c7f297ea23309b30e65607bdb136d445d24408a1464e6fc85f
Instruction Fuzzy Hash: 27219031E00219EFDF10CFA8C948BEEBBF8EF44354F184499E585A7240D735AA05CB50

Function 01052782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 0105280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 01052824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 01052832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 01052840

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: d075b4d61a0012dcc0d4b8d7141a7573d085e16f16092c1ee393b11436418eb3
Instruction ID: 969c488644234ff1612b2d200b38514a0113b624c96965310aeeb23e8eb14cff
Opcode Fuzzy Hash: d075b4d61a0012dcc0d4b8d7141a7573d085e16f16092c1ee393b11436418eb3
Instruction Fuzzy Hash: D321F135205211EFE754DB24C845FAB7B99EF45328F148158F8A68B6D2C776EC82C7D0

Function 0103CE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 0103CE89
GetLastError.KERNEL32(?,00000000), ref: 0103CEEA
SetEvent.KERNEL32(?,?,00000000), ref: 0103CEFE

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: bdd58702b5b516df6bf66be87b0dd4ee23bd6a40b143a8bac5a7e6810c677641
Instruction ID: 44b7f7579f2d4e06348de63256a94043e59647406c2f26f0fb0a2c3fe8bfac48
Opcode Fuzzy Hash: bdd58702b5b516df6bf66be87b0dd4ee23bd6a40b143a8bac5a7e6810c677641
Instruction Fuzzy Hash: 6721BD715003059FF730DF69CA48BABBBFCEB80354F10445EE686E2142E775EA048B60

Function 010278F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 01028D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,0102790A,?,000000FF,?,01028754,00000000,?,0000001C,?,?), ref: 01028D8C
Part of subcall function 01028D7D: lstrcpyW.KERNEL32(00000000,?), ref: 01028DB2
Part of subcall function 01028D7D: lstrcmpiW.KERNEL32(00000000,?,0102790A,?,000000FF,?,01028754,00000000,?,0000001C,?,?), ref: 01028DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,01028754,00000000,?,0000001C,?,?,00000000), ref: 01027923
lstrcpyW.KERNEL32(00000000,?), ref: 01027949
lstrcmpiW.KERNEL32(00000002,cdecl,?,01028754,00000000,?,0000001C,?,?,00000000), ref: 01027984

Strings

cdecl, xrefs: 0102797B

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: d8729430ea854891552c3236cd56787a13853f106cc3852cd0d5c75d69bf7120
Instruction ID: 9f66daf7eea92931e9821e607a35c2677ff5576a14c3dc461593b09c14d85b08
Opcode Fuzzy Hash: d8729430ea854891552c3236cd56787a13853f106cc3852cd0d5c75d69bf7120
Instruction Fuzzy Hash: 4C11293A300312ABDB256F38C844D7B77E9FF55350B00402AF986CB364EB329801C751

Function 01057CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 01057D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 01057D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 01057D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0103B7AD,00000000), ref: 01057D6B

Part of subcall function 00FD9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00FD9BB2

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: 6aa202f2e4f395b91c94108beebf1694692ab58a051640b7a280bc0d67b50cea
Instruction ID: 15fb8d309dce822ab707f8654a5ec2c256ccb40bfd056269c540bc355ccd2e8a
Opcode Fuzzy Hash: 6aa202f2e4f395b91c94108beebf1694692ab58a051640b7a280bc0d67b50cea
Instruction Fuzzy Hash: 3B11F032200615AFDBA09F2CCC04A6B3BA9FB45370B514324FDB5C72E0D7328950EB60

Function 01055660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 010556BB
_wcslen.LIBCMT ref: 010556CD
_wcslen.LIBCMT ref: 010556D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 01055816

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: 1bd50cc5b6b2fc972b0336d0cf3676c078ababbcfc0c3386a102632e1a637890
Instruction ID: 1951424a5522d1f7367a65529bb7afd98e7c3932238886d7b7cf6391b552d276
Opcode Fuzzy Hash: 1bd50cc5b6b2fc972b0336d0cf3676c078ababbcfc0c3386a102632e1a637890
Instruction Fuzzy Hash: 7B11B17160020996EFA09FA5DC85AEF7BBCFF05764B00406AFE95D6081EB749640CFB0

Function 00FF1D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b577ea4a5336fe58e94fb5bbe37f0b19b4488d1be7559db51e842f0172434dd
Instruction ID: 937ae52759bccefeb728a6163fed1d97d0d43bd02996e3abe81b1c76373d7e84
Opcode Fuzzy Hash: 9b577ea4a5336fe58e94fb5bbe37f0b19b4488d1be7559db51e842f0172434dd
Instruction Fuzzy Hash: A801ADB260A61EBEF72125786CC0F3B762DEF423B8B340329F721A11E5DB658C007264

Function 01021A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 01021A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 01021A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 01021A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 01021A8A

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 4189b309e5a76ac91201e5b46e8f98ace0ddba22304051c9ed3839c94d0bd66c
Instruction ID: ff4a8a493b0f23d017302b36c77e9dbaffa0023c145c5dd4c44da214b08c8f70
Opcode Fuzzy Hash: 4189b309e5a76ac91201e5b46e8f98ace0ddba22304051c9ed3839c94d0bd66c
Instruction Fuzzy Hash: F9110C3AD00229FFEB11DBA5C985FADFBB8FB08750F200091E644B7290D6716E51DB94

Function 0102E1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0102E1FD
MessageBoxW.USER32(?,?,?,?), ref: 0102E230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0102E246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0102E24D

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: f9ea8a2516c003674340cc0f445045619a2605dd3e8e5cca68ab7f656b50fb85
Instruction ID: 19767be8447e59052059ec416c8d4a70fa739453ac8cb91361acf3b851964a2e
Opcode Fuzzy Hash: f9ea8a2516c003674340cc0f445045619a2605dd3e8e5cca68ab7f656b50fb85
Instruction Fuzzy Hash: 0D110C71A04359BFD7119FA8DD09A9F7FACEB46220F008255F955E3284D2B589048760

Function 00FED1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,00FECFF9,00000000,00000004,00000000), ref: 00FED218
GetLastError.KERNEL32 ref: 00FED224
__dosmaperr.LIBCMT ref: 00FED22B
ResumeThread.KERNEL32(00000000), ref: 00FED249

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: a0a906d888b03a6a9feae11351f587239bd0c1452d511eb86f41f039444e9b57
Instruction ID: 81b0b14119ce1ade1e71acfa9d3b4be365ea80f3cc04aadcae8f3cc528956beb
Opcode Fuzzy Hash: a0a906d888b03a6a9feae11351f587239bd0c1452d511eb86f41f039444e9b57
Instruction Fuzzy Hash: 2201F936805288BBD7215BA7DC05BAF7B6DDF81730F104259FA25925D0DF75C901E7A0

Function 00FC600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00FC604C
GetStockObject.GDI32(00000011), ref: 00FC6060
SendMessageW.USER32(00000000,00000030,00000000), ref: 00FC606A

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: d3b6800dd71f4fb2895a796615c03272c5c64b961f93071839f1ddc207d10459
Instruction ID: 72f97511b8928669d90ae0f5f50cb3a71bde366d758f9ceb99b4658fb9ad0cdc
Opcode Fuzzy Hash: d3b6800dd71f4fb2895a796615c03272c5c64b961f93071839f1ddc207d10459
Instruction Fuzzy Hash: C3118E7250560ABFEF224F948D45FEA7B6DFF08364F000115FA04A2000C7369C60ABA0

Function 00FE3B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00FE3B56

Part of subcall function 00FE3AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00FE3AD2
Part of subcall function 00FE3AA3: ___AdjustPointer.LIBCMT ref: 00FE3AED

_UnwindNestedFrames.LIBCMT ref: 00FE3B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00FE3B7C
CallCatchBlock.LIBVCRUNTIME ref: 00FE3BA4

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: 825e645a79ac3ece8169eb8bd2b9bb841a3d90a7b004d782c84c51b6eb440ce7
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: 54014032500189BBDF125E96CC4ADEB3F6DFF88754F044058FE4896121C736E961EBA0

Function 00FF3073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00FC13C6,00000000,00000000,?,00FF301A,00FC13C6,00000000,00000000,00000000,?,00FF328B,00000006,FlsSetValue), ref: 00FF30A5
GetLastError.KERNEL32(?,00FF301A,00FC13C6,00000000,00000000,00000000,?,00FF328B,00000006,FlsSetValue,01062290,FlsSetValue,00000000,00000364,?,00FF2E46), ref: 00FF30B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00FF301A,00FC13C6,00000000,00000000,00000000,?,00FF328B,00000006,FlsSetValue,01062290,FlsSetValue,00000000), ref: 00FF30BF

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 490e0acce2951e960d81eca62ebae9fc92611ae47bde9cd0752e64fe68f818ed
Instruction ID: ee839804e09a3a17c0992c15271db26ffd4542258e3810f8f482ae826047071b
Opcode Fuzzy Hash: 490e0acce2951e960d81eca62ebae9fc92611ae47bde9cd0752e64fe68f818ed
Instruction Fuzzy Hash: A001473270132AABDB304A789C44E777B9CEF05BB4B100621FA45E3254DF26DA01D7E0

Function 01027464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 0102747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 01027497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 010274AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 010274CA

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: d9a39f48b92bd5da6b08e0daf04a04bd3f6bcdabd479b32c4a02181bf0e42304
Instruction ID: 7556b7f3a5663cf406e144fc6d14467fa2bdd21451dc824e94253858fc94a8b4
Opcode Fuzzy Hash: d9a39f48b92bd5da6b08e0daf04a04bd3f6bcdabd479b32c4a02181bf0e42304
Instruction Fuzzy Hash: FE118BB5201320ABF7308F14DD08FA67FFCEB00B04F008569E696D6181DBB5E904CBA1

Function 0102B0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0102ACD3,?,00008000), ref: 0102B0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0102ACD3,?,00008000), ref: 0102B0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0102ACD3,?,00008000), ref: 0102B0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0102ACD3,?,00008000), ref: 0102B126

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 41b710229045498fe8d2c086e41581933501d69b05225a73cf4e7345f68cae6c
Instruction ID: fb33b0d7d1e937f922553ee362e5017bfaad3eb9243538435023be46324feaee
Opcode Fuzzy Hash: 41b710229045498fe8d2c086e41581933501d69b05225a73cf4e7345f68cae6c
Instruction Fuzzy Hash: 58113931C01629E7DF11AFE4E9986EEBFB8FF0A711F504086E981B2285CB3996508B55

Function 01057E14 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 01057E33
ScreenToClient.USER32(?,?), ref: 01057E4B
ScreenToClient.USER32(?,?), ref: 01057E6F
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 01057E8A

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 4066c0b740e7ae955e46f5a6b9751c24b9ca1fe3610084a0b223e03a3f8fe276
Instruction ID: e568d8caa0eba89b78b4cf4b64daced9c4eae3c38b3658fac0352487cdefa7a7
Opcode Fuzzy Hash: 4066c0b740e7ae955e46f5a6b9751c24b9ca1fe3610084a0b223e03a3f8fe276
Instruction Fuzzy Hash: 7F1142B9D0020AAFDB51CF98C584AEEBBF9FF08310F509066E955E3214D735AA54DF90

Function 01022DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 01022DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 01022DD6
GetCurrentThreadId.KERNEL32 ref: 01022DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 01022DE4

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 260dfbdfd573fb5f368c6ec1a7b8305734f0ba2320755eca3cc79f3630907840
Instruction ID: 0e7c5c3577205f400a5fbc757875344ff7bb0714b850363c8c621912150291eb
Opcode Fuzzy Hash: 260dfbdfd573fb5f368c6ec1a7b8305734f0ba2320755eca3cc79f3630907840
Instruction Fuzzy Hash: 39E092721013347BE7302AB69D0DFEB3EACEF47BA1F000015F245D50809AAAD540C7B0

Function 01058863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00FD9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00FD9693
Part of subcall function 00FD9639: SelectObject.GDI32(?,00000000), ref: 00FD96A2
Part of subcall function 00FD9639: BeginPath.GDI32(?), ref: 00FD96B9
Part of subcall function 00FD9639: SelectObject.GDI32(?,00000000), ref: 00FD96E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 01058887
LineTo.GDI32(?,?,?), ref: 01058894
EndPath.GDI32(?), ref: 010588A4
StrokePath.GDI32(?), ref: 010588B2

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: e9694a11348cabed0155245296ab43b4f821a0eac7eab300386823e10652c3c5
Instruction ID: f572d8dd77a1b462a595137e8a792507b533477bfaec4c1637ede9a3f07d33ab
Opcode Fuzzy Hash: e9694a11348cabed0155245296ab43b4f821a0eac7eab300386823e10652c3c5
Instruction Fuzzy Hash: C2F09A36001319BAEB222E94AD09FCB3F5DAF06320F048001FE91610C5C3BA5110CBA9

Function 00FD98B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00FD98CC
SetTextColor.GDI32(?,?), ref: 00FD98D6
SetBkMode.GDI32(?,00000001), ref: 00FD98E9
GetStockObject.GDI32(00000005), ref: 00FD98F1

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 72b96a4842e01d3b19c37d29bd6070caca7da94282854eeefea9bdeeba8c96cb
Instruction ID: d49cabd6abcf88491c97ae853327cc0aa9056cf820c501841a6239c1f1409b0b
Opcode Fuzzy Hash: 72b96a4842e01d3b19c37d29bd6070caca7da94282854eeefea9bdeeba8c96cb
Instruction Fuzzy Hash: C1E06531244380AAEB315B78A909BD93F55AB02335F088219F7F9540D5C7764240DB11

Function 0102162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 01021634
OpenThreadToken.ADVAPI32(00000000,?,?,?,010211D9), ref: 0102163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,010211D9), ref: 01021648
OpenProcessToken.ADVAPI32(00000000,?,?,?,010211D9), ref: 0102164F

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 1e51ec227962b63eedc36be0268cf6ce6774e20619723c89ba9527f75ac8142b
Instruction ID: 3156863338a1c52399aef8c244be26271891a64f410ee9b7c87bba6b37bfb90e
Opcode Fuzzy Hash: 1e51ec227962b63eedc36be0268cf6ce6774e20619723c89ba9527f75ac8142b
Instruction Fuzzy Hash: D7E08671602321ABE7701FA49F0DB4B3BBDEF45B91F144848F2C5C9084D6394040C750

Function 0101D858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0101D858
GetDC.USER32(00000000), ref: 0101D862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0101D882
ReleaseDC.USER32(?), ref: 0101D8A3

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 9c4535fa121db15e342185bbb6d2ccb7a22d4e23201f1ebc0cf08d07dfcdd019
Instruction ID: 15bc655d60e8b96ee5da7f22c36bab3f2bacd7c387c8efb1b5a28d87e672d415
Opcode Fuzzy Hash: 9c4535fa121db15e342185bbb6d2ccb7a22d4e23201f1ebc0cf08d07dfcdd019
Instruction Fuzzy Hash: 2EE075B5800305DFDB519FA0960CA6EBBBAEB48711B149459E88AE7248C73D5A41EF60

Function 0101D86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0101D86C
GetDC.USER32(00000000), ref: 0101D876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0101D882
ReleaseDC.USER32(?), ref: 0101D8A3

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: b0555acbffb9704454f755d726630b6d7756ac5a0f549585164f7bed5d4d652a
Instruction ID: 51bd1eaeaf72a3cddfd219a381250ad2eaa6c50df360bc5e162ab0302453b3ca
Opcode Fuzzy Hash: b0555acbffb9704454f755d726630b6d7756ac5a0f549585164f7bed5d4d652a
Instruction Fuzzy Hash: 4DE09A75800305DFDF619FA0D60C66EBBB9FB48711B149449F98AE7244C73D6A01EF60

Function 01034D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00FC7620: _wcslen.LIBCMT ref: 00FC7625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 01034ED4

Strings

LPT, xrefs: 01034DFB
*, xrefs: 01034E10

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: 57ae428b2a68c0f6e25a1630b53183563887973bc0a155a006cd9ac0b8c2217c
Instruction ID: 9e4a14efe0b6cd8b61fa12fe0e552a471dc1c933236c38d8aaa83225324a7678
Opcode Fuzzy Hash: 57ae428b2a68c0f6e25a1630b53183563887973bc0a155a006cd9ac0b8c2217c
Instruction Fuzzy Hash: 04918075A042049FDB54DF58C985EAABBF5AF84304F1880DDE84A9F362C735EE85CB90

Function 00FEE27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00FEE30D

Strings

pow, xrefs: 00FEE2E5, 00FEE302

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 47724aa1c1fdffc776c215996fe294be900f83be8ca12d6087e66c47f299c9dc
Instruction ID: 1ddb1af5322fb23a6bce1e37a10ecda1969eb4e980617507546ed0e4466336db
Opcode Fuzzy Hash: 47724aa1c1fdffc776c215996fe294be900f83be8ca12d6087e66c47f299c9dc
Instruction Fuzzy Hash: 8C517B71E0C34A96CB217B15DD013BEBB94AF40760F304969E1D5822FDEB398C95BB46

Function 00FDE187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 00FDE1B1

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: f45562dfcf8fe15be206995c4b3c7fc23444ddbfef288f1c49212406896ba117
Instruction ID: 60e231c61417d205b777ea0a363f523e4493360f597326640877587207e16bf3
Opcode Fuzzy Hash: f45562dfcf8fe15be206995c4b3c7fc23444ddbfef288f1c49212406896ba117
Instruction Fuzzy Hash: 3A514735900246DFEB16EF28C881AFE7BE5FF55320F28405AEC919B2C4D6389D42D750

Function 00FDF291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00FDF2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 00FDF2BB

Strings

@, xrefs: 00FDF2AF

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 8e47e6b51d5272b6399c29aad1a824b49db464f11ae452f7d52c774c214f65f2
Instruction ID: 84d1cf6604af647f4f7511df386aab529ccf9db8e751df33870c4c7772703f95
Opcode Fuzzy Hash: 8e47e6b51d5272b6399c29aad1a824b49db464f11ae452f7d52c774c214f65f2
Instruction Fuzzy Hash: 705145719087459BD320AF10DD86BAFBBFCFB84300F81885DF1D942195EB758529CBA6

Function 01045745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 010457E0
_wcslen.LIBCMT ref: 010457EC

Strings

CALLARGARRAY, xrefs: 010457E6, 010457EB

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: c688cec6426239c4248df58cc2f1bef6e2f725716be1ddd91bc49ee7df3a5aac
Instruction ID: 7e90b540e21a4f9c8b9b890081438c9dec5d17a151cb1233e7c4bd126e19839e
Opcode Fuzzy Hash: c688cec6426239c4248df58cc2f1bef6e2f725716be1ddd91bc49ee7df3a5aac
Instruction Fuzzy Hash: ED41C171E002099FDB04EFA8CC81DAEBBF5FF59320F24406DE545A7292EB349981CB90

Function 0103D0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0103D130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 0103D13A

Strings

|, xrefs: 0103D10B

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: a7eae823f96ab16de34f172c191b1b04c70f78d5b38685c683d60c66ecfd3043
Instruction ID: a225bb67ae1237cbd97527c5bc1f32956697b400263118e58025ac8b06743ea7
Opcode Fuzzy Hash: a7eae823f96ab16de34f172c191b1b04c70f78d5b38685c683d60c66ecfd3043
Instruction Fuzzy Hash: BB315B71D0020AABDF15EFA5CD85EEEBFB9FF04300F000059F815A6162E735AA16DB64

Function 0105356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 01053621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 0105365C

Strings

static, xrefs: 010535BC

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 14f9e1efa19be0d4e6c4e5d4472e960a6a50a775869728e6f5e4e19524a78dcd
Instruction ID: 4adc91bc32dfacbfd1d744c85ef9336eaa3f5003585661819fc8093083b74245
Opcode Fuzzy Hash: 14f9e1efa19be0d4e6c4e5d4472e960a6a50a775869728e6f5e4e19524a78dcd
Instruction Fuzzy Hash: AC319C71100204AEEB609F28DC80FFB73A9FF88764F00961DFDA5DB280DA35A881D760

Function 01054537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 0105461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 01054634

Strings

', xrefs: 0105458E

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 123cfb7bb9f4d5ffd276a281955c4793b2fafb7e8ea73a703c51868e2192af7a
Instruction ID: 56bd8f6c4b85106946d9d294c8196892faa71d758ea697d5f884e1aa182eabea
Opcode Fuzzy Hash: 123cfb7bb9f4d5ffd276a281955c4793b2fafb7e8ea73a703c51868e2192af7a
Instruction Fuzzy Hash: C3311774A0120AAFDB54CF69C990BDA7BB5FB49304F104069EE44EB342E771A981CF90

Function 010531EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0105327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 01053287

Strings

Combobox, xrefs: 01053249

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 9fa5a79bd3268555ed6eb49c26403ff8b633f4eb113b458f56930169d09b8fc4
Instruction ID: e0b075fbc0b67f98ddd3a3e392f306492e28c87e6aa9065ee36007dcbca4a28f
Opcode Fuzzy Hash: 9fa5a79bd3268555ed6eb49c26403ff8b633f4eb113b458f56930169d09b8fc4
Instruction Fuzzy Hash: F011D3713046096FFFA29E58DC80EBB379AFB483E4F104128F9949B291D6359C51C760

Function 01053710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00FC600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00FC604C
Part of subcall function 00FC600E: GetStockObject.GDI32(00000011), ref: 00FC6060
Part of subcall function 00FC600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00FC606A

GetWindowRect.USER32(00000000,?), ref: 0105377A
GetSysColor.USER32(00000012), ref: 01053794

Strings

static, xrefs: 01053757

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 844d6ad5b1c8cbf3f848e72dd41343fac47ecd3acf73530b3d1d9fbad84ddd63
Instruction ID: 9d6903e199f3e38eeae655cb1b7349c318d13b587e466e990d81ac697b2079f8
Opcode Fuzzy Hash: 844d6ad5b1c8cbf3f848e72dd41343fac47ecd3acf73530b3d1d9fbad84ddd63
Instruction Fuzzy Hash: 5C111472A1020AAFEB51DFA8CD45AEB7BF8FB08354F004919FD95E6240E735E8519B60

Function 0103CD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0103CD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 0103CDA6

Strings

<local>, xrefs: 0103CD66

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 877c53072525ebb01a1cc2c56e492c645359ecede46d5acbb51ebcb8fdced824
Instruction ID: 7d31d5bda6ea4cc715ac8b96465062ee388f3c8180b2d8e793d225095acce127
Opcode Fuzzy Hash: 877c53072525ebb01a1cc2c56e492c645359ecede46d5acbb51ebcb8fdced824
Instruction Fuzzy Hash: 821106752056357AE7746A6A8D4CEE7BEACEF826A4F00421BB189E3080D7749440C6F0

Function 01053429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 010534AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 010534BA

Strings

edit, xrefs: 0105348F

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: fe484f55ae5fd69bdccaf423cb6c30460fca1a813c9fd458d6aa4617c8e7ec49
Instruction ID: d000aacf263fb67dea5b2c890bbdc0862d54ed6ff5792826728276958d8abeb4
Opcode Fuzzy Hash: fe484f55ae5fd69bdccaf423cb6c30460fca1a813c9fd458d6aa4617c8e7ec49
Instruction Fuzzy Hash: 2E116075100204ABEFA24E68DC44AAB3BAAFB053B4F504714FDA19B1D4CB75EC919B50

Function 01026C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00FC9CB3: _wcslen.LIBCMT ref: 00FC9CBD

CharUpperBuffW.USER32(?,?,?), ref: 01026CB6
_wcslen.LIBCMT ref: 01026CC2

Strings

STOP, xrefs: 01026CBC, 01026CC1

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: ea4f1e708ff5fa52a6ea553c3a78ab45ba8fcf6c736be6e73f35052baf5f1ee0
Instruction ID: 6cd907147fe7b0e6cd9d67e4565e7db9f5cf4a4a67284764b4a04f7d8a29709c
Opcode Fuzzy Hash: ea4f1e708ff5fa52a6ea553c3a78ab45ba8fcf6c736be6e73f35052baf5f1ee0
Instruction Fuzzy Hash: FE010032E0453B8BCB21BEBDCC819BF37E5EB51710B500568ECA293182EA37E540C650

Function 01021CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FC9CB3: _wcslen.LIBCMT ref: 00FC9CBD

Part of subcall function 01023CA7: GetClassNameW.USER32(?,?,000000FF), ref: 01023CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 01021D4C

Strings

ListBox, xrefs: 01021D16
ComboBox, xrefs: 01021CEB

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: f4cb2c35526f74d420271be935e411be3591bcb7a3e2cb7b59128b1145ff2c66
Instruction ID: 85538b4ba73f47aa759c7ef6d396e449cfba4d242c7ac5804e56ba3774070cf8
Opcode Fuzzy Hash: f4cb2c35526f74d420271be935e411be3591bcb7a3e2cb7b59128b1145ff2c66
Instruction Fuzzy Hash: F801243160423AABDB08FFA4CD15EFE77A8FB16350B00061DE8B25B2C0EA7458088760

Function 01021BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FC9CB3: _wcslen.LIBCMT ref: 00FC9CBD

Part of subcall function 01023CA7: GetClassNameW.USER32(?,?,000000FF), ref: 01023CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 01021C46

Strings

ListBox, xrefs: 01021C10
ComboBox, xrefs: 01021BE5

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 548d0a026023daebc0a96359b998934c5406b339d95409f8f1c326ea96ad939b
Instruction ID: 4a9427492305424466535668c068654922339b6e993bd600b93aa64a40eee678
Opcode Fuzzy Hash: 548d0a026023daebc0a96359b998934c5406b339d95409f8f1c326ea96ad939b
Instruction Fuzzy Hash: 2E01F77564412D76DB04FB90CE56EFF77E89B15340F60001DE596772C1EA74AA0C87B1

Function 01021C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FC9CB3: _wcslen.LIBCMT ref: 00FC9CBD

Part of subcall function 01023CA7: GetClassNameW.USER32(?,?,000000FF), ref: 01023CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 01021CC8

Strings

ListBox, xrefs: 01021C94
ComboBox, xrefs: 01021C69

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 7261e9d0aaf923fccc2e69a3751d78fa0b0873e1464d5cac7f0726eec7eae58c
Instruction ID: 6fda4b11eb6a781259c2bd7a93a52e8657367168d0510fafc3e3b1adef84eac1
Opcode Fuzzy Hash: 7261e9d0aaf923fccc2e69a3751d78fa0b0873e1464d5cac7f0726eec7eae58c
Instruction Fuzzy Hash: 9C01F77560412D66DB04FB95CF16EFF77E89B21340F200029E88167281EA749A0886B1

Function 01021D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FC9CB3: _wcslen.LIBCMT ref: 00FC9CBD

Part of subcall function 01023CA7: GetClassNameW.USER32(?,?,000000FF), ref: 01023CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 01021DD3

Strings

ListBox, xrefs: 01021DA0
ComboBox, xrefs: 01021D75

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 8877745b7404110bda3b5a2530d1c54b34712176ed01b0d0148163ed82347b35
Instruction ID: 1e82599e2a0345f3890bba8069ba4271c2284b8e903c815e28248f0b934d3531
Opcode Fuzzy Hash: 8877745b7404110bda3b5a2530d1c54b34712176ed01b0d0148163ed82347b35
Instruction Fuzzy Hash: 6FF0F471A4422AA6DB14FBA4CD56FFF77A8AB15340F440919F8A2672C1DAB459088660

Function 0104747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 01047493
_wcslen.LIBCMT ref: 010474B9

Strings

3, 3, 16, 1, xrefs: 01047483

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: dc23df5a3aa6533c9e9364ab113377e5e84a3b8e1905228795ad6af18806660a
Instruction ID: 5fa4a54618d0c90ddaa0a6c84d4af2a447515d26ad0afad629481e97e073c280
Opcode Fuzzy Hash: dc23df5a3aa6533c9e9364ab113377e5e84a3b8e1905228795ad6af18806660a
Instruction Fuzzy Hash: 9BE0E582201260119271227A9CC197F7AC9CFC9650710187EFAC1D226BEF98DD9193A1

Function 01020B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 01020B23

Strings

AutoIt, xrefs: 01020B17
Error allocating memory., xrefs: 01020B1C

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: f21da27a2e62af3b05931b254069e021c3171bb6c001ba24dd487ee9e086624d
Instruction ID: 132fd5660598f2e06f188c1892db140ad443d2bd37211c9d47ea4369ec2f04e1
Opcode Fuzzy Hash: f21da27a2e62af3b05931b254069e021c3171bb6c001ba24dd487ee9e086624d
Instruction Fuzzy Hash: 37E0D8322483183AE32436957D07F8A7F99CF05F50F10046FFBD4995C38ADA245056A9

Function 00FE0D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00FDF7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00FE0D71,?,?,?,00FC100A), ref: 00FDF7CE

IsDebuggerPresent.KERNEL32(?,?,?,00FC100A), ref: 00FE0D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00FC100A), ref: 00FE0D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00FE0D7F

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: 92f6a3014a5e69148d917280b7cad7180f90a0c1e9f653f24b9c9bb79a3b483c
Instruction ID: 854a77d4cbf756e132a794ce2e77fd408b379fa165dc1c8dfe8cc6a09df2b012
Opcode Fuzzy Hash: 92f6a3014a5e69148d917280b7cad7180f90a0c1e9f653f24b9c9bb79a3b483c
Instruction Fuzzy Hash: 82E06D702003428BE3709FB9D9047477BE4AB00B44F04892DE8C6C7649DFF9E484EBA1

Function 01033017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 0103302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 01033044

Strings

aut, xrefs: 01033038

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: db54db0deb40060f6351e5eef9913fe7100a0ec347ec2db07230211fffc2d911
Instruction ID: f800613fce6b01a7c2a6997e20b75fca0c1d7660673eda02de417f03809dfac5
Opcode Fuzzy Hash: db54db0deb40060f6351e5eef9913fe7100a0ec347ec2db07230211fffc2d911
Instruction Fuzzy Hash: 82D05E7250032867EF30A6A5AD4EFCB7A6CDB04690F0002A1B6D9D6085EAB59984CBD0

Function 0101D21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 0101D220

Strings

%.3d, xrefs: 0101D22B
X64, xrefs: 0101D2A8

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: 3595ebcdc7a68bba01fb36bd9c25862bcd1cd98fe8d409000044f89b3381712a
Instruction ID: fa9f08f8cc9e98da81bbfea1be00e0d5d7a2ccf45b4abf387c66e2ebdaa68063
Opcode Fuzzy Hash: 3595ebcdc7a68bba01fb36bd9c25862bcd1cd98fe8d409000044f89b3381712a
Instruction Fuzzy Hash: 6FD01271808219E9CB50A6D0CC4D9FEB37CEB69251F448453F996D2008D62CD5085761

Function 01052322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0105232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 0105233F

Part of subcall function 0102E97B: Sleep.KERNELBASE ref: 0102E9F3

Strings

Shell_TrayWnd, xrefs: 01052325

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: e7252efa286ee7a992fb172b99fd4603db8e4547baeb1f0b68ff0b6a74e9493e
Instruction ID: 81b893d32ef10140d9a8b9c75513a6d08fccadaa3d1d9d654dcaf9978acf7e27
Opcode Fuzzy Hash: e7252efa286ee7a992fb172b99fd4603db8e4547baeb1f0b68ff0b6a74e9493e
Instruction Fuzzy Hash: E8D0A932394310B6E374B270DD1EFC7BA08AB00B00F000906B2C5AA2C4C8B5A8008B50

Function 01052356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0105236C
PostMessageW.USER32(00000000), ref: 01052373

Part of subcall function 0102E97B: Sleep.KERNELBASE ref: 0102E9F3

Strings

Shell_TrayWnd, xrefs: 01052365

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 13ed44ae7ac615ec7ed33ef057d4c7432ad676d3ea83d9dde458e815c7431100
Instruction ID: cb789051877291da15be4da0751e92d6abb9d11aff9a773c79edf04c1cfa7cc3
Opcode Fuzzy Hash: 13ed44ae7ac615ec7ed33ef057d4c7432ad676d3ea83d9dde458e815c7431100
Instruction Fuzzy Hash: 9DD0A9323C03107AF374B270DD0EFC7B608AB04B00F000906B2C1AA2C4C8B5A8008B54

Function 00FFBDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 00FFBE93
GetLastError.KERNEL32 ref: 00FFBEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00FFBEFC

Memory Dump Source

Source File: 00000000.00000002.3258094059.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true

Associated: 00000000.00000002.3258074985.0000000000FC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.000000000105C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258168666.0000000001082000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258234876.000000000108C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3258258451.0000000001094000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fc0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 074daf692e9f5b5270e59c5a61d1b43ee77bb4cef407082c4b3ff00e54046dcf
Instruction ID: 3820e9930ccfaf98ed5b3abba6279468c2a5e13fd75a1f329e3a027032420541
Opcode Fuzzy Hash: 074daf692e9f5b5270e59c5a61d1b43ee77bb4cef407082c4b3ff00e54046dcf
Instruction Fuzzy Hash: 6A41E635A0424AAFDF218FA5CC44BBA7BA9EF41730F144169FA59971F1DB318D00EB60

Source: Joe Sandbox View	IP Address: 23.219.161.132 23.219.161.132
Source: Joe Sandbox View	IP Address: 162.159.61.3 162.159.61.3
Source: Joe Sandbox View	IP Address: 13.107.253.72 13.107.253.72
Source: Joe Sandbox View	IP Address: 239.255.255.250 239.255.255.250

Source: global traffic	HTTP traffic detected: GET /assets/domains_config_gz/2.8.76/asset?assetgroup=EntityExtractionDomainsConfig HTTP/1.1Host: edgeassetservice.azureedge.netConnection: keep-aliveEdge-Asset-Group: EntityExtractionDomainsConfigSec-Mesh-Client-Edge-Version: 117.0.2045.47Sec-Mesh-Client-Edge-Channel: stableSec-Mesh-Client-OS: WindowsSec-Mesh-Client-OS-Version: 10.0.19045Sec-Mesh-Client-Arch: x86_64Sec-Mesh-Client-WebView: 0Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /assets/arbitration_priority_list/4.0.5/asset?assetgroup=ArbitrationService HTTP/1.1Host: edgeassetservice.azureedge.netConnection: keep-aliveEdge-Asset-Group: ArbitrationServiceSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: OPTIONS /log?format=json&hasfast=true&authuser=0 HTTP/1.1Host: play.google.comConnection: keep-aliveAccept: /Access-Control-Request-Method: POSTAccess-Control-Request-Headers: x-goog-authuserOrigin: https://accounts.google.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Sec-Fetch-Mode: corsSec-Fetch-Site: same-siteSec-Fetch-Dest: emptyReferer: https://accounts.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9
Source: global traffic	HTTP traffic detected: OPTIONS /log?format=json&hasfast=true&authuser=0 HTTP/1.1Host: play.google.comConnection: keep-aliveAccept: /Access-Control-Request-Method: POSTAccess-Control-Request-Headers: x-goog-authuserOrigin: https://accounts.google.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Sec-Fetch-Mode: corsSec-Fetch-Site: same-siteSec-Fetch-Dest: emptyReferer: https://accounts.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: www.google.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-arch: "x86"sec-ch-ua-full-version: "117.0.2045.47"sec-ch-ua-platform-version: "10.0.0"sec-ch-ua-full-version-list: "Microsoft Edge";v="117.0.2045.47", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-ua-wow64: ?0sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://accounts.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9
Source: global traffic	HTTP traffic detected: OPTIONS /api/report?cat=bingbusiness HTTP/1.1Host: bzib.nelreports.netConnection: keep-aliveOrigin: https://business.bing.comAccess-Control-Request-Method: POSTAccess-Control-Request-Headers: content-typeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8

Source: global traffic	HTTP traffic detected: GET /assets/domains_config_gz/2.8.76/asset?assetgroup=EntityExtractionDomainsConfig HTTP/1.1Host: edgeassetservice.azureedge.netConnection: keep-aliveEdge-Asset-Group: EntityExtractionDomainsConfigSec-Mesh-Client-Edge-Version: 117.0.2045.47Sec-Mesh-Client-Edge-Channel: stableSec-Mesh-Client-OS: WindowsSec-Mesh-Client-OS-Version: 10.0.19045Sec-Mesh-Client-Arch: x86_64Sec-Mesh-Client-WebView: 0Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /assets/arbitration_priority_list/4.0.5/asset?assetgroup=ArbitrationService HTTP/1.1Host: edgeassetservice.azureedge.netConnection: keep-aliveEdge-Asset-Group: ArbitrationServiceSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: /Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: www.google.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-arch: "x86"sec-ch-ua-full-version: "117.0.2045.47"sec-ch-ua-platform-version: "10.0.0"sec-ch-ua-full-version-list: "Microsoft Edge";v="117.0.2045.47", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-ua-wow64: ?0sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://accounts.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=xX6G8uuRM2u6AlD&MD=BgroDaC4 HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=xX6G8uuRM2u6AlD&MD=BgroDaC4 HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com

Source: global traffic	DNS traffic detected: DNS query: bzib.nelreports.net
Source: global traffic	DNS traffic detected: DNS query: chrome.cloudflare-dns.com

Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.65.238
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.65.238
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.65.238
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.65.238
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.65.238
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.65.238
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 142.251.40.132
Source: unknown	TCP traffic detected without corresponding DNS query: 142.251.40.132
Source: unknown	TCP traffic detected without corresponding DNS query: 142.251.40.132
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.65.238
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.65.238
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.65.238
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.65.238
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.65.238
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.65.238
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.65.238
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.65.238
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.65.238
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.65.238
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.65.238
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.65.238
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.65.238
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.65.238
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.65.238
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.65.238

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\181e7a48-4bbb-49fc-8f3d-eb4edb9aa855.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\21f7f7fa-d606-4f5c-8831-6a45facb1eaf.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\7b75617e-35c2-414d-bd8b-ed6ff7a699ba.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\93d3c154-e712-44a0-af9c-b2d83d333c13.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\9db65b5a-4064-4623-bd75-01a0d0f3769b.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Ad Blocking\790d8427-4272-4e53-84eb-01819387a6c9.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Ad Blocking\blocklist (copy)

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\BrowserMetrics-spare.pma (copy)

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\BrowserMetrics-spare.pma.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\BrowserMetrics\BrowserMetrics-66D80838-F24.pma

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\BrowserMetrics\BrowserMetrics-66D80839-1C34.pma

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\settings.dat

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\throttle_store.dat

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\4001e162-da3e-420c-9af3-a3bc908adedc.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\567670c6-b425-4648-a17d-e86f221c4831.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\7a57b088-952c-4bf2-b111-8ccd155e55e2.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Asset Store\assets.db\000001.dbtmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Asset Store\assets.db\000003.log

Windows Analysis Report
file.exe

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre