Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1504038
MD5:	7497f8786c80212a680b035b87405c7e
SHA1:	85cd0a08cf47dd1728e8eda794de064df856bcff
SHA256:	6dc7e77d27a0694d782fbb4a8c68afc57cf81d448ffe32efd0452cd6901f4e4c
Tags:	exe
Infos:

Detection

Score:	68
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of debugger detection

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Sleep loop found (likely to delay execution)

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Classification

Process Tree

System is w10x64

file.exe (PID: 5232 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 7497F8786C80212A680B035B87405C7E)

msedge.exe (PID: 2828 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 5260 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2152 --field-trial-handle=2108,i,5888293748213067249,16022808129124843531,262144 --disable-features=TranslateUI /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 4308 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 7352 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=3144 --field-trial-handle=2908,i,17488071377627107958,1550055064269729580,262144 --disable-features=TranslateUI /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 8852 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=5960 --field-trial-handle=2908,i,17488071377627107958,1550055064269729580,262144 --disable-features=TranslateUI /prefetch:8 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 8864 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=7712 --field-trial-handle=2908,i,17488071377627107958,1550055064269729580,262144 --disable-features=TranslateUI /prefetch:8 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 9212 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start /prefetch:5 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 8548 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2796 --field-trial-handle=2688,i,5125173307123777852,16502443808865598765,262144 /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 6640 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=2788 --field-trial-handle=2688,i,5125173307123777852,16502443808865598765,262144 /prefetch:8 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 5792 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start /prefetch:5 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 7876 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=3244 --field-trial-handle=2076,i,8293865724591621169,13876514649448464305,262144 /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 8124 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=1460 --field-trial-handle=2076,i,8293865724591621169,13876514649448464305,262144 /prefetch:8 MD5: 69222B8101B0601CC6663F8381E7E00F)

cleanup

HTTP traffic detected: POST /RST2.srf HTTP/1.0Connection: Keep-AliveContent-Type: application/soap+xmlAccept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; Win64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; IDCRL 24.10.0.19045.0.0; IDCRL-cfg 16.000.29743.00; App svchost.exe, 10.0.19041.1806, {DF60E2DF-88AD-4526-AE21-83D130EF0F68})Content-Length: 3592Host: login.live.com

Source: global traffic

HTTP traffic detected: HTTP/1.1 503 Service UnavailableContent-Length: 326Content-Type: text/html; charset=us-asciiDate: Wed, 04 Sep 2024 11:13:58 GMTConnection: closePMUSER_FORMAT_QS: X-CDN-TraceId: 0.2aac2d17.1725448438.bd4d3d9Access-Control-Allow-Credentials: falseAccess-Control-Allow-Methods: *Access-Control-Allow-Methods: GET, OPTIONS, POSTAccess-Control-Allow-Origin: *

Source: file.exe, 00000000.00000002.3263711926.0000000001100000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.3263711926.00000000010D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.c
Source: data_10.6.dr	String found in binary or memory: https://arc.msn.com/v4/api/selection?placement=88000360&nct=1&fmt=json&ADEFAB=1&OPSYS=WIN10&locale=e
Source: data_10.6.dr	String found in binary or memory: https://azureedge.net
Source: Reporting and NEL0.6.dr	String found in binary or memory: https://bzib.nelreports.net/api/report?cat=bingbusiness
Source: Web Data.5.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: Web Data.5.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: Web Data.5.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: Web Data.5.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: Web Data.5.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: data_10.6.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/arbitration_priority_list/4.0.5/asset?assetgroup=Arbit
Source: data_10.6.dr	String found in binary or memory: https://edgeassetservice.azureedge.net/assets/domains_config_gz/2.8.76/asset?assetgroup=EntityExtrac
Source: data_10.6.dr	String found in binary or memory: https://msn.com
Source: file.exe, 00000000.00000002.3263711926.0000000001100000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://myaccount.google.com/signinoptions/passwordA
Source: file.exe, 00000000.00000002.3263688284.0000000000FF0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://myaccount.google.com/signinoptions/passwordC:
Source: Web Data.5.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: Top Sites.5.dr	String found in binary or memory: https://www.office.com/
Source: Top Sites.5.dr	String found in binary or memory: https://www.office.com/Office

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: unknown	HTTPS traffic detected: 20.190.159.73:443 -> 192.168.2.5:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.190.159.73:443 -> 192.168.2.5:49714 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.42.65.92:443 -> 192.168.2.5:49727 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.5:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.5:49749 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.5:49749 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.12.23.50:443 -> 192.168.2.5:49757 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.12.23.50:443 -> 192.168.2.5:49760 version: TLS 1.2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001BEAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_001BEAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001BED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_001BED6A

Source: C:\Users\user\Desktop\file.exe

0_2_001BEAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001AAA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_001AAA57

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001D9576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_001D9576

System Summary

Binary is likely a compiled AutoIt script file

Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: file.exe, 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_27a4d546-f
Source: file.exe, 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_84a7fc89-3
Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_cfbd55d2-c
Source: file.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_52157460-c

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001AD5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_001AD5EB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001A1201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_001A1201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001AE8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_001AE8F6

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001B2046	0_2_001B2046
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00148060	0_2_00148060
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001A8298	0_2_001A8298
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0017E4FF	0_2_0017E4FF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0017676B	0_2_0017676B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001D4873	0_2_001D4873
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0016CAA0	0_2_0016CAA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0014CAF0	0_2_0014CAF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0015CC39	0_2_0015CC39
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00176DD9	0_2_00176DD9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0015B119	0_2_0015B119
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001491C0	0_2_001491C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00161394	0_2_00161394
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00161706	0_2_00161706
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0016781B	0_2_0016781B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00147920	0_2_00147920
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0015997D	0_2_0015997D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001619B0	0_2_001619B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00167A4A	0_2_00167A4A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00161C77	0_2_00161C77
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00167CA7	0_2_00167CA7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001CBE44	0_2_001CBE44
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00179EEE	0_2_00179EEE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00161F32	0_2_00161F32
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0014BF40	0_2_0014BF40

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00149CB3 appears 31 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00160A30 appears 46 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 0015F9F2 appears 40 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal68.evad.winEXE@68/296@12/10

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001B37B5 GetLastError,FormatMessageW,

0_2_001B37B5

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001A10BF AdjustTokenPrivileges,CloseHandle,		0_2_001A10BF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001A16C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_001A16C3

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001B51CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_001B51CD

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001CA67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_001CA67C

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001B648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_001B648E

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001442A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_001442A2

Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

File created: C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk

Jump to behavior

Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

File created: C:\Users\user\AppData\Local\Temp\c6ade3c2-27b4-4a6a-858b-2290c94f7253.tmp

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Login Data.5.dr

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: file.exe	ReversingLabs: Detection: 23%
Source: file.exe	Virustotal: Detection: 24%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2152 --field-trial-handle=2108,i,5888293748213067249,16022808129124843531,262144 --disable-features=TranslateUI /prefetch:3
Source: unknown	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=3144 --field-trial-handle=2908,i,17488071377627107958,1550055064269729580,262144 --disable-features=TranslateUI /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=5960 --field-trial-handle=2908,i,17488071377627107958,1550055064269729580,262144 --disable-features=TranslateUI /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=7712 --field-trial-handle=2908,i,17488071377627107958,1550055064269729580,262144 --disable-features=TranslateUI /prefetch:8
Source: unknown	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start /prefetch:5
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2796 --field-trial-handle=2688,i,5125173307123777852,16502443808865598765,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=2788 --field-trial-handle=2688,i,5125173307123777852,16502443808865598765,262144 /prefetch:8
Source: unknown	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start /prefetch:5
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=3244 --field-trial-handle=2076,i,8293865724591621169,13876514649448464305,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=1460 --field-trial-handle=2076,i,8293865724591621169,13876514649448464305,262144 /prefetch:8
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2152 --field-trial-handle=2108,i,5888293748213067249,16022808129124843531,262144 --disable-features=TranslateUI /prefetch:3	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=3144 --field-trial-handle=2908,i,17488071377627107958,1550055064269729580,262144 --disable-features=TranslateUI /prefetch:3	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=5960 --field-trial-handle=2908,i,17488071377627107958,1550055064269729580,262144 --disable-features=TranslateUI /prefetch:8	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=7712 --field-trial-handle=2908,i,17488071377627107958,1550055064269729580,262144 --disable-features=TranslateUI /prefetch:8	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2796 --field-trial-handle=2688,i,5125173307123777852,16502443808865598765,262144 /prefetch:3	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=2788 --field-trial-handle=2688,i,5125173307123777852,16502443808865598765,262144 /prefetch:8	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=3244 --field-trial-handle=2076,i,8293865724591621169,13876514649448464305,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=1460 --field-trial-handle=2076,i,8293865724591621169,13876514649448464305,262144 /prefetch:8

Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001442DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_001442DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00160A76 push ecx; ret

0_2_00160A89

Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run MicrosoftEdgeAutoLaunch_E81D8DD3EACFA71E827377A4597DF902			Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run MicrosoftEdgeAutoLaunch_E81D8DD3EACFA71E827377A4597DF902			Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0015F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_0015F98E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001D1C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_001D1C41

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\file.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-97406

Source: C:\Users\user\Desktop\file.exe

Window / User API: threadDelayed 6441

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

API coverage: 3.2 %

Source: C:\Users\user\Desktop\file.exe TID: 6400

Thread sleep time: -64410s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe

Thread sleep count: Count: 6441 delay: -10

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001ADBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_001ADBBE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0017C2A2 FindFirstFileExW,	0_2_0017C2A2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001B68EE FindFirstFileW,FindClose,	0_2_001B68EE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001B698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_001B698F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001AD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_001AD076
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001AD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_001AD3A9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001B9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_001B9642
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001B979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_001B979D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001B9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_001B9B2B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001B5C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_001B5C97

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001442DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_001442DE

Source: Web Data.12.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: Web Data.12.dr	Binary or memory string: discord.comVMware20,11696428655f
Source: Web Data.12.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: Web Data.12.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: Web Data.12.dr	Binary or memory string: global block list test formVMware20,11696428655
Source: Web Data.12.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: Web Data.12.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: Web Data.12.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: Web Data.12.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: Web Data.12.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: Web Data.12.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: Web Data.12.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: Web Data.12.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: Web Data.12.dr	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: Web Data.12.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: Web Data.12.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: Web Data.12.dr	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: Web Data.12.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: Web Data.12.dr	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: Web Data.12.dr	Binary or memory string: AMC password management pageVMware20,11696428655
Source: Web Data.12.dr	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: Web Data.12.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: Web Data.12.dr	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: Web Data.12.dr	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: Web Data.12.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: Web Data.12.dr	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: Web Data.12.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: Web Data.12.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: Web Data.12.dr	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: Web Data.12.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: Web Data.12.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655

Anti Debugging

Found API chain indicative of debugger detection

Source: C:\Users\user\Desktop\file.exe

Debugger detection routine: QueryPerformanceCounter, DebugActiveProcess, DecisionNodes, ExitProcess or Sleep

graph_0-97601

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001BEAA2 BlockInput,

0_2_001BEAA2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00172622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00172622

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001442DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_001442DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00164CE8 mov eax, dword ptr fs:[00000030h]

0_2_00164CE8

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001A0B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_001A0B62

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00172622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00172622
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0016083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0016083F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001609D5 SetUnhandledExceptionFilter,	0_2_001609D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00160C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00160C21

Source: C:\Users\user\Desktop\file.exe

0_2_001A1201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00182BA5 SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00182BA5

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001AB226 SendInput,keybd_event,

0_2_001AB226

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001C22DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_001C22DA

Source: C:\Users\user\Desktop\file.exe

0_2_001A0B62

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001A1663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_001A1663

Source: file.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: file.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00160698 cpuid

0_2_00160698

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001B8195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_001B8195

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0019D27A GetUserNameW,

0_2_0019D27A

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0017B952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

0_2_0017B952

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_001442DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_001442DE

Source: file.exe	Binary or memory string: WIN_81
Source: file.exe	Binary or memory string: WIN_XP
Source: file.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: file.exe	Binary or memory string: WIN_XPe
Source: file.exe	Binary or memory string: WIN_VISTA
Source: file.exe	Binary or memory string: WIN_7
Source: file.exe	Binary or memory string: WIN_8

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001C1204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_001C1204
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_001C1806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_001C1806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	4 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 Registry Run Keys / Startup Folder	2 Valid Accounts	2 Obfuscated Files or Information	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	15 System Information Discovery	Distributed Component Object Model	Input Capture	15 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	2 Process Injection	1 Masquerading	LSA Secrets	221 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	1 Registry Run Keys / Startup Folder	2 Valid Accounts	Cached Domain Credentials	22 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	22 Virtualization/Sandbox Evasion	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	2 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Link
file.exe	24%	ReversingLabs
file.exe	24%	Virustotal	Browse
file.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Link
chrome.cloudflare-dns.com	0%	Virustotal	Browse
s-part-0032.t-0009.t-msedge.net	0%	Virustotal	Browse
bzib.nelreports.net	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
https://duckduckgo.com/chrome_newtab	0%	URL Reputation	safe
https://bzib.nelreports.net/api/report?cat=bingbusiness	0%	URL Reputation	safe
https://duckduckgo.com/ac/?q=	0%	URL Reputation	safe
https://chrome.cloudflare-dns.com/dns-query	0%	URL Reputation	safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	0%	URL Reputation	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	URL Reputation	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	URL Reputation	safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0%	URL Reputation	safe
https://www.office.com/	0%	Avira URL Cloud	safe
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	0%	Avira URL Cloud	safe
https://msn.com	0%	Avira URL Cloud	safe
https://myaccount.google.com/signinoptions/passwordA	0%	Avira URL Cloud	safe
https://www.office.com/Office	0%	Avira URL Cloud	safe
https://myaccount.google.com/signinoptions/passwordC:	0%	Avira URL Cloud	safe
https://www.google.com/favicon.ico	0%	Avira URL Cloud	safe
https://www.office.com/	0%	Virustotal		Browse
https://www.office.com/Office	0%	Virustotal		Browse
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	0%	Virustotal		Browse
https://www.google.com/favicon.ico	0%	Virustotal		Browse
https://msn.com	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
chrome.cloudflare-dns.com	172.64.41.3	true	false	0%, Virustotal, Browse	unknown
s-part-0032.t-0009.t-msedge.net	13.107.246.60	true	false	0%, Virustotal, Browse	unknown
bzib.nelreports.net	unknown	unknown	false	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://chrome.cloudflare-dns.com/dns-query	false	URL Reputation: safe	unknown
https://www.google.com/favicon.ico	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.office.com/	Top Sites.5.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://duckduckgo.com/chrome_newtab	Web Data.5.dr	false	URL Reputation: safe	unknown
https://bzib.nelreports.net/api/report?cat=bingbusiness	Reporting and NEL0.6.dr	false	URL Reputation: safe	unknown
https://duckduckgo.com/ac/?q=	Web Data.5.dr	false	URL Reputation: safe	unknown
https://msn.com	data_10.6.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	Web Data.5.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://myaccount.google.com/signinoptions/passwordA	file.exe, 00000000.00000002.3263711926.0000000001100000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	Web Data.5.dr	false	URL Reputation: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	Web Data.5.dr	false	URL Reputation: safe URL Reputation: safe	unknown
https://www.office.com/Office	Top Sites.5.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	Web Data.5.dr	false	URL Reputation: safe	unknown
https://myaccount.google.com/signinoptions/passwordC:	file.exe, 00000000.00000002.3263688284.0000000000FF0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
23.200.0.42	unknown	United States	20940	AKAMAI-ASN1EU	false
142.250.65.196	unknown	United States	15169	GOOGLEUS	false
142.250.80.110	unknown	United States	15169	GOOGLEUS	false
13.107.246.60	s-part-0032.t-0009.t-msedge.net	United States	8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
162.159.61.3	unknown	United States	13335	CLOUDFLARENETUS	false
142.251.40.110	unknown	United States	15169	GOOGLEUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
172.64.41.3	chrome.cloudflare-dns.com	United States	13335	CLOUDFLARENETUS	false
172.253.115.84	unknown	United States	15169	GOOGLEUS	false

Private

IP
192.168.2.5

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1504038
Start date and time:	2024-09-04 13:12:04 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 34s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	19
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal68.evad.winEXE@68/296@12/10
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 97% Number of executed functions: 42 Number of non-executed functions: 314
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, RuntimeBroker.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 93.184.221.240, 13.107.42.16, 142.251.168.84, 204.79.197.239, 13.107.21.239, 13.107.6.158, 2.19.126.152, 2.19.126.145, 142.250.185.163, 216.58.212.163, 20.24.121.134, 192.229.221.95, 142.251.40.163, 142.251.40.227, 142.251.35.163, 142.251.41.3, 142.251.32.99
Excluded domains from analysis (whitelisted): config.edge.skype.com.trafficmanager.net, slscr.update.microsoft.com, a416.dscd.akamai.net, edgeassetservice.afd.azureedge.net, wu.azureedge.net, arc.msn.com, ocsp.digicert.com, config-edge-skype.l-0007.l-msedge.net, msedge.b.tlu.dl.delivery.mp.microsoft.com, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, arc.trafficmanager.net, iris-de-prod-azsc-v2-eas.eastasia.cloudapp.azure.com, www.gstatic.com, l-0007.l-msedge.net, wu-b-net.trafficmanager.net, config.edge.skype.com, edge-microsoft-com.dual-a-0036.a-msedge.net, fs.microsoft.com, accounts.google.com, bzib.nelreports.net.akamaized.net, ctldl.windowsupdate.com.delivery.microsoft.com, fonts.gstatic.com, wu.ec.azureedge.net, ctldl.windowsupdate.com, b-0005.b-msedge.net, edge.microsoft.com, business-bing-com.b-0005.b-msedge.net, fe3cr.delivery.mp.microsoft.com, l-0007.config.skype.com, edgeassetservice.azureedge.net, azureedge-t-prod.trafficmanager.net, umwatson.events.data.mi
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtWriteVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
13:13:02	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run MicrosoftEdgeAutoLaunch_E81D8DD3EACFA71E827377A4597DF902 "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start /prefetch:5
13:13:10	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run MicrosoftEdgeAutoLaunch_E81D8DD3EACFA71E827377A4597DF902 "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start /prefetch:5

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
23.200.0.42	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
162.159.61.3	Keyser & Mackay.pdf	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	CODX.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
239.255.255.250	uxMCGUELJd.exe	Get hash	malicious	Zorab	Browse
	uxMCGUELJd.exe	Get hash	malicious	Zorab	Browse
	Keyser & Mackay.pdf	Get hash	malicious	Unknown	Browse
	https://www.qrcreator.com/qr/1CFCF746	Get hash	malicious	Phisher	Browse
	Invoice for 04-09-24 fede39.admr.org.html	Get hash	malicious	Unknown	Browse
	http://elink.adityabirlacapital.net.in/vtrack?clientid=180050&ul=V1dUDgFVUQBEBUsHC1AWVRYJQFoHSh0JAFRVJlNNRFxYAExcCl5YX0pDX1ZBAxkGDA9JCwEADgcOAgRQBQFRGA==&ml=UFVTCAJUGQJEBARQVE0=&sl=JB8gRHsrGWF1YUsAD1gKX0wDUV4SQVIHDENVB1FZQFpBAFQbC1VNH1paSwM=&pp=0&ga=utm_source3DLaunch_Email26utm_campaign3DCredit_Card_Open_market_launch_mailer26utm_medium3DEmailer26utm_content*3D&fl=DhcXSEFfSh1XW1IEE0FKVQAEWVMPSlYGER9aCV8XUUZWAhdZCldQXw==&ext=ZHNhX2hhc2g9NmNkNDQ0NzUzYzFjNDUxYjhmMTk3MGQ0ZWY4ODMzNTliMWY1ZGZlMGFiNmJhZGIzNTJmNjkwZmRiZGFhNmU4NA==__;JSUlJSUlJQ!!BHlfX_zbyOAjqHI!03-Fsf1m9LHxf3kl5f_PKtZdC3BdSLEHLybwWH9XZB3yWW9-I2XfZKwh0BYYAkvEXzZMML5XJpRzc_HszKOioGrAKwTWEEqGUdfAguyCT0oq$	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	https://2b01876c-5741-4e94-bfb6-30973e4a6517.filesusr.com/ugd/45d688_e6550f66144a4c99bd218d863a7cb192.pdf?index=true	Get hash	malicious	Unknown	Browse
	http://clicktogo.click/downloads/tra5	Get hash	malicious	Unknown	Browse
	LETTER ATTACHED.pdf	Get hash	malicious	HTMLPhisher	Browse
13.107.246.60	https://protect-us.mimecast.com/s/wFHoCqxrAnt7V914iZaD1v	Get hash	malicious	Unknown	Browse	www.mimecast.com/Customers/Support/Contact-support/
13.107.246.60	http://wellsfargo.dealogic.com/clientportal/Conferences/Registration/Form/368?menuItemId=5	Get hash	malicious	Unknown	Browse	wellsfargo.dealogic.com/clientportal/Conferences/Registration/Form/368?menuItemId=5

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s-part-0032.t-0009.t-msedge.net	Invoice for 04-09-24 fede39.admr.org.html	Get hash	malicious	Unknown	Browse	13.107.246.60
	file.exe	Get hash	malicious	Unknown	Browse	13.107.246.60
	https://github.com/Azure/review-checklists/releases/latest/download/review_checklist.xlsm	Get hash	malicious	Unknown	Browse	13.107.246.60
	https://monttrek.com.pe/.1111/api/aHR0cHM6Ly9nb29nbGUuY29t&sig=ZDUxNjU0ZTllNzZkYTAxNWE4OTNkZTAyM2ZkZDA1MGViMGIzY2UyOTU1MzY1NGMyNjFlOTExM2ZiMzA5MzdmMg&exp=MTcyNDIzOTUzMQ	Get hash	malicious	HTMLPhisher	Browse	13.107.246.60
	file.exe	Get hash	malicious	Unknown	Browse	13.107.246.60
	file.exe	Get hash	malicious	Unknown	Browse	13.107.246.60
	https://www.google.com/url?q=https://google.com/url?hl%3Den%26q%3Dhttps://google.com/url?q%3DJFt7SBpfnkz37NXTPycl%26rct%3DecYm4gDyqlWjNVTtaSh7%26sa%3Dt%26esrc%3DyN3TRjFzCWurgbW1vOG4%26source%3DzcMGnUNgngXYWBYW2c3r%26cd%3DqBH0Ch4Gn8VGtKfHcUPR%26cad%3D0q4c3js52qUrSH6rI5Ux%26ved%3DxpZpiH8kwVo72kkPvwUH%26uact%3DhzYhur4iRKYoiuCfwC6s%26url%3Damp%252Fareaazul.com.mx%252F.beans%252F&source=gmail&ust=1725454484963000&usg=AOvVaw2xy0LT_ByjSLCoEqCzpyxV#e3YsAE-SURELILYZmFiM3NtcF9wY0BnbG9iYWxmb3VuZHJpZXMuY29t	Get hash	malicious	HTMLPhisher	Browse	13.107.246.60
	file.exe	Get hash	malicious	Unknown	Browse	13.107.246.60
	file.exe	Get hash	malicious	Unknown	Browse	13.107.246.60
	file.exe	Get hash	malicious	Unknown	Browse	13.107.246.60
chrome.cloudflare-dns.com	file.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	file.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	file.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	file.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	file.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	file.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	file.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	CODX.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	file.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	CODX.exe	Get hash	malicious	Unknown	Browse	162.159.61.3

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AKAMAI-ASN1EU	Keyser & Mackay.pdf	Get hash	malicious	Unknown	Browse	2.19.97.184
	5f6e1d6f-b37d-088f-385d-3429ea199fbb.eml	Get hash	malicious	Unknown	Browse	2.16.164.96
	file.exe	Get hash	malicious	Unknown	Browse	23.219.161.132
	file.exe	Get hash	malicious	Unknown	Browse	23.219.161.132
	file.exe	Get hash	malicious	Unknown	Browse	23.219.161.132
	file.exe	Get hash	malicious	Unknown	Browse	23.219.161.132
	file.exe	Get hash	malicious	Unknown	Browse	23.200.0.42
	file.exe	Get hash	malicious	Unknown	Browse	23.44.133.57
	file.exe	Get hash	malicious	Unknown	Browse	23.44.133.57
	https://customervoice.microsoft.com/Pages/ResponsePage.aspx?id=lTCgUqihHkmFBEet2SbJL2ghryGY169Ih8KbdC_V2rZUQUFOTzhQMTZVVVI2V1RWNjNGNFhXRjdWVy4u&d=DwMFAg	Get hash	malicious	Unknown	Browse	173.222.108.211
CLOUDFLARENETUS	PO0004092024.scr	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	rDocumentPurchaseOrder202998.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	z17invoice.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	PRODUCT LIST.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	Keyser & Mackay.pdf	Get hash	malicious	Unknown	Browse	104.17.24.14
	QUOTATION_SEPQTRA071244#U00faPDF.scr	Get hash	malicious	FormBook	Browse	188.114.96.3
	AUG 2024 SOA.exe	Get hash	malicious	FormBook	Browse	172.67.182.66
	QUOTATION_SEPQTRA071244#U00faPDF.scr	Get hash	malicious	Unknown	Browse	188.114.96.3
	https://www.qrcreator.com/qr/1CFCF746	Get hash	malicious	Phisher	Browse	104.17.25.14
	Invoice for 04-09-24 fede39.admr.org.html	Get hash	malicious	Unknown	Browse	104.22.21.144
CLOUDFLARENETUS	PO0004092024.scr	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	rDocumentPurchaseOrder202998.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	z17invoice.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	PRODUCT LIST.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	Keyser & Mackay.pdf	Get hash	malicious	Unknown	Browse	104.17.24.14
	QUOTATION_SEPQTRA071244#U00faPDF.scr	Get hash	malicious	FormBook	Browse	188.114.96.3
	AUG 2024 SOA.exe	Get hash	malicious	FormBook	Browse	172.67.182.66
	QUOTATION_SEPQTRA071244#U00faPDF.scr	Get hash	malicious	Unknown	Browse	188.114.96.3
	https://www.qrcreator.com/qr/1CFCF746	Get hash	malicious	Phisher	Browse	104.17.25.14
	Invoice for 04-09-24 fede39.admr.org.html	Get hash	malicious	Unknown	Browse	104.22.21.144
MICROSOFT-CORP-MSN-AS-BLOCKUS	Keyser & Mackay.pdf	Get hash	malicious	Unknown	Browse	20.190.159.71
	Invoice for 04-09-24 fede39.admr.org.html	Get hash	malicious	Unknown	Browse	13.107.253.42
	_PDF__838754.msi	Get hash	malicious	Metamorfo	Browse	102.37.159.106
	file.exe	Get hash	malicious	Unknown	Browse	13.107.246.60
	http://link.dpd.pt/l/YCaldMErXu	Get hash	malicious	Unknown	Browse	20.93.211.47
	14995c3f-496f-5fa2-8b87-4fdbc38ec4be.eml	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	20.189.173.10
	5f6e1d6f-b37d-088f-385d-3429ea199fbb.eml	Get hash	malicious	Unknown	Browse	51.105.71.137
	file.exe	Get hash	malicious	Unknown	Browse	13.107.246.57
	https://github.com/Azure/review-checklists/releases/latest/download/review_checklist.xlsm	Get hash	malicious	Unknown	Browse	13.107.246.60
	file.exe	Get hash	malicious	Unknown	Browse	13.107.253.72

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
1138de370e523e824bbca92d049a3777	http://clicktogo.click/downloads/tra5	Get hash	malicious	Unknown	Browse	23.1.237.91
	LETTER ATTACHED.pdf	Get hash	malicious	HTMLPhisher	Browse	23.1.237.91
	https://url.au.m.mimecastprotect.com/s/PfBWC4QZ15ukx20VsOfYC4BNEn?domain=incleecl.com	Get hash	malicious	Unknown	Browse	23.1.237.91
	https://www.google.com/url?q=https://google.com/url?hl%3Den%26q%3Dhttps://google.com/url?q%3DJFt7SBpfnkz37NXTPycl%26rct%3DecYm4gDyqlWjNVTtaSh7%26sa%3Dt%26esrc%3DyN3TRjFzCWurgbW1vOG4%26source%3DzcMGnUNgngXYWBYW2c3r%26cd%3DqBH0Ch4Gn8VGtKfHcUPR%26cad%3D0q4c3js52qUrSH6rI5Ux%26ved%3DxpZpiH8kwVo72kkPvwUH%26uact%3DhzYhur4iRKYoiuCfwC6s%26url%3Damp%252Fareaazul.com.mx%252F.beans%252F&source=gmail&ust=1725454484963000&usg=AOvVaw2xy0LT_ByjSLCoEqCzpyxV#e3YsAE-SURELILYZmFiM3NtcF9wY0BnbG9iYWxmb3VuZHJpZXMuY29t	Get hash	malicious	HTMLPhisher	Browse	23.1.237.91
	https://sites.google.com/view/wcmb?usp=sharing	Get hash	malicious	Unknown	Browse	23.1.237.91
	http://www.conchtech.com/	Get hash	malicious	Unknown	Browse	23.1.237.91
	https://www.nyar-messenger.com/wp-content/87627428349820389/2FA.html	Get hash	malicious	Unknown	Browse	23.1.237.91
	http://www.swit.as/1e	Get hash	malicious	Unknown	Browse	23.1.237.91
	https://swit.as/1e	Get hash	malicious	Unknown	Browse	23.1.237.91
	https://850705.formstack.com/forms/23outlook	Get hash	malicious	Unknown	Browse	23.1.237.91
28a2c9bd18a11de089ef85a160da29e4	uxMCGUELJd.exe	Get hash	malicious	Zorab	Browse	20.190.159.73 184.28.90.27 20.12.23.50
	uxMCGUELJd.exe	Get hash	malicious	Zorab	Browse	20.190.159.73 184.28.90.27 20.12.23.50
	Invoice for 04-09-24 fede39.admr.org.html	Get hash	malicious	Unknown	Browse	20.190.159.73 184.28.90.27 20.12.23.50
	http://elink.adityabirlacapital.net.in/vtrack?clientid=180050&ul=V1dUDgFVUQBEBUsHC1AWVRYJQFoHSh0JAFRVJlNNRFxYAExcCl5YX0pDX1ZBAxkGDA9JCwEADgcOAgRQBQFRGA==&ml=UFVTCAJUGQJEBARQVE0=&sl=JB8gRHsrGWF1YUsAD1gKX0wDUV4SQVIHDENVB1FZQFpBAFQbC1VNH1paSwM=&pp=0&ga=utm_source3DLaunch_Email26utm_campaign3DCredit_Card_Open_market_launch_mailer26utm_medium3DEmailer26utm_content*3D&fl=DhcXSEFfSh1XW1IEE0FKVQAEWVMPSlYGER9aCV8XUUZWAhdZCldQXw==&ext=ZHNhX2hhc2g9NmNkNDQ0NzUzYzFjNDUxYjhmMTk3MGQ0ZWY4ODMzNTliMWY1ZGZlMGFiNmJhZGIzNTJmNjkwZmRiZGFhNmU4NA==__;JSUlJSUlJQ!!BHlfX_zbyOAjqHI!03-Fsf1m9LHxf3kl5f_PKtZdC3BdSLEHLybwWH9XZB3yWW9-I2XfZKwh0BYYAkvEXzZMML5XJpRzc_HszKOioGrAKwTWEEqGUdfAguyCT0oq$	Get hash	malicious	Unknown	Browse	20.190.159.73 184.28.90.27 20.12.23.50
	file.exe	Get hash	malicious	Unknown	Browse	20.190.159.73 184.28.90.27 20.12.23.50
	https://2b01876c-5741-4e94-bfb6-30973e4a6517.filesusr.com/ugd/45d688_e6550f66144a4c99bd218d863a7cb192.pdf?index=true	Get hash	malicious	Unknown	Browse	20.190.159.73 184.28.90.27 20.12.23.50
	http://clicktogo.click/downloads/tra5	Get hash	malicious	Unknown	Browse	20.190.159.73 184.28.90.27 20.12.23.50
	LETTER ATTACHED.pdf	Get hash	malicious	HTMLPhisher	Browse	20.190.159.73 184.28.90.27 20.12.23.50
	http://link.dpd.pt/l/YCaldMErXu	Get hash	malicious	Unknown	Browse	20.190.159.73 184.28.90.27 20.12.23.50
	https://u45162702.ct.sendgrid.net/asm/?user_id=45162702&data=qk9Ed40wRjliFyjNOXzrp-edj4bGqnqOoGmbCOucXSNoMDAwdTAwMPfzRhHkL4KIfojbuJoa3th4HnOnqfcoi8Hj8SJd_q2gRsHEdCZKARk7AIZBePNYQTrsAcbXOTe7yHAvJvVYx-iVQCHJax5W55TA-c7uY7F6RdJXwEk5-eLW0_mo5-JTIA3fhiwWmg1l6sIyM0A3E1z3DaWUpP_18KmcKbVJp5aWRE_Zgg7ANZ_bQPb_yU4ihV_DF-mBEE7Ul7lO0NoOfMEfWUt0_FyoghWD0DiMGpIvYhIQjruu2c1N1EmegclqzEGWtn9JAqFEQFVRSQN1hAp4mrVyv87P18QaofRvHnnO3DhbHHwf7mE4j_15poa3FsHxOg2qmbqbhoyvAORmjTMc8OAv3RfGTovRJDSRfKoNWB2GBRtTKWQ1rVLWtsJ-D9bbfYCSVOG48EvflUnCB0wXpbi5axTiKIIeUGzjvxxuLo0EJJyvFVQ8RC7bTLu0qdLN5qplAbhc0wfR7xLfXb8hyPxo4IbrYG5tJxqSUXg0HDgOg5xfvlclO3Re16rKa5t_TKMx-kl0Bb8qfryjXQQflTvnib2sjXeaOkf7fp8OJzMFItnnhqXzWepNtftYDUh0FoZzW4pACoxlYNscIhhyyaDB8pHRuRlCvazR4SaiPk2-D7SC9zelq-OgnOJayucQeULZEapxxWfSY99-VaaLGMZVGfHb69kMhII3q_8F2LTUjtukKwrxT3qfJdSgq4JsG87pz_xGRrRO9WgkKLFbC0BdP_sxFzcv6k0q4eryODf5vJpYV7c2urvrBexEgovGBJi8Hf5lJQQH8K8_QmTGdfhnHv1f6S-A1RO-aIODwhKM2PRRwdl_g5C-jqJ5x52pLnpVZLUZzraZeo5zUEdfpt938oM8P6qqpnjcy7nRc4mKUb9iNNlAj6Ry8O1n36gh0NWMutpaXUnCJZe4DoTOtIPlSrm0CHiZFMNSxn-JcsVfoB3WkUDraSadTvxUk0cz1zlMcoamBIURIM3twQyOqeHJkD9uVUzlCwgdXnepMYnMtsDXAZbyMqM2W4R1TsDDM_V9g0Wk71sCuhgVt98=	Get hash	malicious	Unknown	Browse	20.190.159.73 184.28.90.27 20.12.23.50
a0e9f5d64349fb13191bc781f81f42e1	_PDF__838754.msi	Get hash	malicious	Metamorfo	Browse	20.42.65.92
	84eja4LTuy.exe	Get hash	malicious	LummaC	Browse	20.42.65.92
	aaUBt1z89S.exe	Get hash	malicious	LummaC	Browse	20.42.65.92
	Rk2M6XaLsK.exe	Get hash	malicious	LummaC	Browse	20.42.65.92
	Setup.exe	Get hash	malicious	LummaC	Browse	20.42.65.92
	https://github.com/Azure/review-checklists/releases/latest/download/review_checklist.xlsm	Get hash	malicious	Unknown	Browse	20.42.65.92
	Update.js	Get hash	malicious	Unknown	Browse	20.42.65.92
	update (2).js	Get hash	malicious	Unknown	Browse	20.42.65.92
	SecuriteInfo.com.PUA.2144FlashPlayer.25693.13640.exe	Get hash	malicious	Unknown	Browse	20.42.65.92
	SecuriteInfo.com.PUA.2144FlashPlayer.25693.13640.exe	Get hash	malicious	Unknown	Browse	20.42.65.92

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3335
Entropy (8bit):	5.607208238512797
Encrypted:	false
SSDEEP:	96:0q8NkC1flhuI2WkBzZvdnA4oJkpchSDS4S4SDSNI4a:/8NbfhqI4IkpU
MD5:	12B04F168AF9899CEA7BB7EE005031CC
SHA1:	5B0E5926AC128D8AF4FB0A8B3A65CE2F3A6CFAC5
SHA-256:	BA5F1398BD3EDF5547A5FE3ABF36828DEA77E718A5C406ED28066B2E6D8173D4
SHA-512:	70D4980528F0CDFBB4EEA0E2A41444FDB052E3EA2984D5034E214F74C0E525866FCB35A0FC5EC2A3B395EF258CB719DF12B959D01EEB8B9FF120EBFA8253B3A8
Malicious:	false
Preview:	{"dual_engine":{"ie_to_edge":{"redirection_mode":0}},"edge":{"perf_center":{"efficiency_mode_v2_is_active":false,"perf_game_mode":true,"performance_mode":3,"performance_mode_is_on":false},"tab_stabs":{"closed_without_unfreeze_never_unfrozen":0,"closed_without_unfreeze_previously_unfrozen":0,"discard_without_unfreeze_never_unfrozen":0,"discard_without_unfreeze_previously_unfrozen":0},"tab_stats":{"frozen_daily":0,"unfrozen_daily":0}},"hardware_acceleration_mode_previous":true,"legacy":{"profile":{"name":{"migrated":true}}},"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAABwOEytpCIMRZi1E0KfXQnYEAAAAB4AAABNAGkAYwByAG8AcwBvAGYAdAAgAEUAZABnAGUAAAAQZgAAAAEAACAAAAAyCPSvPPSr08WLeAROze3a6Sabtk62mlV7n4midIaLWAAAAAAOgAAAAAIAACAAAADw7aeN5JiWRYL+GuUKSL2AU7ADs2RRDVn8X/1ZSTijxTAAAAB1xKeo8SoDrP4ex0ecDPS+z8CZppZo5OUDHTvaq3Y7mdedJBjeJ1ql5zhqOCbE6g9AAAAAy4QUaAAiGqNtmLMsf2CbhHhfS0iH9CqlrjGn+0okjWt2q/j+7Zo55d5HuUTElK9y7OfJWTc5um+cCwbYxA5xlQ=="},"policy":{"last_statist

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\0b015a5a-2a37-46e1-b868-16ded29eb6a9.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2958
Entropy (8bit):	5.591119841956172
Encrypted:	false
SSDEEP:	48:YuBqDPEFMsFiHC0aflhuVjuxkHB+SdrxnvBDYO2wRpFaJkXZckwlRWBB0:Xq8NkC1flhuIoBzZvdnjpQJkpcJaq
MD5:	241EC0C5D394EA90856C95932ABDEFE6
SHA1:	73F6F7B2474AB07674ACEFE4C91E813D72BF83D8
SHA-256:	09FCCAE26B62FDB061D82E4733528D31A3EB335BD11CC40D8D9621D91CCD147A
SHA-512:	511525FD4B75D2E5AB250A14B07298183B07C15C68F68CB67B9DCD8E6226B16A447772DD8E024624CCD73BFB213AD139CA19A5DCCBD356CA26ABC3B77B69E28B
Malicious:	false
Preview:	{"edge":{"perf_center":{"efficiency_mode_v2_is_active":false,"perf_game_mode":true,"performance_mode":3,"performance_mode_is_on":false},"tab_stabs":{"closed_without_unfreeze_never_unfrozen":0,"closed_without_unfreeze_previously_unfrozen":0,"discard_without_unfreeze_never_unfrozen":0,"discard_without_unfreeze_previously_unfrozen":0},"tab_stats":{"frozen_daily":0,"unfrozen_daily":0}},"hardware_acceleration_mode_previous":true,"legacy":{"profile":{"name":{"migrated":true}}},"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAABwOEytpCIMRZi1E0KfXQnYEAAAAB4AAABNAGkAYwByAG8AcwBvAGYAdAAgAEUAZABnAGUAAAAQZgAAAAEAACAAAAAyCPSvPPSr08WLeAROze3a6Sabtk62mlV7n4midIaLWAAAAAAOgAAAAAIAACAAAADw7aeN5JiWRYL+GuUKSL2AU7ADs2RRDVn8X/1ZSTijxTAAAAB1xKeo8SoDrP4ex0ecDPS+z8CZppZo5OUDHTvaq3Y7mdedJBjeJ1ql5zhqOCbE6g9AAAAAy4QUaAAiGqNtmLMsf2CbhHhfS0iH9CqlrjGn+0okjWt2q/j+7Zo55d5HuUTElK9y7OfJWTc5um+cCwbYxA5xlQ=="},"policy":{"last_statistics_update":"13369921972154889"},"profile":{"info_ca

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\19ab92a7-1013-420a-8120-53b21d3fc5d7.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4235
Entropy (8bit):	5.494232505370863
Encrypted:	false
SSDEEP:	96:0q8NkGS1flhuI58rh/cI9URoDotobLJBzZvdnA4oJkpchSDS4S4SDSNI4a:/8NBSfhUeoDUoI4IkpU
MD5:	4A417F32C4F6EDF75DC77A01A55B1A4A
SHA1:	2460531AAC381BD9C316DA35109D63E93BE48215
SHA-256:	D58EA571A3E83A25BEBE7FDFA18E4234DEC8BF7BEF70D26FE3912D857BF07C12
SHA-512:	A21431BFDC834EFEB4BBFF353C78DB5435F5BCCC17DACB0CDC52D2C48DBF96355DE31FDF63FFFEBAD60038724DA9D5AF57F91EFBD2DE16BE2D7AAFDB1701548B
Malicious:	false
Preview:	{"dual_engine":{"ie_to_edge":{"redirection_mode":0}},"edge":{"perf_center":{"efficiency_mode_v2_is_active":false,"perf_game_mode":true,"performance_mode":3,"performance_mode_is_on":false},"tab_stabs":{"closed_without_unfreeze_never_unfrozen":0,"closed_without_unfreeze_previously_unfrozen":0,"discard_without_unfreeze_never_unfrozen":0,"discard_without_unfreeze_previously_unfrozen":0},"tab_stats":{"frozen_daily":0,"unfrozen_daily":0}},"fre":{"oem_bookmarks_set":true},"hardware_acceleration_mode_previous":true,"legacy":{"profile":{"name":{"migrated":true}}},"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAABwOEytpCIMRZi1E0KfXQnYEAAAAB4AAABNAGkAYwByAG8AcwBvAGYAdAAgAEUAZABnAGUAAAAQZgAAAAEAACAAAAAyCPSvPPSr08WLeAROze3a6Sabtk62mlV7n4midIaLWAAAAAAOgAAAAAIAACAAAADw7aeN5JiWRYL+GuUKSL2AU7ADs2RRDVn8X/1ZSTijxTAAAAB1xKeo8SoDrP4ex0ecDPS+z8CZppZo5OUDHTvaq3Y7mdedJBjeJ1ql5zhqOCbE6g9AAAAAy4QUaAAiGqNtmLMsf2CbhHhfS0iH9CqlrjGn+0okjWt2q/j+7Zo55d5HuUTElK9y7OfJWTc5um+cCwbYx

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\321cbfa8-7fd2-4654-a7b7-2bad120c002e.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	20789
Entropy (8bit):	6.065438859085964
Encrypted:	false
SSDEEP:	384:RtMGQ7LBjuYXGIgtDAW5u0TDJ2q03X8NBSJu3C1TpB0wySSVe5Y:LMGQ7FCYXGIgtDAWtJ4nN/1Tp624e2
MD5:	F4C58B56F24D3C80B77D2DB194E5E52F
SHA1:	3DA58A9DFBB72EC9E68D5761C5318EA6132EDAAE
SHA-256:	B46F27E6525C9FBD6801BE312EDE8E76A8E35D8ADA5D14A57133FC88F9133E18
SHA-512:	99A7206B7D43D41E84C9A5103B830E8ED6AFD591E0BB7C0FDAFBB3B63B041D4AE38596E4E7C69F6D661AA697E58D350B6AB374FC8701DC0DACD8BC28FB0231A9
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"5E25271B8190D943537AD3FDB50874FC133E8B4A00380E2A6A888D63386F728B\"","domain_actions_config":"H4sIAAAAAAAAAL1dWZPktpH+KxP9ZDtU6GMujfykHY9txVpHyHIoYh2ODhBEkWiCAAdHVbEc/u+bCVb1dE8RqEqOdh806mbzw8VEXshM/PuKb27vha2luF9LHqKT96KVoru3G+mcquXVN/++4sOgleBBWeOvvvnn4YGs7wcLz8erb65+HMKPMVx9dVXbnisDT4wMa612TNj+6j9fUSA+xFpZPyH/9dVVQig59Wx4L5+Cwzjg799ubt/jJP48zeE9TuHwDjYBc/Ew+Ktvbv/z1ZWoe+rsjB4/7Abr5U+ajz9LXo9Px+21Mk1hoo/oX6HHjTLyKTjYyMJmCbLnO/hZMpjFAjSvxOIhbxgi5FK85m+ZCkuQu7UyKoxLO97yIFoYvbAluiw2oRoYgIQ2nG2AqJY2U+koRXQbbMm3fMsEX9JMK3GLbeAvNjhrlo5GOJiTA/oXLTdG6qXtmMBDiyS59PvY7eCklyb4QcfFi7tpdwu3VBt1XNorvM4+RiU6+CjD0kb+pHz7rRm3rXSyzABnWdKBG+Ijlx7hEE4QTzo+AB6fnDLLJBpo7PKv8Ob367/KjUg8mcY6CmCjTJCmtsWFOcUf5vj04cw0e1yZe2WAl8svFn5IC43jfc+dLnGrEyDwAicHCxNdhlrVa5LEtTgt5u2lAK02pd198r5dr5VYgHj55jUJZGTtlg0NlA7S5AnvB8l7z3olnPV2vfCLsugvBUH7vTVIe9Y151SnmS2Auyvcr5UGYXBvzT2s0L3fKpCZl+2D91MLf04NPNNUni9BZmDP4Sfjk2Ig7ktgg8r8InfhHz//zSP7e8bquWlsDJ411jYlhlRsBQRm+LIWvOaiW4hdcyEra5fCtzINfylY7VRB4y

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\4b64e0dd-f8b9-463a-ad4a-68256b99e15f.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24092
Entropy (8bit):	6.056684841476398
Encrypted:	false
SSDEEP:	384:RtMGQ7LBjuYXGIgtDAW5u0TDJ2q03X8NGJu3C3pqdaVEQ5l4D0wySSVe5Y:LMGQ7FCYXGIgtDAWtJ4nP/3CQ5l4w249
MD5:	F347E20ACB42408C1E6A800884440717
SHA1:	131A6F0F54FB7D57EC3EB4C0216DB52817D0774B
SHA-256:	E7EF763452D688AF546D547E244BA2E54EE2A0F57055BBAF3FF61D2602512234
SHA-512:	E99BAC6E5AEB33BEA4DA5CADFC87CDA96E324D76DB2A22EE3DED8291BEF4D6AF9A1707346E15D1EAE66E730AEAF3D2CA87093B5D007216C07CF0AA0AE745C9AE
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"5E25271B8190D943537AD3FDB50874FC133E8B4A00380E2A6A888D63386F728B\"","domain_actions_config":"H4sIAAAAAAAAAL1dWZPktpH+KxP9ZDtU6GMujfykHY9txVpHyHIoYh2ODhBEkWiCAAdHVbEc/u+bCVb1dE8RqEqOdh806mbzw8VEXshM/PuKb27vha2luF9LHqKT96KVoru3G+mcquXVN/++4sOgleBBWeOvvvnn4YGs7wcLz8erb65+HMKPMVx9dVXbnisDT4wMa612TNj+6j9fUSA+xFpZPyH/9dVVQig59Wx4L5+Cwzjg799ubt/jJP48zeE9TuHwDjYBc/Ew+Ktvbv/z1ZWoe+rsjB4/7Abr5U+ajz9LXo9Px+21Mk1hoo/oX6HHjTLyKTjYyMJmCbLnO/hZMpjFAjSvxOIhbxgi5FK85m+ZCkuQu7UyKoxLO97yIFoYvbAluiw2oRoYgIQ2nG2AqJY2U+koRXQbbMm3fMsEX9JMK3GLbeAvNjhrlo5GOJiTA/oXLTdG6qXtmMBDiyS59PvY7eCklyb4QcfFi7tpdwu3VBt1XNorvM4+RiU6+CjD0kb+pHz7rRm3rXSyzABnWdKBG+Ijlx7hEE4QTzo+AB6fnDLLJBpo7PKv8Ob367/KjUg8mcY6CmCjTJCmtsWFOcUf5vj04cw0e1yZe2WAl8svFn5IC43jfc+dLnGrEyDwAicHCxNdhlrVa5LEtTgt5u2lAK02pd198r5dr5VYgHj55jUJZGTtlg0NlA7S5AnvB8l7z3olnPV2vfCLsugvBUH7vTVIe9Y151SnmS2Auyvcr5UGYXBvzT2s0L3fKpCZl+2D91MLf04NPNNUni9BZmDP4Sfjk2Ig7ktgg8r8InfhHz//zSP7e8bquWlsDJ411jYlhlRsBQRm+LIWvOaiW4hdcyEra5fCtzINfylY7VRB4y

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\4dc10f84-4ab9-4a97-b6ae-0f84277282a3.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	67513
Entropy (8bit):	6.073061322490467
Encrypted:	false
SSDEEP:	1536:LMGQ5XMBG8g1pt1TtL2qLrbPOWmGWshU+pOM3Q5l4+e:LMrJM8R1FtL3LrbPMYU2z3Q72
MD5:	396027D87839B706DE53BA298E5F2DBB
SHA1:	453DB9393A70DD086D0AD036FBFB337881A0BB6C
SHA-256:	FF09B0E204612F9FACD6144194403D65B9D819CE64D4F3BF2D9B359DD57ABE63
SHA-512:	97BBE8363B22D44720ABB06D8AD3C966EA37D5AFA8E1C2B5196DEA41F7E40FFC196D0B4363ECAA8ECCC49A8C53BC3F9B68BDBBED6EB2C2703A03FF8DD704634E
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"5E25271B8190D943537AD3FDB50874FC133E8B4A00380E2A6A888D63386F728B\"","domain_actions_config":"H4sIAAAAAAAAAL1dWZPktpH+KxP9ZDtU6GMujfykHY9txVpHyHIoYh2ODhBEkWiCAAdHVbEc/u+bCVb1dE8RqEqOdh806mbzw8VEXshM/PuKb27vha2luF9LHqKT96KVoru3G+mcquXVN/++4sOgleBBWeOvvvnn4YGs7wcLz8erb65+HMKPMVx9dVXbnisDT4wMa612TNj+6j9fUSA+xFpZPyH/9dVVQig59Wx4L5+Cwzjg799ubt/jJP48zeE9TuHwDjYBc/Ew+Ktvbv/z1ZWoe+rsjB4/7Abr5U+ajz9LXo9Px+21Mk1hoo/oX6HHjTLyKTjYyMJmCbLnO/hZMpjFAjSvxOIhbxgi5FK85m+ZCkuQu7UyKoxLO97yIFoYvbAluiw2oRoYgIQ2nG2AqJY2U+koRXQbbMm3fMsEX9JMK3GLbeAvNjhrlo5GOJiTA/oXLTdG6qXtmMBDiyS59PvY7eCklyb4QcfFi7tpdwu3VBt1XNorvM4+RiU6+CjD0kb+pHz7rRm3rXSyzABnWdKBG+Ijlx7hEE4QTzo+AB6fnDLLJBpo7PKv8Ob367/KjUg8mcY6CmCjTJCmtsWFOcUf5vj04cw0e1yZe2WAl8svFn5IC43jfc+dLnGrEyDwAicHCxNdhlrVa5LEtTgt5u2lAK02pd198r5dr5VYgHj55jUJZGTtlg0NlA7S5AnvB8l7z3olnPV2vfCLsugvBUH7vTVIe9Y151SnmS2Auyvcr5UGYXBvzT2s0L3fKpCZl+2D91MLf04NPNNUni9BZmDP4Sfjk2Ig7ktgg8r8InfhHz//zSP7e8bquWlsDJ411jYlhlRsBQRm+LIWvOaiW4hdcyEra5fCtzINfylY7VRB4y

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\66990a7d-ec61-402e-9afb-1b046817cb50.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2958
Entropy (8bit):	5.591119841956172
Encrypted:	false
SSDEEP:	48:YuBqDPEFMsFiHC0aflhuVjuxkHB+SdrxnvBDYO2wRpFaJkXZckwlRWBB0:Xq8NkC1flhuIoBzZvdnjpQJkpcJaq
MD5:	241EC0C5D394EA90856C95932ABDEFE6
SHA1:	73F6F7B2474AB07674ACEFE4C91E813D72BF83D8
SHA-256:	09FCCAE26B62FDB061D82E4733528D31A3EB335BD11CC40D8D9621D91CCD147A
SHA-512:	511525FD4B75D2E5AB250A14B07298183B07C15C68F68CB67B9DCD8E6226B16A447772DD8E024624CCD73BFB213AD139CA19A5DCCBD356CA26ABC3B77B69E28B
Malicious:	false
Preview:	{"edge":{"perf_center":{"efficiency_mode_v2_is_active":false,"perf_game_mode":true,"performance_mode":3,"performance_mode_is_on":false},"tab_stabs":{"closed_without_unfreeze_never_unfrozen":0,"closed_without_unfreeze_previously_unfrozen":0,"discard_without_unfreeze_never_unfrozen":0,"discard_without_unfreeze_previously_unfrozen":0},"tab_stats":{"frozen_daily":0,"unfrozen_daily":0}},"hardware_acceleration_mode_previous":true,"legacy":{"profile":{"name":{"migrated":true}}},"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAABwOEytpCIMRZi1E0KfXQnYEAAAAB4AAABNAGkAYwByAG8AcwBvAGYAdAAgAEUAZABnAGUAAAAQZgAAAAEAACAAAAAyCPSvPPSr08WLeAROze3a6Sabtk62mlV7n4midIaLWAAAAAAOgAAAAAIAACAAAADw7aeN5JiWRYL+GuUKSL2AU7ADs2RRDVn8X/1ZSTijxTAAAAB1xKeo8SoDrP4ex0ecDPS+z8CZppZo5OUDHTvaq3Y7mdedJBjeJ1ql5zhqOCbE6g9AAAAAy4QUaAAiGqNtmLMsf2CbhHhfS0iH9CqlrjGn+0okjWt2q/j+7Zo55d5HuUTElK9y7OfJWTc5um+cCwbYxA5xlQ=="},"policy":{"last_statistics_update":"13369921972154889"},"profile":{"info_ca

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\93acff2e-fdba-4895-9e3c-6b9bc0c494a6.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	67474
Entropy (8bit):	6.07298930103007
Encrypted:	false
SSDEEP:	1536:LMGQ5XMBGNg1pt1TtL2qLrbPOWmGWshU+pOM3Q5l4+e:LMrJM8i1FtL3LrbPMYU2z3Q72
MD5:	78A2A3BD210077783A494F1AB3C181B7
SHA1:	23AFD72D40CCA6F29B897AD9CFD98471A21F8DA4
SHA-256:	32BC27436F84EA48CF2E99E0F511D7B6EDA74BCA4822609A42BBAA97F15C949F
SHA-512:	6779EAC32C66505AA9C08178CB43BC8FC16019C62FF38A69FEC0597D2474EA12E5C85A812793C65960E2030050620209AE8DF852DC7CDF8C45A0C4479F12D3AD
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"5E25271B8190D943537AD3FDB50874FC133E8B4A00380E2A6A888D63386F728B\"","domain_actions_config":"H4sIAAAAAAAAAL1dWZPktpH+KxP9ZDtU6GMujfykHY9txVpHyHIoYh2ODhBEkWiCAAdHVbEc/u+bCVb1dE8RqEqOdh806mbzw8VEXshM/PuKb27vha2luF9LHqKT96KVoru3G+mcquXVN/++4sOgleBBWeOvvvnn4YGs7wcLz8erb65+HMKPMVx9dVXbnisDT4wMa612TNj+6j9fUSA+xFpZPyH/9dVVQig59Wx4L5+Cwzjg799ubt/jJP48zeE9TuHwDjYBc/Ew+Ktvbv/z1ZWoe+rsjB4/7Abr5U+ajz9LXo9Px+21Mk1hoo/oX6HHjTLyKTjYyMJmCbLnO/hZMpjFAjSvxOIhbxgi5FK85m+ZCkuQu7UyKoxLO97yIFoYvbAluiw2oRoYgIQ2nG2AqJY2U+koRXQbbMm3fMsEX9JMK3GLbeAvNjhrlo5GOJiTA/oXLTdG6qXtmMBDiyS59PvY7eCklyb4QcfFi7tpdwu3VBt1XNorvM4+RiU6+CjD0kb+pHz7rRm3rXSyzABnWdKBG+Ijlx7hEE4QTzo+AB6fnDLLJBpo7PKv8Ob367/KjUg8mcY6CmCjTJCmtsWFOcUf5vj04cw0e1yZe2WAl8svFn5IC43jfc+dLnGrEyDwAicHCxNdhlrVa5LEtTgt5u2lAK02pd198r5dr5VYgHj55jUJZGTtlg0NlA7S5AnvB8l7z3olnPV2vfCLsugvBUH7vTVIe9Y151SnmS2Auyvcr5UGYXBvzT2s0L3fKpCZl+2D91MLf04NPNNUni9BZmDP4Sfjk2Ig7ktgg8r8InfhHz//zSP7e8bquWlsDJ411jYlhlRsBQRm+LIWvOaiW4hdcyEra5fCtzINfylY7VRB4y

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Ad Blocking\098adde5-440e-4ee2-9e71-aaee8c7c95ab.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	107893
Entropy (8bit):	4.640149995732079
Encrypted:	false
SSDEEP:	1536:B/lv4EsQMNeQ9s5VwB34PsiaR+tjvYArQdW+Iuh57P75:fwUQC5VwBIiElEd2K57P75
MD5:	AD9FA3B6C5E14C97CFD9D9A6994CC84A
SHA1:	EF063B4A4988723E0794662EC9D9831DB6566E83
SHA-256:	DCC7F776DBDE2DB809D3402FC302DB414CF67FE5D57297DDDADCE1EE42CFCE8F
SHA-512:	81D9D59657CAF5805D2D190E8533AF48ACEBFFF63409F5A620C4E08F868710301A0C622D7292168048A9BC16C0250669FAAA2DCBF40419740A083C6ED5D79CFA
Malicious:	false
Preview:	{"sites":[{"url":"24video.be"},{"url":"7dnifutbol.bg"},{"url":"6tv.dk"},{"url":"9kefa.com"},{"url":"aculpaedoslb.blogspot.pt"},{"url":"aek-live.gr"},{"url":"arcadepunk.co.uk"},{"url":"acidimg.cc"},{"url":"aazah.com"},{"url":"allehensbeverwijk.nl"},{"url":"amateurgonewild.org"},{"url":"aindasoudotempo.blogspot.com"},{"url":"anorthosis365.com"},{"url":"autoreview.bg"},{"url":"alivefoot.us"},{"url":"arbitro10.com"},{"url":"allhard.org"},{"url":"babesnude.info"},{"url":"aysel.today"},{"url":"animepornx.com"},{"url":"bahisideal20.com"},{"url":"analyseindustrie.nl"},{"url":"bahis10line.org"},{"url":"apoel365.net"},{"url":"bahissitelerisikayetleri.com"},{"url":"bambusratte.com"},{"url":"banzaj.pl"},{"url":"barlevegas.com"},{"url":"baston.info"},{"url":"atomcurve.com"},{"url":"atascadocherba.com"},{"url":"astrologer.gr"},{"url":"adultpicz.com"},{"url":"alleporno.com"},{"url":"beaver-tube.com"},{"url":"beachbabes.info"},{"url":"bearworldmagazine.com"},{"url":"bebegimdensonra.com"},{"url":"autoy

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Ad Blocking\blocklist (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	107893
Entropy (8bit):	4.640149995732079
Encrypted:	false
SSDEEP:	1536:B/lv4EsQMNeQ9s5VwB34PsiaR+tjvYArQdW+Iuh57P75:fwUQC5VwBIiElEd2K57P75
MD5:	AD9FA3B6C5E14C97CFD9D9A6994CC84A
SHA1:	EF063B4A4988723E0794662EC9D9831DB6566E83
SHA-256:	DCC7F776DBDE2DB809D3402FC302DB414CF67FE5D57297DDDADCE1EE42CFCE8F
SHA-512:	81D9D59657CAF5805D2D190E8533AF48ACEBFFF63409F5A620C4E08F868710301A0C622D7292168048A9BC16C0250669FAAA2DCBF40419740A083C6ED5D79CFA
Malicious:	false
Preview:	{"sites":[{"url":"24video.be"},{"url":"7dnifutbol.bg"},{"url":"6tv.dk"},{"url":"9kefa.com"},{"url":"aculpaedoslb.blogspot.pt"},{"url":"aek-live.gr"},{"url":"arcadepunk.co.uk"},{"url":"acidimg.cc"},{"url":"aazah.com"},{"url":"allehensbeverwijk.nl"},{"url":"amateurgonewild.org"},{"url":"aindasoudotempo.blogspot.com"},{"url":"anorthosis365.com"},{"url":"autoreview.bg"},{"url":"alivefoot.us"},{"url":"arbitro10.com"},{"url":"allhard.org"},{"url":"babesnude.info"},{"url":"aysel.today"},{"url":"animepornx.com"},{"url":"bahisideal20.com"},{"url":"analyseindustrie.nl"},{"url":"bahis10line.org"},{"url":"apoel365.net"},{"url":"bahissitelerisikayetleri.com"},{"url":"bambusratte.com"},{"url":"banzaj.pl"},{"url":"barlevegas.com"},{"url":"baston.info"},{"url":"atomcurve.com"},{"url":"atascadocherba.com"},{"url":"astrologer.gr"},{"url":"adultpicz.com"},{"url":"alleporno.com"},{"url":"beaver-tube.com"},{"url":"beachbabes.info"},{"url":"bearworldmagazine.com"},{"url":"bebegimdensonra.com"},{"url":"autoy

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\BrowserMetrics-spare.pma (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	4194304
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	B5CFA9D6C8FEBD618F91AC2843D50A1C
SHA1:	2BCCBD2F38F15C13EB7D5A89FD9D85F595E23BC3
SHA-256:	BB9F8DF61474D25E71FA00722318CD387396CA1736605E1248821CC0DE3D3AF8
SHA-512:	BD273BF4E10ED6E305ECB7B781CB065545FCE9BE9F1E2968DF22C3A98F82D719855AAFE5FF303D14EA623A5C55E51E924E10033A92A7A6B07725D7E9692B74F5
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\BrowserMetrics-spare.pma.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	4194304
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	B5CFA9D6C8FEBD618F91AC2843D50A1C
SHA1:	2BCCBD2F38F15C13EB7D5A89FD9D85F595E23BC3
SHA-256:	BB9F8DF61474D25E71FA00722318CD387396CA1736605E1248821CC0DE3D3AF8
SHA-512:	BD273BF4E10ED6E305ECB7B781CB065545FCE9BE9F1E2968DF22C3A98F82D719855AAFE5FF303D14EA623A5C55E51E924E10033A92A7A6B07725D7E9692B74F5
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\BrowserMetrics\BrowserMetrics-66D840B4-10D4.pma

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	4194304
Entropy (8bit):	0.4458452381130643
Encrypted:	false
SSDEEP:	3072:FM1FEuI08jaMoNMx+q6X5F02UAUftnXV0a/9g1HFyF+LpksirXG7+q2RrqQefK8N:RuD00a/9aHrknohYaHvJkZ
MD5:	2DFBC1B1802AD1EA3F98B97BDA2765E8
SHA1:	C6F7CAD87FD43D8C4B4E01CD9658D7C8391CC759
SHA-256:	475356FDDBD23A22CA79BA57B8A23E15A49021F3A07B4C455A09773712967435
SHA-512:	0F2880CEC0C8499E1B8CAFCFB91F928D2CE1A6F36C4B02E285E06993B694EEE57F4E7999825687DA848448188430E4352421A8E411F239BA1D066921D09B5CF6
Malicious:	false
Preview:	...@..@...@.....C.].....@...................0...............`... ...i.y.........BrowserMetrics......i.y..Yd. .......A...................v.0.....UV&K.k<................UV&K.k<................UMA.PersistentHistograms.InitResult.....8...i.y.[".................................................i.y.Pq.30..............117.0.2045.47-64..".en-GB*...Windows NT..10.0.190452....x86_64..?........".vkhcju20,1(.0..8..B....(.....10.0.19041.5462.Google Inc. (Google):bANGLE (Google, Vulkan 1.3.0 (SwiftShader Device (Subzero) (0x0000C0DE)), SwiftShader driver-5.0.0)M..BU..Be...?j...GenuineIntel... .. ..............x86_64...J....s..^o..J...W..^o..J..,jp..^o..J.......^o..J../T...^o..J...X.p.^o..J.....p.^o..J...c...^o..J...Y...^o..J.......^o..J..w....^o..J...G.Y.^o..J..A....^o..J....c..^o..J...c=..^o..J....J..^o..J...h8..^o..J..3.(..^o..J.......^o..J..!n...^o..J...S@".^o..J.......^o..J.......^o..J...j.8.^o..J..@....^o..J.......^o..J...b.J.^o..J..G....^o..J..8...^o..J...#...^o..J....k..^o..J..S..O.^o.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\BrowserMetrics\BrowserMetrics-66D840B4-B0C.pma

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	4194304
Entropy (8bit):	0.04049454526788274
Encrypted:	false
SSDEEP:	192:ZuUjLYiVWK+ggCdP7JtD+1X9XSIoUgV8vYhXxNEq4bcRQM9+0bn8y08Tcm2RGOdB:4Ujjlh6ArnhBCQc0b08T2RGOD
MD5:	0CBA2367010905098BAF691AB5E9A6D4
SHA1:	52F732A17BAB859FFB8CB8CB01042ACC957296F0
SHA-256:	D2CE1DA2F1E4863569AA48E5F87CCA8B2645248891CAE204281DD14A9DD13C88
SHA-512:	2373DA0D6F542D8913F98D57C7F2775DC80D0A111DFAC327C40604552898672A1F29F0D3666949F2690F01AEDF9E193AE1E9683B30BF853FBDF12338E2FB2E2E
Malicious:	false
Preview:	...@..@...@.....C.].....@................a...P..............`... ...i.y.........BrowserMetrics......i.y..Yd. .......A...................v.0.....UV&K.k<................UV&K.k<................UMA.PersistentHistograms.InitResult.....8...i.y.[".................................................i.y.Pq.30..............117.0.2045.47-64..".en-GB...Windows NT..10.0.190452l..x86_64..?........".vkhcju20,1(.0..8..B.......2.:.M..BU..Be...?j...GenuineIntel... .. ..........x86_64...J....k..^o..J..l.zL.^o..J....\.^o..J.....f.^o..J....?.^o..P.Z...b.INBXj....... .8.@.............<.....................$}.CG....L.T.w..Ucw.}....u.$r....9...>.........."....."...2..."..:............B)..1.3.177.11.. .*.RegKeyNotFound2.windowsR...Z...V.-...Q@..$...SF@.......Y@.......Y@.......Y@........?........?.................?.......Y@.......Y@.......Y@.......Y@.......Y@.......Y@.......Y@.......Y@.......Y@................Y@.......Y@.......Y@........?........?z.......................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\settings.dat

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	280
Entropy (8bit):	4.115740697068824
Encrypted:	false
SSDEEP:	3:FiWWltlO4fhHU2XHSRqOFhJXI2EyBl+BVP/Sh/JzvJQc9vRKR3LRyDmcEn/+Xl:o1pfhH/yRqsx+BVsJDD9vRKRbR9/+1
MD5:	64385CE24C5C838A0D1853095A2519E5
SHA1:	7E6B17A985D04BB1F859E00C8FFD9921833E87F9
SHA-256:	AAE3AEB298401F8802FBD346751F6E28BCEA6764B4979223A57FDF8B610BE78E
SHA-512:	3921DFFFB7852ECB3B858847FEF8EEB761B5437CFC7649B6DE2830D79825DC83ABF9FA75B7FA3B0AE9C3DAEBF094938CE4C891F64FC59DA503149AA4F4C4A973
Malicious:	false
Preview:	sdPC.....................-.Cd.D.I<...>."1SCRpGKHAwpF5kOwXUUSc/ojBrTkNG2SgkvqW1WE7kI="..................................................................................47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=....................575958ed-d548-4d11-bdeb-74fb3f7a39a8............

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\throttle_store.dat

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	20
Entropy (8bit):	3.6219280948873624
Encrypted:	false
SSDEEP:	3:8g6Vvn:8g6Vv
MD5:	9E4E94633B73F4A7680240A0FFD6CD2C
SHA1:	E68E02453CE22736169A56FDB59043D33668368F
SHA-256:	41C91A9C93D76295746A149DCE7EBB3B9EE2CB551D84365FFF108E59A61CC304
SHA-512:	193011A756B2368956C71A9A3AE8BC9537D99F52218F124B2E64545EEB5227861D372639052B74D0DD956CB33CA72A9107E069F1EF332B9645044849D14AF337
Malicious:	false
Preview:	level=none expiry=0.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\005a8f30-04f6-4de5-9ab3-757abe166b18.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:L:L
MD5:	5058F1AF8388633F609CADB75A75DC9D
SHA1:	3A52CE780950D4D969792A2559CD519D7EE8C727
SHA-256:	CDB4EE2AEA69CC6A83331BBE96DC2CAA9A299D21329EFB0336FC02A82E1839A8
SHA-512:	0B61241D7C17BCBB1BAEE7094D14B7C451EFECC7FFCBD92598A0F13D313CC9EBC2A07E61F007BAF58FBF94FF9A8695BDD5CAE7CE03BBF1E94E93613A00F25F21
Malicious:	false
Preview:	.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\27527af2-e863-4913-81fc-737b4acd3dea.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24799
Entropy (8bit):	5.565851904665888
Encrypted:	false
SSDEEP:	768:+za0ahWP33fcH8F1+UoAYDCx9Tuqh0VfUC9xbog/OVSnBCIrwQpGtua:+za0ahWP33fcHu1jajBCZptp
MD5:	CBA6D2C1907D20F04E33B9D6063789B6
SHA1:	56688159DFC617F152F5C3003E2A30253F68BB37
SHA-256:	DA0A1316873555E4C2E7FC5EDCFE1F07D0E8671245A23700CA3EBC38C0539190
SHA-512:	6A2ECF49503817DFAC0927E7C34FC7BF42B0FABD06CA9F6F7E5B100348494E58D89B382C296650E04F38A08E77C0D2F7174F8E7CE2B4B416502A276CD0C42FEA
Malicious:	false
Preview:	{"edge_fundamentals_appdefaults":{"ess_lightweight_version":101},"ess_kv_states":{"restore_on_startup":{"closed_notification":false,"decrypt_success":true,"key":"restore_on_startup","notification_popup_count":0},"startup_urls":{"closed_notification":false,"decrypt_success":true,"key":"startup_urls","notification_popup_count":0},"template_url_data":{"closed_notification":false,"decrypt_success":true,"key":"template_url_data","notification_popup_count":0}},"extensions":{"settings":{"ahfgeienlihckogmohjhadlkjgocpleb":{"active_permissions":{"api":["management","system.display","system.storage","webstorePrivate","system.cpu","system.memory","system.network"],"explicit_host":[],"manifest_permissions":[],"scriptable_host":[]},"app_launcher_ordinal":"t","commands":{},"content_settings":[],"creation_flags":1,"events":[],"first_install_time":"13369921972816590","from_webstore":false,"incognito_content_settings":[],"incognito_preferences":{},"last_update_time":"13369921972816590","location":5,"ma

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\3a9687fd-ea5e-4e7d-9e78-4852c65fc67c.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:L:L
MD5:	5058F1AF8388633F609CADB75A75DC9D
SHA1:	3A52CE780950D4D969792A2559CD519D7EE8C727
SHA-256:	CDB4EE2AEA69CC6A83331BBE96DC2CAA9A299D21329EFB0336FC02A82E1839A8
SHA-512:	0B61241D7C17BCBB1BAEE7094D14B7C451EFECC7FFCBD92598A0F13D313CC9EBC2A07E61F007BAF58FBF94FF9A8695BDD5CAE7CE03BBF1E94E93613A00F25F21
Malicious:	false
Preview:	.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\5552dccf-a83c-4120-92b1-89a369f8d98e.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	6528
Entropy (8bit):	4.981053442529427
Encrypted:	false
SSDEEP:	96:stDqfXis12Mb9a+XuON8zMs85eh6Cb7/x+6MhmuecmAem/NQG+2MN/EJ:stD7sE5gpNkMs88bV+FiAp+PNMJ
MD5:	C34AD976795A4CE485DA4B1A45B1AAB4
SHA1:	F4A6933FB2983D59E8A8E6D339FEDE901969B4E0
SHA-256:	6564021398521282DEE1A94210673BD65F3F18132B0209BBD6E72931A408D46B
SHA-512:	F6F31558294C1510EB6BFC9032F5797CF473F520C52D41E4E976D50895D5A2DE035517E1873F66EC92AFBDDF29B81403324EA5FD26EF1F511290DB031CB5E84A
Malicious:	false
Preview:	{"aadc_info":{"age_group":0},"account_tracker_service_last_update":"13369921974423840","alternate_error_pages":{"backup":true},"apps":{"shortcuts_arch":"","shortcuts_version":0},"arbitration_using_experiment_config":false,"browser":{"available_dark_theme_options":"All","has_seen_welcome_page":false},"continuous_migration":{"ci_correction_for_holdout_treatment_state":1},"countryid_at_install":17224,"custom_links":{"list":[]},"domain_diversity":{"last_reporting_timestamp":"13369921974425066"},"download":{"default_directory":"C:\\Users\\user\\AppData\\Local\\Microsoft\\Edge\\KioskDownloads\\","directory_upgrade":true},"dual_engine":{"consumer_mode":{"ie_user":false},"consumer_site_list_with_ie_entries":false,"consumer_sitelist_location":"","consumer_sitelist_version":"","external_consumer_shared_cookie_data":{},"shared_cookie_data":{},"sitelist_data_2":{},"sitelist_has_consumer_data":false,"sitelist_has_enterprise_data":false,"sitelist_location":"","sitelist_source":0,"sitelist_version"

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\7bc4c5ef-1bd7-4032-b745-638e8e4bbced.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24800
Entropy (8bit):	5.566060902408149
Encrypted:	false
SSDEEP:	768:+za0ahWP33fDH8F1+UoAYDCx9Tuqh0VfUC9xbog/OVSnBCIrwmpGtuV:+za0ahWP33fDHu1jajBCZDti
MD5:	1CE98FB52B2A6620208CAD3483C3639F
SHA1:	654C8EB3630FE3E3CF0B60BB96629A9B6D47DB5A
SHA-256:	7EDCA44CC6AB7291505F5A69180B45C415D4129AE8EF16DD28B4237CDA930DD3
SHA-512:	287E7D8CC3DCB022A0E69AF8490FC15998C4A675B9C3A60F19DE36324F0DA5D3103106B1F6C2247665863E617FC7E80396166E7AAAB5B9EC508449956FA0C8C4
Malicious:	false
Preview:	{"edge_fundamentals_appdefaults":{"ess_lightweight_version":101},"ess_kv_states":{"restore_on_startup":{"closed_notification":false,"decrypt_success":true,"key":"restore_on_startup","notification_popup_count":0},"startup_urls":{"closed_notification":false,"decrypt_success":true,"key":"startup_urls","notification_popup_count":0},"template_url_data":{"closed_notification":false,"decrypt_success":true,"key":"template_url_data","notification_popup_count":0}},"extensions":{"settings":{"ahfgeienlihckogmohjhadlkjgocpleb":{"active_permissions":{"api":["management","system.display","system.storage","webstorePrivate","system.cpu","system.memory","system.network"],"explicit_host":[],"manifest_permissions":[],"scriptable_host":[]},"app_launcher_ordinal":"t","commands":{},"content_settings":[],"creation_flags":1,"events":[],"first_install_time":"13369921972816590","from_webstore":false,"incognito_content_settings":[],"incognito_preferences":{},"last_update_time":"13369921972816590","location":5,"ma

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Asset Store\assets.db\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Asset Store\assets.db\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	modified
Size (bytes):	12600
Entropy (8bit):	5.321075907596493
Encrypted:	false
SSDEEP:	192:5AOEH/WCxkD7MDPSYAxmemxb7mngJdv9TXJ4MQmLu5/4eeNdl:COEOKSXs/J7mGnQmLu5/5eNdl
MD5:	64FFC89868D07C242152FF6100D091BA
SHA1:	4A880CF84B46CE9773AF252A6199AEDC773E9B4D
SHA-256:	A7DFD3043C857BE1F6CBEB56E22977A2EAFB0712DCEBC26EDF30EFFBD8E4BD0C
SHA-512:	A8E254EA9A99FE3F8BBDFD9A179A6A9F3026242D38B9416367B9E40D65098B6A8E4AC68790D460A32C6FE9B91BCAA708FC1381A21ED1D295C7F2B3DC36E34DD4
Malicious:	false
Preview:	...m.................DB_VERSION.1..$b.................QUERY_TIMESTAMP:arbitration_priority_list4...13369921978276670.$QUERY:arbitration_priority_list4....[{"name":"arbitration_priority_list","url":"https://edgeassetservice.azureedge.net/assets/arbitration_priority_list/4.0.5/asset?assetgroup=ArbitrationService","version":{"major":4,"minor":0,"patch":5},"hash":"2DPW9BV28WrPpgGHdKsEvldNQvD7dA0AAxPa3B/lKN0=","size":11989}]..A./..............'ASSET_VERSION:arbitration_priority_list.4.0.5..ASSET:arbitration_priority_list.]{.. "configVersion": 32,.. "PrivilegedExperiences": [.. "ShorelinePrivilegedExperienceID",.. "SHOPPING_AUTO_SHOW_COUPONS_CHECKOUT",.. "SHOPPING_AUTO_SHOW_LOWER_PRICE_FOUND",.. "SHOPPING_AUTO_SHOW_BING_SEARCH",.. "SHOPPING_AUTO_SHOW_REBATES",.. "SHOPPING_AUTO_SHOW_REBATES_CONFIRMATION",.. "SHOPPING_AUTO_SHOW_REBATES_DEACTIVATED",.. "SHOPPING_AUTO_SHOW_REBATES_BING",.. "SHOPPING_AUTO_SHOW_REBATES_ORGANIC",.. "SHOPPING_AUTO_SHOW_PRICE_HIST

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Asset Store\assets.db\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Asset Store\assets.db\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	307
Entropy (8bit):	5.126192286524693
Encrypted:	false
SSDEEP:	6:P3oiGos1923oH+TcwtOEh1ZB2KLll3oKOG9yq2P923oH+TcwtOEh1tIFUv:PhGOYebOEh1ZFLnNiv4YebOEh16FUv
MD5:	05769F284710C94F2E5E502C2798EB9B
SHA1:	1E42AA7BC649C6CA545F803048F216DB05EB0FAA
SHA-256:	C98C00882D36EAC33E68F3E2E86FE06A2C407EC032C6C7CC0A94536A05E5D0E3
SHA-512:	095712D0CFDAD0E0B79804DF38C1FCEBA9F0FAF0A34E4BA04917A62CF828E89813AFF75C2D23D7645FC241F9F049251433E1070B55815C4C2C5F9369C283546A
Malicious:	false
Preview:	2024/09/04-07:12:57.468 22c0 Creating DB C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Asset Store\assets.db since it was missing..2024/09/04-07:12:57.603 22c0 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Asset Store\assets.db/MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Asset Store\assets.db\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\AssistanceHome\AssistanceHomeSQLite

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	0.3202460253800455
Encrypted:	false
SSDEEP:	6:l9bNFlEuWk8TRH9MRumWEyE4gLueXdNOmWxFxCxmWxYgCxmW5y/mWz4ynLAtD/W4:TLiuWkMORuHEyESeXdwDQ3SOAtD/ie
MD5:	40B18EC43DB334E7B3F6295C7626F28D
SHA1:	0E46584B0E0A9703C6B2EC1D246F41E63AF2296F
SHA-256:	85E961767239E90A361FB6AA0A3FD9DAA57CAAF9E30599BB70124F1954B751C8
SHA-512:	8BDACDC4A9559E4273AD01407D5D411035EECD927385A51172F401558444AD29B5AD2DC5562D1101244665EBE86BBDDE072E75ECA050B051482005EB6A52CDBD
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Cache\Cache_Data\data_0

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	45056
Entropy (8bit):	0.044049019463715665
Encrypted:	false
SSDEEP:	6:/Fii2px+J1+l8kM/lq1icKgtdcwaKzKuXRllSXqb/lJ:d6SwEqgcKgTV9/S6p
MD5:	F7680DFB32DB76FC8FC31ED7A8F5DE96
SHA1:	88A8FF34460E32132CE3B27E7312D9AD42EA547A
SHA-256:	5F5635D7BDDF8B73A56067B0D26229D29280BCF9C98AF16F4D36637CC6BC8EF1
SHA-512:	AEF4120C4771093C2E64966C7AD87E1449D8B5F4CA25C94A9D084EFF86D01FE9AC597F6FA6CCC284538E512F6A421B5D475B5E627AE9C6271133F2BB5A1A116B
Malicious:	false
Preview:	............$...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Cache\Cache_Data\data_1

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	270336
Entropy (8bit):	0.09566879147005067
Encrypted:	false
SSDEEP:	48:NiV4XesaVV4A3es3NUeG1ASkJhT3lWp4:NiV4X3IV4A333NLG1A9F3L
MD5:	26A34FD3733D3EF0DDA03D990DE9463B
SHA1:	62EDF44A3F461AE87194D6F1C43FFFCD5BA3AB4C
SHA-256:	3E21727631FADA506F2C61248844777C0F34B2BF6C0A33D90F14AEB4B71895B6
SHA-512:	356EAB344E4692CBF990C882548A9ECF89276ED573E526AC42E48EAA719A864D04A4E726E20F84CCE20F4D288BC9C3A28D56CFDC9FC341306EB00DEF3F1A08DF
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Cache\Cache_Data\data_2

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	1056768
Entropy (8bit):	0.2829112490274063
Encrypted:	false
SSDEEP:	384:HJdhJtnp+dhJtnHeJtbMeJtbzRF5FJtR:HJdhJtp+dhJt+JtjJtHJt
MD5:	AF0DE160F6E5DBFF0CEF1DB57EFB5A8A
SHA1:	7980C33643BBF43EF10EB353BEB0B2D5EE918EC8
SHA-256:	614CFC352C8AC8DDAD4F878C4293D1559810C1F9C9BC81FE7FFA2CD10DFDA7D1
SHA-512:	D7972F8F868748568184A14EF341D57036F5E0AC6B2BC67307439AA6785547C6B08928709673CB86B6B599ACB0380D597003E1BF97932E4E219F1ABDF809DC1C
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Cache\Cache_Data\data_3

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	4202496
Entropy (8bit):	0.04312480187296375
Encrypted:	false
SSDEEP:	192:rH/WCxkD7MDPSYAxmemxb7mngJdv9TXJ4MQmLu5/4eeNd:rOKSXs/J7mGnQmLu5/5eNd
MD5:	4D3862637A3E49DEA6B0E914424F7F3E
SHA1:	2ADD705EDC5981DFA1DDA043EF8917DD416CA4B3
SHA-256:	081133A6F01292BF3CDF0BFBAE44EEE97EC2920D820294EA0447EE2D71249D58
SHA-512:	FA1B6C0C9D28F5686D65A17D43EC6473524C7D576CADA3BA68A94B85375C703E750F624CA82ED3A431DBF5A41203A974E041BFCC6681E04CFBE708B34A4AA861
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Cache\Cache_Data\f_000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	gzip compressed data, was "asset", last modified: Fri Aug 2 18:10:34 2024, max compression, original size modulo 2^32 374872
Category:	dropped
Size (bytes):	70207
Entropy (8bit):	7.995911906073242
Encrypted:	true
SSDEEP:	1536:VzseWV/dT2G9zm5w0vgxQUFm6SM6ZYRuB61K+aK+POIwPru:VoNQGIwvs6S9+I6RWPOIwTu
MD5:	9F5A7E038BF08B13BD15338EC7BD4E16
SHA1:	AB69D28EEA9AE289BB86159C341910538CDDE5B9
SHA-256:	BA0BCBBF170ADB0B5119D19D56C2D004579507DFC4A9215BCCC8663C8A486AF8
SHA-512:	48557ECD56DFD2157304FE752E15E44314667EFC79E6C21312723251E4E1F1BF5BE0A76F88F4B4D83FADB9D81BFB1835B1C0E5CFA7B07214A605F58064BB94B1
Malicious:	false
Preview:	.....!.f..asset.....6.0.W..3....[........9m;.....IH.E...j...}.....PR..w.gg.....@.P...?...x....?./.%..Q...x....}..9..e..f.8..Yb@g...i..$...I.......<....k...{..{.Qg..k..q.....i.Y}..._......\?....5 .5 .`..._i'@....H'.f!...x`...f......v.._1w.u.<.........5.:..^.Ua....H6...x....D:.R..L..2.,.s.f.......FE'..%{]-;+.`....N...=\|.:q...9N.k..i.I.8E.i.I.s..Y...8..fe'...Xo...Xo...#.r$N.u2.o.]....^,.k....{E."......Q.N...AY..u.^o.............Z..ce.irN.{.O$.C.......HJ.HJ..J..hOgA.5.nW.\........}E.%-.A."a<..~.[O....~.......xX.G?Y.3O8d8I...&X....V4...0=.iS....].D.L@.YiS...<.W..W+..#mj...p..8^.\U;oV;W`..^..V...G..SC.9.....i%@g.iS=..`..#.H.p.q..E.q...)....).X..M.X.%.,i.%..V..6.nk.@1S@-..Y.6....K.n....:c.My.....h...9..q...f't.iS.v..6D7...d't.iS.v..F.....faG.t.f....lR.J@!l.0O..T.....T2...\.n..-....L..ES.9.:...B..P1@...P.l.fX.aV..Y6.B5......Mt..SS,l..+..J...).i.6......8...:.Z...2.H.8..Z.>.5.Oi..N`:..6.i.n.h.l.e.h.T\.lr...TE+m.T..).D..F..+.6....J...x.`..`.m..H..i....p...v

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Cache\Cache_Data\index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 768, next free block index 3284796353, field type 0
Category:	dropped
Size (bytes):	524656
Entropy (8bit):	5.027445846313988E-4
Encrypted:	false
SSDEEP:	3:LsulTs6aKt:Ls9M
MD5:	DD893EB6B8A5E596CD2EB73E180C1FB4
SHA1:	89ACE4CC21491D625748B3A3BC2E5A80EC8A6E1D
SHA-256:	549F9BCEBBC0775A346037A7DE4B91617E02550F7D4B6A06D46D4D08EF5EDCF7
SHA-512:	80525F44AF58556060F3CE451EC681B80EB2409BB041899D2EB723C5F63A1300B2CE023282FD87BA6A00200F789CCDF5477806EF5EE80E6E37347F75C7ACD440
Malicious:	false
Preview:	............................................../.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Code Cache\js\index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	2.1431558784658327
Encrypted:	false
SSDEEP:	3:m+l:m
MD5:	54CB446F628B2EA4A5BCE5769910512E
SHA1:	C27CA848427FE87F5CF4D0E0E3CD57151B0D820D
SHA-256:	FBCFE23A2ECB82B7100C50811691DDE0A33AA3DA8D176BE9882A9DB485DC0F2D
SHA-512:	8F6ED2E91AED9BD415789B1DBE591E7EAB29F3F1B48FDFA5E864D7BF4AE554ACC5D82B4097A770DABC228523253623E4296C5023CF48252E1B94382C43123CB0
Malicious:	false
Preview:	0\r..m..................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Code Cache\js\index-dir\temp-index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	48
Entropy (8bit):	2.9972243200613975
Encrypted:	false
SSDEEP:	3:5dKKp0EMVAT:+KUm
MD5:	4A901CE8A6829F854413F73613AA20AD
SHA1:	71BBE645DA4178CA4A318C86A455C242C9BD5BCD
SHA-256:	7AA4D060419A2F343486FC040441EFA434B1318F39860E20AD1D9BF004F3FED8
SHA-512:	47A83255CA763FB6A06DD2A3648CD36688333653B42345FA1020F8F7BCC72E26DEFBDBB0B4C32982F200D5F1F9BDC8D250743B2CEEDDCB6E30203427AD15D4B0
Malicious:	false
Preview:	(....xD9oy retne............................./.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Code Cache\js\index-dir\the-real-index (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	48
Entropy (8bit):	2.9972243200613975
Encrypted:	false
SSDEEP:	3:5dKKp0EMVAT:+KUm
MD5:	4A901CE8A6829F854413F73613AA20AD
SHA1:	71BBE645DA4178CA4A318C86A455C242C9BD5BCD
SHA-256:	7AA4D060419A2F343486FC040441EFA434B1318F39860E20AD1D9BF004F3FED8
SHA-512:	47A83255CA763FB6A06DD2A3648CD36688333653B42345FA1020F8F7BCC72E26DEFBDBB0B4C32982F200D5F1F9BDC8D250743B2CEEDDCB6E30203427AD15D4B0
Malicious:	false
Preview:	(....xD9oy retne............................./.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Code Cache\wasm\index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	2.1431558784658327
Encrypted:	false
SSDEEP:	3:m+l:m
MD5:	54CB446F628B2EA4A5BCE5769910512E
SHA1:	C27CA848427FE87F5CF4D0E0E3CD57151B0D820D
SHA-256:	FBCFE23A2ECB82B7100C50811691DDE0A33AA3DA8D176BE9882A9DB485DC0F2D
SHA-512:	8F6ED2E91AED9BD415789B1DBE591E7EAB29F3F1B48FDFA5E864D7BF4AE554ACC5D82B4097A770DABC228523253623E4296C5023CF48252E1B94382C43123CB0
Malicious:	false
Preview:	0\r..m..................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Code Cache\wasm\index-dir\temp-index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	48
Entropy (8bit):	2.9972243200613975
Encrypted:	false
SSDEEP:	3:JMHC0EudEv:2qSEv
MD5:	5FEBDD5E93B0EB6C940B4DF912CCC2C2
SHA1:	ACA271929C4E37BC512F6E8FFA739A7D0A8359C1
SHA-256:	EFB4C86054BD8DEB4E3739C866A4699A0F54836CFADF7303F9FBB906C37FFBE3
SHA-512:	A202EBB74636D3B130840B2CB0F3B9B0A6BDCD455DC3810E1079AC78BDA3E0088016C0C973E6742C3F50EF11F1985C63DF8545B6030EB991DC551927086C37CC
Malicious:	false
Preview:	(...T.C.oy retne.........................8.../.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Code Cache\wasm\index-dir\the-real-index (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	48
Entropy (8bit):	2.9972243200613975
Encrypted:	false
SSDEEP:	3:JMHC0EudEv:2qSEv
MD5:	5FEBDD5E93B0EB6C940B4DF912CCC2C2
SHA1:	ACA271929C4E37BC512F6E8FFA739A7D0A8359C1
SHA-256:	EFB4C86054BD8DEB4E3739C866A4699A0F54836CFADF7303F9FBB906C37FFBE3
SHA-512:	A202EBB74636D3B130840B2CB0F3B9B0A6BDCD455DC3810E1079AC78BDA3E0088016C0C973E6742C3F50EF11F1985C63DF8545B6030EB991DC551927086C37CC
Malicious:	false
Preview:	(...T.C.oy retne.........................8.../.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\DawnCache\data_0

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 512, next free block index 3284796609, field type 0
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.01057775872642915
Encrypted:	false
SSDEEP:	3:MsFl:/F
MD5:	CF89D16BB9107C631DAABF0C0EE58EFB
SHA1:	3AE5D3A7CF1F94A56E42F9A58D90A0B9616AE74B
SHA-256:	D6A5FE39CD672781B256E0E3102F7022635F1D4BB7CFCC90A80FFFE4D0F3877E
SHA-512:	8CB5B059C8105EB91E74A7D5952437AAA1ADA89763C5843E7B0F1B93D9EBE15ED40F287C652229291FAC02D712CF7FF5ECECEF276BA0D7DDC35558A3EC3F77B0
Malicious:	false
Preview:	............$...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\DawnCache\data_1

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	270336
Entropy (8bit):	0.0012471779557650352
Encrypted:	false
SSDEEP:	3:MsEllllkEthXllkl2zE:/M/xT02z
MD5:	F50F89A0A91564D0B8A211F8921AA7DE
SHA1:	112403A17DD69D5B9018B8CEDE023CB3B54EAB7D
SHA-256:	B1E963D702392FB7224786E7D56D43973E9B9EFD1B89C17814D7C558FFC0CDEC
SHA-512:	BF8CDA48CF1EC4E73F0DD1D4FA5562AF1836120214EDB74957430CD3E4A2783E801FA3F4ED2AFB375257CAEED4ABE958265237D6E0AACF35A9EDE7A2E8898D58
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\DawnCache\data_2

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.011852361981932763
Encrypted:	false
SSDEEP:	3:MsHlDll:/H
MD5:	0962291D6D367570BEE5454721C17E11
SHA1:	59D10A893EF321A706A9255176761366115BEDCB
SHA-256:	EC1702806F4CC7C42A82FC2B38E89835FDE7C64BB32060E0823C9077CA92EFB7
SHA-512:	F555E961B69E09628EAF9C61F465871E6984CD4D31014F954BB747351DAD9CEA6D17C1DB4BCA2C1EB7F187CB5F3C0518748C339C8B43BBD1DBD94AEAA16F58ED
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\DawnCache\data_3

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.012340643231932763
Encrypted:	false
SSDEEP:	3:MsGl3ll:/y
MD5:	41876349CB12D6DB992F1309F22DF3F0
SHA1:	5CF26B3420FC0302CD0A71E8D029739B8765BE27
SHA-256:	E09F42C398D688DCE168570291F1F92D079987DEDA3099A34ADB9E8C0522B30C
SHA-512:	E9A4FC1F7CB6AE2901F8E02354A92C4AAA7A53C640DCF692DB42A27A5ACC2A3BFB25A0DE0EB08AB53983132016E7D43132EA4292E439BB636AAFD53FB6EF907E
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\DawnCache\index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 768, next free block index 3284796353, field type 0
Category:	dropped
Size (bytes):	262512
Entropy (8bit):	9.553120663130604E-4
Encrypted:	false
SSDEEP:	3:LsNlBBlll:Ls3B
MD5:	0F651556E1098AA704E2FE6BA008A9D3
SHA1:	3177CC0D72D3F185CDD1A3BCA0F83673FB9CE6E7
SHA-256:	9BF8301093F91B4379455D44C5639D80C65C58ED5A094191639C4270D0CD7FEB
SHA-512:	788C894A44BF666C663BA152B819B4A9087AEC1EF551C6A7CE774E17208E939EA96344FEA6F4BADA256C48A4B4D2B656D56D43CBAABAA1C0F15E051AC6470C6D
Malicious:	false
Preview:	.........................................M..../.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\EdgeCoupons\coupons_data.db\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\EdgeCoupons\coupons_data.db\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	33
Entropy (8bit):	3.5394429593752084
Encrypted:	false
SSDEEP:	3:iWstvhYNrkUn:iptAd
MD5:	F27314DD366903BBC6141EAE524B0FDE
SHA1:	4714D4A11C53CF4258C3A0246B98E5F5A01FBC12
SHA-256:	68C7AD234755B9EDB06832A084D092660970C89A7305E0C47D327B6AC50DD898
SHA-512:	07A0D529D9458DE5E46385F2A9D77E0987567BA908B53DDB1F83D40D99A72E6B2E3586B9F79C2264A83422C4E7FC6559CAC029A6F969F793F7407212BB3ECD51
Malicious:	false
Preview:	...m.................DB_VERSION.1

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\EdgeCoupons\coupons_data.db\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\EdgeCoupons\coupons_data.db\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\EdgeEDrop\EdgeEDropSQLite.db

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 14, database pages 8, cookie 0xe, schema 4, UTF-8, version-valid-for 14
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.494709561094235
Encrypted:	false
SSDEEP:	24:TLEC30OIcqIn2o0FUFlA2cs0US5S693Xlej2:ThLaJUnAg0UB6I
MD5:	CF7760533536E2AF66EA68BC3561B74D
SHA1:	E991DE2EA8F42AE7E0A96A3B3B8AF87A689C8CCD
SHA-256:	E1F183FAE5652BA52F5363A7E28BF62B53E7781314C9AB76B5708AF9918BE066
SHA-512:	38B15FE7503F6DFF9D39BC74AA0150A7FF038029F973BE9A37456CDE6807BCBDEAB06E624331C8DFDABE95A5973B0EE26A391DB2587E614A37ADD50046470162
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j...i............t...c................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\EdgeHubAppUsage\EdgeHubAppUsageSQLite.db

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 5, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 5
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.5094712832659277
Encrypted:	false
SSDEEP:	12:TLW4QpRSJDBJuqJSEDNvrWjJQ9Dl9np59yDLgHFUxOUDaaTXubHa7me5q4iZ7dV:TLqpR+DDNzWjJ0npnyXKUO8+j25XmL
MD5:	D4971855DD087E30FC14DF1535B556B9
SHA1:	9E00DEFC7E54C75163273184837B9D0263AA528C
SHA-256:	EC7414FF1DB052E8E0E359801F863969866F19228F3D5C64F632D991C923F0D2
SHA-512:	ACA411D7819B03EF9C9ACA292D91B1258238DF229B4E165A032DB645E66BFE1148FF3DCFDAC3126FCD34DBD0892F420148E280D9716C63AD9FCDD9E7CA58D71D
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j...%.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\EntityExtraction\EntityExtractionAssetStore.db\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\EntityExtraction\EntityExtractionAssetStore.db\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	375520
Entropy (8bit):	5.354098614698263
Encrypted:	false
SSDEEP:	6144:ZA/imBpx6WdPSxKWcHu5MURacq49QxxPnyEndBuHltBfdK5WNbsVEziP/CfXtLPz:ZFdMyq49tEndBuHltBfdK5WNbsVEziPU
MD5:	DF5067311B5F1B0521C10E80AB0026BB
SHA1:	674A9417B8F689504345F7BCBEE12F82F26160F6
SHA-256:	00D46DFB31B92AF770781C3E6C1981E0EAD32B48518DEA890DCA053E9247D774
SHA-512:	11C580D5177D73F09038DF468A1645E2615D497DBFF639C4D3F98B1E8C0364B33490233D7F494ED1122C01EAEDBF08D0B04E7094D04F4E30DF6E383213C7709B
Malicious:	false
Preview:	...m.................DB_VERSION.1i~..q...............&QUERY_TIMESTAMP:domains_config_gz2...13369921978190380..QUERY:domains_config_gz2....[{"name":"domains_config_gz","url":"https://edgeassetservice.azureedge.net/assets/domains_config_gz/2.8.76/asset?assetgroup=EntityExtractionDomainsConfig","version":{"major":2,"minor":8,"patch":76},"hash":"78Xsq/1H+MXv88uuTT1Rx79Nu2ryKVXh2J6ZzLZd38w=","size":374872}]..*.`~...............ASSET_VERSION:domains_config_gz.2.8.76..ASSET:domains_config_gz...{"config": {"token_limit": 1600, "page_cutoff": 4320, "default_locale_map": {"bg": "bg-bg", "bs": "bs-ba", "el": "el-gr", "en": "en-us", "es": "es-mx", "et": "et-ee", "cs": "cs-cz", "da": "da-dk", "de": "de-de", "fa": "fa-ir", "fi": "fi-fi", "fr": "fr-fr", "he": "he-il", "hr": "hr-hr", "hu": "hu-hu", "id": "id-id", "is": "is-is", "it": "it-it", "ja": "ja-jp", "ko": "ko-kr", "lv": "lv-lv", "lt": "lt-lt", "mk": "mk-mk", "nl": "nl-nl", "nb": "nb-no", "no": "no-no", "pl": "pl-pl", "pt": "pt-pt", "ro": "

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\EntityExtraction\EntityExtractionAssetStore.db\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\EntityExtraction\EntityExtractionAssetStore.db\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	323
Entropy (8bit):	5.190266161975981
Encrypted:	false
SSDEEP:	6:P3oiLEq1923oH+Tcwtj2WwnvB2KLll3o5hAq2P923oH+Tcwtj2WwnvIFUv:PhwfYebjxwnvFLn/v4YebjxwnQFUv
MD5:	BE8D30416FAD8D64B13CE0FDD1779A46
SHA1:	EB635004811526B281614B617D9CBEF9DE687EFC
SHA-256:	839FF361177C525E216248908C980332C6D0649724320C735DF7F208D760A95F
SHA-512:	86217936FF9B91307025315499498F6D860C0E2C2C0827580C97268694D95F2D43E0A03AF9B076F746E90C065FEBEB2EBBF58340A761701F07A7E9007F91D28F
Malicious:	false
Preview:	2024/09/04-07:12:57.468 22d0 Creating DB C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\EntityExtractionAssetStore.db since it was missing..2024/09/04-07:12:57.494 22d0 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\EntityExtractionAssetStore.db/MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\EntityExtraction\EntityExtractionAssetStore.db\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\EntityExtraction\domains_config.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	modified
Size (bytes):	358859
Entropy (8bit):	5.324607973268754
Encrypted:	false
SSDEEP:	6144:CgimBVvUrsc6rRA81b/18jyJNjfvrfM6RR:C1gAg1zfvZ
MD5:	CB037179BD18D4FEC7CE97A15818A63F
SHA1:	669C70B4ECF61FA7818A2748B448D50F92EFADEE
SHA-256:	13E293A4665424295D148E5DBCEA255A70B3E149040504AA854C5008BC6B7C75
SHA-512:	87BAA4FAEFAA80B69AB553F7B21DBE257201E82322457D2784408E3FDE3919EA6B7B7D45498A52E97AAC9D5371719FB74B591F4104D0DCA83B298E6DF7D4C0C2
Malicious:	false
Preview:	{"aee_config":{"ar":{"price_regex":{"ae":"(((ae\|aed\|\\x{062F}\\x{0660}\\x{0625}\\x{0660}\|\\x{062F}\\.\\x{0625}\|dhs\|dh)\\s\\d{1,3})\|(\\d{1,3}\\s(ae\|aed\|\\x{062F}\\x{0660}\\x{0625}\\x{0660}\|\\x{062F}\\.\\x{0625}\|dhs\|dh)))","dz":"(((dzd\|da\|\\x{062F}\\x{062C})\\s\\d{1,3})\|(\\d{1,3}\\s(dzd\|da\|\\x{062F}\\x{062C})))","eg":"(((e\\x{00a3}\|egp)\\s\\d{1,3})\|(\\d{1,3}\\s(e\\x{00a3}\|egp)))","ma":"(((mad\|dhs\|dh)\\s\\d{1,3})\|(\\d{1,3}\\s(mad\|dhs\|dh)))","sa":"((\\d{1,3}\\s(sar\\s\\x{fdfc}\|sar\|sr\|\\x{fdfc}\|\\.\\x{0631}\\.\\x{0633}))\|((sar\\s\\x{fdfc}\|sar\|sr\|\\x{fdfc}\|\\.\\x{0631}\\.\\x{0633})\\s\\d{1,3}))"},"product_terms":"((\\x{0623}\\x{0636}\\x{0641}\\s\\x{0625}\\x{0644}\\x{0649}\\s\\x{0627}\\x{0644}\\x{0639}\\x{0631}\\x{0628}\\x{0629})\|(\\x{0623}\\x{0636}\\x{0641}\\s\\x{0625}\\x{0644}\\x{0649}\\s\\x{0627}\\x{0644}\\x{062D}\\x{0642}\\x{064A}\\x{0628}\\x{0629})\|(\\x{0627}\\x{0634}\\x{062A}\\x{0631}\\x{064A}\\s*\\x{0627}\\x{0644}\\x{0622}\\x{0646})\|(\\x{062E}\\x{064A}\\x{0627}\\x{0631}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension Rules\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension Rules\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	171
Entropy (8bit):	1.8784775129881184
Encrypted:	false
SSDEEP:	3:FQxlXNQxlXNQxlXNQxlXNQxlXNQxlXNQxlXNQxlXNQxlX:qTCTCTCTCTCTCTCTCT
MD5:	E952942B492DB39A75DD2669B98EBE74
SHA1:	F6C4DEF325DCA0DFEC01759D7D8610837A370176
SHA-256:	14F92B911F9FE774720461EEC5BB4761AE6BFC9445C67E30BF624A8694B4B1DA
SHA-512:	9193E7BBE7EB633367B39513B48EFED11FD457DCED070A8708F8572D0AB248CBFF37254599A6BFB469637E0DCCBCD986347C6B6075C06FAE2AF08387B560DEA0
Malicious:	false
Preview:	.f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5...............

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension Rules\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension Rules\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	295
Entropy (8bit):	5.201897850970914
Encrypted:	false
SSDEEP:	6:P3olEcRq1923oH+TcwttaVdg2KLll3o23+q2P923oH+TcwttaPrqIFUv:PWEcxYebDLnov4Yeb83FUv
MD5:	0BE73F66C142BE1160CDA1751E5DAB90
SHA1:	C4182276148312FBA1D066EF2E3892A13A0DD321
SHA-256:	C883D2AC3AD3A007A7B5D8BAA80CF6652D2B7DF59C04FF6721040497F4081772
SHA-512:	9A30B858E7CD313090E8CD6B1B6345C86A87314B134681AB9F3EBB6AC1845C09C752185D7BBD9741F8F6EF229384FCE303843949997BCCB17D6C933AC4FE44BB
Malicious:	false
Preview:	2024/09/04-07:12:52.851 1c18 Creating DB C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension Rules since it was missing..2024/09/04-07:12:53.069 1c18 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension Rules/MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension Rules\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension Scripts\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension Scripts\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	171
Entropy (8bit):	1.8784775129881184
Encrypted:	false
SSDEEP:	3:FQxlXNQxlXNQxlXNQxlXNQxlXNQxlXNQxlXNQxlXNQxlX:qTCTCTCTCTCTCTCTCT
MD5:	E952942B492DB39A75DD2669B98EBE74
SHA1:	F6C4DEF325DCA0DFEC01759D7D8610837A370176
SHA-256:	14F92B911F9FE774720461EEC5BB4761AE6BFC9445C67E30BF624A8694B4B1DA
SHA-512:	9193E7BBE7EB633367B39513B48EFED11FD457DCED070A8708F8572D0AB248CBFF37254599A6BFB469637E0DCCBCD986347C6B6075C06FAE2AF08387B560DEA0
Malicious:	false
Preview:	.f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5...............

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension Scripts\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension Scripts\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	299
Entropy (8bit):	5.180606082725854
Encrypted:	false
SSDEEP:	6:P3oWHmRq1923oH+Tcwtt6FB2KLll3oRw+q2P923oH+Tcwtt65IFUv:POxYeb8FFLnkv4Yeb8WFUv
MD5:	53705E1E60C850D53491622ED666D5E7
SHA1:	643F6D31C0577E9FE4D35E1E8916B2030DEFB4AC
SHA-256:	4827EBFFD0DFAC54E7BB7C7EFC4192690A38F335E5D283A11D32E52859A15B54
SHA-512:	2A5C494743E8C7B5E246776C8EBDEA396A23CBC7710959A6698CADEE4759E8BE7A1A33D3F9528CEB17B325305895ADA651C65D4F100E15B956A3BDBDC06986F3
Malicious:	false
Preview:	2024/09/04-07:12:53.072 1c18 Creating DB C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension Scripts since it was missing..2024/09/04-07:12:53.083 1c18 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension Scripts/MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension Scripts\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension State\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension State\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	513
Entropy (8bit):	1.8784775129881184
Encrypted:	false
SSDEEP:	6:qTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCT:qWWWWWWWWWWWWWWWWWWWWWWWWWW
MD5:	C92EABB217D45C77F8D52725AD3758F0
SHA1:	43B422AC002BB445E2E9B2C27D74C27CD70C9975
SHA-256:	388C5C95F0F54F32B499C03A37AABFA5E0A31030EC70D0956A239942544B0EEA
SHA-512:	DFD5D1C614F0EBFF97F354DFC23266655C336B9B7112781D7579057814B4503D4B63AB1263258BDA3358E5EE9457429C1A2451B22261A1F1E2D8657F31240D3C
Malicious:	false
Preview:	.f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5...............

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension State\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension State\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	295
Entropy (8bit):	5.15541791385365
Encrypted:	false
SSDEEP:	6:P3oAUQ1923oH+TcwttYg2KLll3ou4q2P923oH+TcwttNIFUv:PzGYebJLnB4v4Yeb0FUv
MD5:	B8D205EA015CE7E3D3FC3D76A7F1B1FE
SHA1:	F987474C7CD79A8FCEB4ACE5E25BAA40DB40AE11
SHA-256:	57521F7FA4648D751A0C28FB1C0B8E4A67FE22FAEEFD5232B7C8CBDD7B643524
SHA-512:	401CD134625C83332C3B66DFD3998C8FB8AD1513D1EDDC8CACF00D27CCD94BD2F83C86C6A235E58CFE8C067DA5EF460F003AD2BB628E2CEED5DEDEBD4EFC28DB
Malicious:	false
Preview:	2024/09/04-07:12:54.681 1c20 Creating DB C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension State since it was missing..2024/09/04-07:12:54.694 1c20 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension State/MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Extension State\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\ExtensionActivityComp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 1, cookie 0x1, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.3169096321222068
Encrypted:	false
SSDEEP:	3:lSWbNFl/sl+ltl4ltllOl83/XWEEabIDWzdWuAzTgdWj3FtFIU:l9bNFlEs1ok8fDEPDadUTgd81Z
MD5:	2554AD7847B0D04963FDAE908DB81074
SHA1:	F84ABD8D05D7B0DFB693485614ECF5204989B74A
SHA-256:	F6EF01E679B9096A7D8A0BD8151422543B51E65142119A9F3271F25F966E6C42
SHA-512:	13009172518387D77A67BBF86719527077BE9534D90CB06E7F34E1CCE7C40B49A185D892EE859A8BAFB69D5EBB6D667831A0FAFBA28AC1F44570C8B68F8C90A4
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\ExtensionActivityEdge

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 2, database pages 8, cookie 0x8, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.40981274649195937
Encrypted:	false
SSDEEP:	24:TL1WK3iOvwxwwweePKmJIOAdQBVA/kjo/TJZwJ9OV3WOT/5eQQ:Tmm+/9ZW943WOT/
MD5:	1A7F642FD4F71A656BE75B26B2D9ED79
SHA1:	51BBF587FB0CCC2D726DDB95C96757CC2854CFAD
SHA-256:	B96B6DDC10C29496069E16089DB0AB6911D7C13B82791868D583897C6D317977
SHA-512:	FD14EADCF5F7AB271BE6D8EF682977D1A0B5199A142E4AB353614F2F96AE9B49A6F35A19CC237489F297141994A4A16B580F88FAC44486FCB22C05B2F1C3F7D1
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j............M.....8...b..............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Favicons

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 10, cookie 0x8, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6975083372685086
Encrypted:	false
SSDEEP:	24:LLiZxh0GY/l1rWR1PmCx9fZjsBX+T6UwcE85fBmI:EBmw6fU1zBmI
MD5:	F5BBD8449A9C3AB28AC2DE45E9059B01
SHA1:	C569D730853C33234AF2402E69C19E0C057EC165
SHA-256:	825FF36C4431084C76F3D22CE0C75FA321EA680D1F8548706B43E60FCF5B566E
SHA-512:	96ACDED5A51236630A64FAE91B8FA9FAB43E22E0C1BCB80C2DD8D4829E03FBFA75AA6438053599A42EC4BBCF805BF0B1E6DFF9069B2BA182AD0BB30F2542FD3F
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g....._.c...~.2.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................s...;+...indexfavicon_bitmaps_icon_idfavico

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\GPUCache\data_0

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 512, next free block index 3284796609, field type 0
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.01057775872642915
Encrypted:	false
SSDEEP:	3:MsFl:/F
MD5:	CF89D16BB9107C631DAABF0C0EE58EFB
SHA1:	3AE5D3A7CF1F94A56E42F9A58D90A0B9616AE74B
SHA-256:	D6A5FE39CD672781B256E0E3102F7022635F1D4BB7CFCC90A80FFFE4D0F3877E
SHA-512:	8CB5B059C8105EB91E74A7D5952437AAA1ADA89763C5843E7B0F1B93D9EBE15ED40F287C652229291FAC02D712CF7FF5ECECEF276BA0D7DDC35558A3EC3F77B0
Malicious:	false
Preview:	............$...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\GPUCache\data_1

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	270336
Entropy (8bit):	0.0012471779557650352
Encrypted:	false
SSDEEP:	3:MsEllllkEthXllkl2zE:/M/xT02z
MD5:	F50F89A0A91564D0B8A211F8921AA7DE
SHA1:	112403A17DD69D5B9018B8CEDE023CB3B54EAB7D
SHA-256:	B1E963D702392FB7224786E7D56D43973E9B9EFD1B89C17814D7C558FFC0CDEC
SHA-512:	BF8CDA48CF1EC4E73F0DD1D4FA5562AF1836120214EDB74957430CD3E4A2783E801FA3F4ED2AFB375257CAEED4ABE958265237D6E0AACF35A9EDE7A2E8898D58
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\GPUCache\data_2

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.011852361981932763
Encrypted:	false
SSDEEP:	3:MsHlDll:/H
MD5:	0962291D6D367570BEE5454721C17E11
SHA1:	59D10A893EF321A706A9255176761366115BEDCB
SHA-256:	EC1702806F4CC7C42A82FC2B38E89835FDE7C64BB32060E0823C9077CA92EFB7
SHA-512:	F555E961B69E09628EAF9C61F465871E6984CD4D31014F954BB747351DAD9CEA6D17C1DB4BCA2C1EB7F187CB5F3C0518748C339C8B43BBD1DBD94AEAA16F58ED
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\GPUCache\data_3

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.012340643231932763
Encrypted:	false
SSDEEP:	3:MsGl3ll:/y
MD5:	41876349CB12D6DB992F1309F22DF3F0
SHA1:	5CF26B3420FC0302CD0A71E8D029739B8765BE27
SHA-256:	E09F42C398D688DCE168570291F1F92D079987DEDA3099A34ADB9E8C0522B30C
SHA-512:	E9A4FC1F7CB6AE2901F8E02354A92C4AAA7A53C640DCF692DB42A27A5ACC2A3BFB25A0DE0EB08AB53983132016E7D43132EA4292E439BB636AAFD53FB6EF907E
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\GPUCache\index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 768, next free block index 3284796353, field type 0
Category:	dropped
Size (bytes):	262512
Entropy (8bit):	9.553120663130604E-4
Encrypted:	false
SSDEEP:	3:LsNl79l:Ls3
MD5:	7F73238AEF052FF008956985CACD562A
SHA1:	3108DF3C09915206FFFCEBD7971B53D3CA0D642E
SHA-256:	0B78139DD984C9A69D9554D6EF9437F29F31B4B819FE093BE7398FB259B963B3
SHA-512:	05EE9299DAD64DB5D22DE407719D0787CE2E7BF55FCD85C9FC4BAE775B8970D57D65FF823F8C5989C3B2BE7150DD68B09CB2A2749AF4CCF1435DF93C570ECF8C
Malicious:	false
Preview:	........................................n...../.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\History

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 38, cookie 0x1f, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	155648
Entropy (8bit):	0.5407252242845243
Encrypted:	false
SSDEEP:	96:OgWyejzH+bDoYysX0IxQzZkHtpVJNlYDLjGQLBE3CeE0kE:OJhH+bDo3iN0Z2TVJkXBBE3yb
MD5:	7B955D976803304F2C0505431A0CF1CF
SHA1:	E29070081B18DA0EF9D98D4389091962E3D37216
SHA-256:	987FB9BFC2A84C4C605DCB339D4935B52A969B24E70D6DEAC8946BA9A2B432DC
SHA-512:	CE2F1709F39683BE4131125BED409103F5EDF1DED545649B186845817C0D69E3D0B832B236F7C4FC09AB7F7BB88E7C9F1E4F7047D1AF56D429752D4D8CBED47A
Malicious:	false
Preview:	SQLite format 3......@ .......&..................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\History-journal

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8720
Entropy (8bit):	0.21861961848037048
Encrypted:	false
SSDEEP:	3:GHjlntFlljq7A/mhWJFuQ3yy7IOWUVUHCl/dweytllrE9SFcTp4AGbNCV9RUIn:GHC75fO/5l/d0Xi99pEYp
MD5:	D7E8E07C8C1DE795C551EFA6EB11FB05
SHA1:	3D2E4011259E9A6D73A32710B4279478A537C6BD
SHA-256:	537FA8FD9518D6252C06EDD6AC1C2EEFDAAB39AC9D5B756B145D0F1DF9ED9EB8
SHA-512:	4CBCBFE0A0E224D38D6EE2941CE29F66786857423E7ACACEDFFADC16782872E0259436F07EB6BD1B007035F9C59F804E1A5E9665F51FF31C304262F2ED470FD8
Malicious:	false
Preview:	.............`.b...&....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\HubApps Icons

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 2, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	0.33890226319329847
Encrypted:	false
SSDEEP:	12:TLMfly7aoxrRGcAkSQdC6ae1//fxEjkE/RFL2iFV1eHFxOUwa5qgufTsZ75fOSI:TLYcjr0+Pdajk+FZH1W6UwccI5fBI
MD5:	971F4C153D386AC7ED39363C31E854FC
SHA1:	339841CA0088C9EABDE4AACC8567D2289CCB9544
SHA-256:	B6468DA6EC0EAE580B251692CFE24620D39412954421BBFDECB13EF21BE7BC88
SHA-512:	1A4DD0C2BE163AAB3B81D63DEB4A7DB6421612A6CF1A5685951F86B7D5A40B67FC6585B7E52AA0CC20FF47349F15DFF0C9038086E3A7C78AE0FFBEE6D8AA7F7E
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...:.8....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	379
Entropy (8bit):	5.233945455541693
Encrypted:	false
SSDEEP:	6:P3oM5smRq1923oH+TcwtRage8Y55HEZzXELIx2KLll3orS+q2P923oH+TcwtRagX:Pj5HxYebRrcHEZrEkVLnSjv4YebRrcH0
MD5:	5FC3E76CD5F70C224A3BF435873ED89B
SHA1:	A8735FCBCA913F79ACB482CF6B59CA0C63FA5DD8
SHA-256:	8FE883B9D272EBAED66664A09351EE7116FE52264DC1C429653F821E4978D6BC
SHA-512:	4D35B8BA1AFB41C7EB87900BBF78EC95CA69F45D4ACDDB86D218581D0676DD3D4E755EA29DBC75AEF1CBE2568F9CE42224FF3397D07C31944FA29481E06930A0
Malicious:	false
Preview:	2024/09/04-07:12:55.952 1c18 Creating DB C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold since it was missing..2024/09/04-07:12:55.988 1c18 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold/MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Local Storage\leveldb\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Local Storage\leveldb\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Local Storage\leveldb\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	307
Entropy (8bit):	5.21577560573056
Encrypted:	false
SSDEEP:	6:P3oUc81923oH+TcwtRa2jM8B2KLll3oUTFiVq2P923oH+TcwtRa2jMGIFUv:PzcxYebRjFLn/J+v4YebREFUv
MD5:	E90B38228701858F8ABC6C25FB3B362F
SHA1:	D9F2DC419EA229FAA430703A43F90E890D49BC3E
SHA-256:	D9A29E0DF294C7FEC2311D2049C2615DDFA6494EEC5C9B67F85E7B3589978B76
SHA-512:	10668B7308211DD0E961F2A2637559C6423B779968FA47E6886AA07E885746B34873CBF08965D397E824BA66D245FE3BAA917B107FC1800F80EB0257DAA02A97
Malicious:	false
Preview:	2024/09/04-07:12:54.357 1d50 Creating DB C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Local Storage\leveldb since it was missing..2024/09/04-07:12:54.386 1d50 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Local Storage\leveldb/MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Local Storage\leveldb\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Login Data

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	51200
Entropy (8bit):	0.8746135976761988
Encrypted:	false
SSDEEP:	96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
MD5:	9E68EA772705B5EC0C83C2A97BB26324
SHA1:	243128040256A9112CEAC269D56AD6B21061FF80
SHA-256:	17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
SHA-512:	312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Network Action Predictor

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 11, cookie 0x6, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	45056
Entropy (8bit):	0.40293591932113104
Encrypted:	false
SSDEEP:	24:TLVgTjDk5Yk8k+/kCkzD3zzbLGfIzLihje90xq/WMFFfeFzfXVVlYWOT/CUFSe:Tmo9n+8dv/qALihje9kqL42WOT/9F
MD5:	ADC0CFB8A1A20DE2C4AB738B413CBEA4
SHA1:	238EF489E5FDC6EBB36F09D415FB353350E7097B
SHA-256:	7C071E36A64FB1881258712C9880F155D9CBAC693BADCC391A1CB110C257CC37
SHA-512:	38C8B7293B8F7BEF03299BAFB981EEEE309945B1BDE26ACDAD6FDD63247C21CA04D493A1DDAFC3B9A1904EFED998E9C7C0C8E98506FD4AC0AB252DFF34566B66
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.......=......\.t.+.>...,...=........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Network\352648aa-64f0-4367-8d44-678bb53e6c96.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	170
Entropy (8bit):	4.89042451592505
Encrypted:	false
SSDEEP:	3:YLb9N+eAXRfHDHERW6JfYoR6oJbQpwhYMKWKWMS7PMVKJq0nMb1KKtiVY:YHpo03h6ubQ+a4MS7PMVKJTnMRK3VY
MD5:	89DA93E9471CD8C8C255E72CA2CF45CB
SHA1:	BEE1905E765B0BB06275A2D6F91598BDA84B3B5A
SHA-256:	79F1C11C178CA0BC1E11CC6569FCFAB5D1B54F0359D878CBD7862F649076EDBA
SHA-512:	09D068514220CDCDF00D73A47E2362B02DF6F227D4666A7E077D8B2B9FC82E29449D2B2ACFC4340C3654C46ECDB9A90373F5B2E2F4F454A1CA334B98CDE74CD9
Malicious:	false
Preview:	{"net":{"http_server_properties":{"servers":[],"supports_quic":{"address":"192.168.2.5","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"4G"}}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Network\8a42bf20-10f5-4c61-a12a-dac982af03c6.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	40
Entropy (8bit):	4.1275671571169275
Encrypted:	false
SSDEEP:	3:Y2ktGMxkAXWMSN:Y2xFMSN
MD5:	20D4B8FA017A12A108C87F540836E250
SHA1:	1AC617FAC131262B6D3CE1F52F5907E31D5F6F00
SHA-256:	6028BD681DBF11A0A58DDE8A0CD884115C04CAA59D080BA51BDE1B086CE0079D
SHA-512:	507B2B8A8A168FF8F2BDAFA5D9D341C44501A5F17D9F63F3D43BD586BC9E8AE33221887869FA86F845B7D067CB7D2A7009EFD71DDA36E03A40A74FEE04B86856
Malicious:	false
Preview:	{"SDCH":{"dictionaries":{},"version":2}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Network\Cookies

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6732424250451717
Encrypted:	false
SSDEEP:	24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
MD5:	CFFF4E2B77FC5A18AB6323AF9BF95339
SHA1:	3AA2C2115A8EB4516049600E8832E9BFFE0C2412
SHA-256:	EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
SHA-512:	0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Network\Network Persistent State (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	59
Entropy (8bit):	4.619434150836742
Encrypted:	false
SSDEEP:	3:YLbkVKJq0nMb1KKtiVY:YHkVKJTnMRK3VY
MD5:	2800881C775077E1C4B6E06BF4676DE4
SHA1:	2873631068C8B3B9495638C865915BE822442C8B
SHA-256:	226EEC4486509917AA336AFEBD6FF65777B75B65F1FB06891D2A857A9421A974
SHA-512:	E342407AB65CC68F1B3FD706CD0A37680A0864FFD30A6539730180EDE2CDCD732CC97AE0B9EF7DB12DA5C0F83E429DF0840DBF7596ACA859A0301665E517377B
Malicious:	false
Preview:	{"net":{"network_qualities":{"CAESABiAgICA+P////8B":"4G"}}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Network\Network Persistent State~RF443db.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	59
Entropy (8bit):	4.619434150836742
Encrypted:	false
SSDEEP:	3:YLbkVKJq0nMb1KKtiVY:YHkVKJTnMRK3VY
MD5:	2800881C775077E1C4B6E06BF4676DE4
SHA1:	2873631068C8B3B9495638C865915BE822442C8B
SHA-256:	226EEC4486509917AA336AFEBD6FF65777B75B65F1FB06891D2A857A9421A974
SHA-512:	E342407AB65CC68F1B3FD706CD0A37680A0864FFD30A6539730180EDE2CDCD732CC97AE0B9EF7DB12DA5C0F83E429DF0840DBF7596ACA859A0301665E517377B
Malicious:	false
Preview:	{"net":{"network_qualities":{"CAESABiAgICA+P////8B":"4G"}}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Network\Reporting and NEL

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 6, database pages 9, cookie 0x4, schema 4, UTF-8, version-valid-for 6
Category:	dropped
Size (bytes):	36864
Entropy (8bit):	0.7608992358174622
Encrypted:	false
SSDEEP:	48:TaIopKWurJNVr1GJmA8pv82pfurJNVrdHXuccaurJN2VrJ1n4n1GmzNGU1cSBkQH:uIEumQv8m1ccnvS6J
MD5:	44C81C833251022290CAFD1807A54D8E
SHA1:	3F6A33D489A0C01EA0499C88DE0B98F9A7ACE33F
SHA-256:	8F6DE5647E504CA1D72B34DAD282A1D9C9B7060179323B2F17505548E0FEB744
SHA-512:	B462AF586FB5B76DB2F30EEA6C47317087999EBD1C6130DA2DE7231629A85357F33489FA255CE0A11480E6C73AEF9FFB9801E08AD463B02F6C02599CCF16ADE3
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...D.........7............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Network\SCT Auditing Pending Reports (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Network\SCT Auditing Pending Reports~RF31dba.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Network\Sdch Dictionaries (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	40
Entropy (8bit):	4.1275671571169275
Encrypted:	false
SSDEEP:	3:Y2ktGMxkAXWMSN:Y2xFMSN
MD5:	20D4B8FA017A12A108C87F540836E250
SHA1:	1AC617FAC131262B6D3CE1F52F5907E31D5F6F00
SHA-256:	6028BD681DBF11A0A58DDE8A0CD884115C04CAA59D080BA51BDE1B086CE0079D
SHA-512:	507B2B8A8A168FF8F2BDAFA5D9D341C44501A5F17D9F63F3D43BD586BC9E8AE33221887869FA86F845B7D067CB7D2A7009EFD71DDA36E03A40A74FEE04B86856
Malicious:	false
Preview:	{"SDCH":{"dictionaries":{},"version":2}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Network\Trust Tokens

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 9, cookie 0x6, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	36864
Entropy (8bit):	0.36515621748816035
Encrypted:	false
SSDEEP:	24:TLH3lIIAoDJ84l5lDlnDMlRlyKDtM6UwccWfp15fBIe:Tb31DtX5nDOvyKDhU1cSB
MD5:	25363ADC3C9D98BAD1A33D0792405CBF
SHA1:	D06E343087D86EF1A06F7479D81B26C90A60B5C3
SHA-256:	6E019B8B9E389216D5BDF1F2FE63F41EF98E71DA101F2A6BE04F41CC5954532D
SHA-512:	CF7EEE35D0E00945AF221BEC531E8BF06C08880DA00BD103FA561BC069D7C6F955CBA3C1C152A4884601E5A670B7487D39B4AE9A4D554ED8C14F129A74E555F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.......X..g...}.....$.X..............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Network\b2bd4ed9-78b6-4ee7-8680-2f2f423d93ca.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Network\b5fe1baa-868e-4272-97da-66bdc93ceb6e.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	59
Entropy (8bit):	4.619434150836742
Encrypted:	false
SSDEEP:	3:YLbkVKJq0nMb1KKtiVY:YHkVKJTnMRK3VY
MD5:	2800881C775077E1C4B6E06BF4676DE4
SHA1:	2873631068C8B3B9495638C865915BE822442C8B
SHA-256:	226EEC4486509917AA336AFEBD6FF65777B75B65F1FB06891D2A857A9421A974
SHA-512:	E342407AB65CC68F1B3FD706CD0A37680A0864FFD30A6539730180EDE2CDCD732CC97AE0B9EF7DB12DA5C0F83E429DF0840DBF7596ACA859A0301665E517377B
Malicious:	false
Preview:	{"net":{"network_qualities":{"CAESABiAgICA+P////8B":"4G"}}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Network\e6687d90-819a-44d5-b048-cedb9b878cd4.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Nurturing\campaign_history

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 2, database pages 5, cookie 0x2, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.46731661083066856
Encrypted:	false
SSDEEP:	12:TL1QAFUxOUDaabZXiDiIF8izX4fhhdWeci2oesJaYi3is25q0S9K0xHZ75fOV:TLiOUOq0afDdWec9sJf5Q7J5fc
MD5:	E93ACF0820CA08E5A5D2D159729F70E3
SHA1:	2C1A4D4924B9AEC1A796F108607404B000877C5D
SHA-256:	F2267FDA7F45499F7A01186B75CEFB799F8D2BC97E2E9B5068952D477294302C
SHA-512:	3BF36C20E04DCF1C16DC794E272F82F68B0DE43F16B4A9746B63B6D6BBC953B00BD7111CDA7AFE85CEBB2C447145483A382B15E2B0A5B36026C3441635D4E50C
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Preferences (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	6292
Entropy (8bit):	4.971242511142306
Encrypted:	false
SSDEEP:	96:stDqfXis12Mb9a+XuON8zMs85eh6Cb7/x+6MhmuecmAem/SG+2MN/EJ:stD7sE5gpNkMs88bV+FiA/+PNMJ
MD5:	72FC86298975028DFE9EBAC6683D2E51
SHA1:	9B1F4F5DA5C0E912E6B2048439F063740287FDC0
SHA-256:	1A8FD966779567D08B4ED0723D69F24F150EDB02D520074A82A63CEEB63B374A
SHA-512:	7E5FBB56CFF1C5C02996C4D17DB29D8CBE06433B288D43B5DE20CDF2D79268E1FCFA601551BB4877A895BBC9AFC54E84D6579B92243FE1B46B0832BF023F2950
Malicious:	false
Preview:	{"aadc_info":{"age_group":0},"account_tracker_service_last_update":"13369921974423840","alternate_error_pages":{"backup":true},"apps":{"shortcuts_arch":"","shortcuts_version":0},"arbitration_using_experiment_config":false,"browser":{"available_dark_theme_options":"All","has_seen_welcome_page":false},"continuous_migration":{"ci_correction_for_holdout_treatment_state":1},"countryid_at_install":17224,"custom_links":{"list":[]},"domain_diversity":{"last_reporting_timestamp":"13369921974425066"},"download":{"default_directory":"C:\\Users\\user\\AppData\\Local\\Microsoft\\Edge\\KioskDownloads\\","directory_upgrade":true},"dual_engine":{"consumer_mode":{"ie_user":false},"consumer_site_list_with_ie_entries":false,"consumer_sitelist_location":"","consumer_sitelist_version":"","external_consumer_shared_cookie_data":{},"shared_cookie_data":{},"sitelist_data_2":{},"sitelist_has_consumer_data":false,"sitelist_has_enterprise_data":false,"sitelist_location":"","sitelist_source":0,"sitelist_version"

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Preferences~RF3b0f2.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	6292
Entropy (8bit):	4.971242511142306
Encrypted:	false
SSDEEP:	96:stDqfXis12Mb9a+XuON8zMs85eh6Cb7/x+6MhmuecmAem/SG+2MN/EJ:stD7sE5gpNkMs88bV+FiA/+PNMJ
MD5:	72FC86298975028DFE9EBAC6683D2E51
SHA1:	9B1F4F5DA5C0E912E6B2048439F063740287FDC0
SHA-256:	1A8FD966779567D08B4ED0723D69F24F150EDB02D520074A82A63CEEB63B374A
SHA-512:	7E5FBB56CFF1C5C02996C4D17DB29D8CBE06433B288D43B5DE20CDF2D79268E1FCFA601551BB4877A895BBC9AFC54E84D6579B92243FE1B46B0832BF023F2950
Malicious:	false
Preview:	{"aadc_info":{"age_group":0},"account_tracker_service_last_update":"13369921974423840","alternate_error_pages":{"backup":true},"apps":{"shortcuts_arch":"","shortcuts_version":0},"arbitration_using_experiment_config":false,"browser":{"available_dark_theme_options":"All","has_seen_welcome_page":false},"continuous_migration":{"ci_correction_for_holdout_treatment_state":1},"countryid_at_install":17224,"custom_links":{"list":[]},"domain_diversity":{"last_reporting_timestamp":"13369921974425066"},"download":{"default_directory":"C:\\Users\\user\\AppData\\Local\\Microsoft\\Edge\\KioskDownloads\\","directory_upgrade":true},"dual_engine":{"consumer_mode":{"ie_user":false},"consumer_site_list_with_ie_entries":false,"consumer_sitelist_location":"","consumer_sitelist_version":"","external_consumer_shared_cookie_data":{},"shared_cookie_data":{},"sitelist_data_2":{},"sitelist_has_consumer_data":false,"sitelist_has_enterprise_data":false,"sitelist_location":"","sitelist_source":0,"sitelist_version"

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Preferences~RF42641.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	6292
Entropy (8bit):	4.971242511142306
Encrypted:	false
SSDEEP:	96:stDqfXis12Mb9a+XuON8zMs85eh6Cb7/x+6MhmuecmAem/SG+2MN/EJ:stD7sE5gpNkMs88bV+FiA/+PNMJ
MD5:	72FC86298975028DFE9EBAC6683D2E51
SHA1:	9B1F4F5DA5C0E912E6B2048439F063740287FDC0
SHA-256:	1A8FD966779567D08B4ED0723D69F24F150EDB02D520074A82A63CEEB63B374A
SHA-512:	7E5FBB56CFF1C5C02996C4D17DB29D8CBE06433B288D43B5DE20CDF2D79268E1FCFA601551BB4877A895BBC9AFC54E84D6579B92243FE1B46B0832BF023F2950
Malicious:	false
Preview:	{"aadc_info":{"age_group":0},"account_tracker_service_last_update":"13369921974423840","alternate_error_pages":{"backup":true},"apps":{"shortcuts_arch":"","shortcuts_version":0},"arbitration_using_experiment_config":false,"browser":{"available_dark_theme_options":"All","has_seen_welcome_page":false},"continuous_migration":{"ci_correction_for_holdout_treatment_state":1},"countryid_at_install":17224,"custom_links":{"list":[]},"domain_diversity":{"last_reporting_timestamp":"13369921974425066"},"download":{"default_directory":"C:\\Users\\user\\AppData\\Local\\Microsoft\\Edge\\KioskDownloads\\","directory_upgrade":true},"dual_engine":{"consumer_mode":{"ie_user":false},"consumer_site_list_with_ie_entries":false,"consumer_sitelist_location":"","consumer_sitelist_version":"","external_consumer_shared_cookie_data":{},"shared_cookie_data":{},"sitelist_data_2":{},"sitelist_has_consumer_data":false,"sitelist_has_enterprise_data":false,"sitelist_location":"","sitelist_source":0,"sitelist_version"

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\PreferredApps

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	33
Entropy (8bit):	4.051821770808046
Encrypted:	false
SSDEEP:	3:YVXADAEvTLSJ:Y9AcEvHSJ
MD5:	2B432FEF211C69C745ACA86DE4F8E4AB
SHA1:	4B92DA8D4C0188CF2409500ADCD2200444A82FCC
SHA-256:	42B55D126D1E640B1ED7A6BDCB9A46C81DF461FA7E131F4F8C7108C2C61C14DE
SHA-512:	948502DE4DC89A7E9D2E1660451FCD0F44FD3816072924A44F145D821D0363233CC92A377DBA3A0A9F849E3C17B1893070025C369C8120083A622D025FE1EACF
Malicious:	false
Preview:	{"preferred_apps":[],"version":1}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\README

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	182
Entropy (8bit):	4.2629097520179995
Encrypted:	false
SSDEEP:	3:RGXKRjg0QwVIWRKXECSAV6jDyhjgHGAW+LB2Z4MKLFE1SwhiFAfXQmWyKBPMwRgK:z3frsUpAQQgHGwB26MK8Sw06fXQmWtRT
MD5:	643E00B0186AA80523F8A6BED550A925
SHA1:	EC4056125D6F1A8890FFE01BFFC973C2F6ABD115
SHA-256:	A0C9ABAE18599F0A65FC654AD36251F6330794BEA66B718A09D8B297F3E38E87
SHA-512:	D91A934EAF7D9D669B8AD4452234DE6B23D15237CB4D251F2C78C8339CEE7B4F9BA6B8597E35FE8C81B3D6F64AE707C68FF492903C0EDC3E4BAF2C6B747E247D
Malicious:	false
Preview:	Microsoft Edge settings and storage represent user-selected preferences and information and MUST not be extracted, overwritten or modified except through Microsoft Edge defined APIs.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Secure Preferences (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24799
Entropy (8bit):	5.565851904665888
Encrypted:	false
SSDEEP:	768:+za0ahWP33fcH8F1+UoAYDCx9Tuqh0VfUC9xbog/OVSnBCIrwQpGtua:+za0ahWP33fcHu1jajBCZptp
MD5:	CBA6D2C1907D20F04E33B9D6063789B6
SHA1:	56688159DFC617F152F5C3003E2A30253F68BB37
SHA-256:	DA0A1316873555E4C2E7FC5EDCFE1F07D0E8671245A23700CA3EBC38C0539190
SHA-512:	6A2ECF49503817DFAC0927E7C34FC7BF42B0FABD06CA9F6F7E5B100348494E58D89B382C296650E04F38A08E77C0D2F7174F8E7CE2B4B416502A276CD0C42FEA
Malicious:	false
Preview:	{"edge_fundamentals_appdefaults":{"ess_lightweight_version":101},"ess_kv_states":{"restore_on_startup":{"closed_notification":false,"decrypt_success":true,"key":"restore_on_startup","notification_popup_count":0},"startup_urls":{"closed_notification":false,"decrypt_success":true,"key":"startup_urls","notification_popup_count":0},"template_url_data":{"closed_notification":false,"decrypt_success":true,"key":"template_url_data","notification_popup_count":0}},"extensions":{"settings":{"ahfgeienlihckogmohjhadlkjgocpleb":{"active_permissions":{"api":["management","system.display","system.storage","webstorePrivate","system.cpu","system.memory","system.network"],"explicit_host":[],"manifest_permissions":[],"scriptable_host":[]},"app_launcher_ordinal":"t","commands":{},"content_settings":[],"creation_flags":1,"events":[],"first_install_time":"13369921972816590","from_webstore":false,"incognito_content_settings":[],"incognito_preferences":{},"last_update_time":"13369921972816590","location":5,"ma

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Secure Preferences~RF381e3.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24799
Entropy (8bit):	5.565851904665888
Encrypted:	false
SSDEEP:	768:+za0ahWP33fcH8F1+UoAYDCx9Tuqh0VfUC9xbog/OVSnBCIrwQpGtua:+za0ahWP33fcHu1jajBCZptp
MD5:	CBA6D2C1907D20F04E33B9D6063789B6
SHA1:	56688159DFC617F152F5C3003E2A30253F68BB37
SHA-256:	DA0A1316873555E4C2E7FC5EDCFE1F07D0E8671245A23700CA3EBC38C0539190
SHA-512:	6A2ECF49503817DFAC0927E7C34FC7BF42B0FABD06CA9F6F7E5B100348494E58D89B382C296650E04F38A08E77C0D2F7174F8E7CE2B4B416502A276CD0C42FEA
Malicious:	false
Preview:	{"edge_fundamentals_appdefaults":{"ess_lightweight_version":101},"ess_kv_states":{"restore_on_startup":{"closed_notification":false,"decrypt_success":true,"key":"restore_on_startup","notification_popup_count":0},"startup_urls":{"closed_notification":false,"decrypt_success":true,"key":"startup_urls","notification_popup_count":0},"template_url_data":{"closed_notification":false,"decrypt_success":true,"key":"template_url_data","notification_popup_count":0}},"extensions":{"settings":{"ahfgeienlihckogmohjhadlkjgocpleb":{"active_permissions":{"api":["management","system.display","system.storage","webstorePrivate","system.cpu","system.memory","system.network"],"explicit_host":[],"manifest_permissions":[],"scriptable_host":[]},"app_launcher_ordinal":"t","commands":{},"content_settings":[],"creation_flags":1,"events":[],"first_install_time":"13369921972816590","from_webstore":false,"incognito_content_settings":[],"incognito_preferences":{},"last_update_time":"13369921972816590","location":5,"ma

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Session Storage\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Session Storage\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	118
Entropy (8bit):	3.160877598186631
Encrypted:	false
SSDEEP:	3:S8ltHlS+QUl1ASEGhTFljljljl:S85aEFljljljl
MD5:	7733303DBE19B64C38F3DE4FE224BE9A
SHA1:	8CA37B38028A2DB895A4570E0536859B3CC5C279
SHA-256:	B10C1BA416A632CD57232C81A5C2E8EE76A716E0737D10EABE1D430BEC50739D
SHA-512:	E8CD965BCA0480DB9808CB1B461AC5BF5935C3CBF31C10FDF090D406F4BC4F3187D717199DCF94197B8DF24C1D6E4FF07241D8CFFFD9AEE06CCE9674F0220E29
Malicious:	false
Preview:	*...#................version.1..namespace-..&f.................&f.................&f.................&f...............

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Session Storage\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Session Storage\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	295
Entropy (8bit):	5.109873588416339
Encrypted:	false
SSDEEP:	6:P3JG81923oH+TcwtSQM72KLll3cIVSVq2P923oH+TcwtSQMxIFUv:P5GxYeb0LnM5v4YebrFUv
MD5:	8282A6996E63C2F9665DFABC504BD049
SHA1:	BEEE0B706ED5AD515E18A11A9E0D31AA50B30B6E
SHA-256:	5EE173162FC558F5F2A4443B3309533FBF5E46CA6272F7972A42A6504937ABD3
SHA-512:	ADC62ABBF0D4C20A89D7F36C3F2D8C29C12F92DC9F306BB361E097285F5AAF8A9999A652DEDA6177F44AC27083A11DD0EE71A1E54FF89B100AEB1F634200243B
Malicious:	false
Preview:	2024/09/04-07:13:10.079 1d50 Creating DB C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Session Storage since it was missing..2024/09/04-07:13:10.107 1d50 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Session Storage/MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Session Storage\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Shortcuts

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 5, cookie 0x2, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.44194574462308833
Encrypted:	false
SSDEEP:	12:TLiNCcUMskMVcIWGhWxBzEXx7AAQlvsdFxOUwa5qgufTJpbZ75fOS:TLisVMnYPhIY5Qlvsd6UwccNp15fB
MD5:	B35F740AA7FFEA282E525838EABFE0A6
SHA1:	A67822C17670CCE0BA72D3E9C8DA0CE755A3421A
SHA-256:	5D599596D116802BAD422497CF68BE59EEB7A9135E3ED1C6BEACC48F73827161
SHA-512:	05C0D33516B2C1AB6928FB34957AD3E03CB0A8B7EEC0FD627DD263589655A16DEA79100B6CC29095C3660C95FD2AFB2E4DD023F0597BD586DD664769CABB67F8
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g....."....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Site Characteristics Database\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Site Characteristics Database\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	40
Entropy (8bit):	3.473726825238924
Encrypted:	false
SSDEEP:	3:41tt0diERGn:et084G
MD5:	148079685E25097536785F4536AF014B
SHA1:	C5FF5B1B69487A9DD4D244D11BBAFA91708C1A41
SHA-256:	F096BC366A931FBA656BDCD77B24AF15A5F29FC53281A727C79F82C608ECFAB8
SHA-512:	C2556034EA51ABFBC172EB62FF11F5AC45C317F84F39D4B9E3DDBD0190DA6EF7FA03FE63631B97AB806430442974A07F8E81B5F7DC52D9F2FCDC669ADCA8D91F
Malicious:	false
Preview:	.On.!................database_metadata.1

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Site Characteristics Database\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Site Characteristics Database\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	323
Entropy (8bit):	5.122235771863851
Encrypted:	false
SSDEEP:	6:P3o+R1923oH+TcwtgUh2gr52KLll3orCNcM+q2P923oH+TcwtgUh2ghZIFUv:Pt8Yeb3hHJLn4M+v4Yeb3hHh2FUv
MD5:	DFDEC09E7C227CA78786794A6FFEFB62
SHA1:	EA183FB0E1AFB8C52BA4DA6FF24A0131377826A9
SHA-256:	A8F26B0E49A19104A1264C6A05FA47754E17725AE0CFD9A8F40F1678D89BBFA1
SHA-512:	7B3AF6DE3B70202F174D204C6D7B31E976EEE1E7F166ED29E567DAD3E8FB08401B5A6344A4FFBCABF42335EB230514B62E6F6F108D94A88BD6D34A958FC92912
Malicious:	false
Preview:	2024/09/04-07:12:52.817 1c6c Creating DB C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Site Characteristics Database since it was missing..2024/09/04-07:12:52.831 1c6c Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Site Characteristics Database/MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Site Characteristics Database\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Cache\Cache_Data\data_0

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 512, next free block index 3284796609, field type 0
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.01057775872642915
Encrypted:	false
SSDEEP:	3:MsFl:/F
MD5:	CF89D16BB9107C631DAABF0C0EE58EFB
SHA1:	3AE5D3A7CF1F94A56E42F9A58D90A0B9616AE74B
SHA-256:	D6A5FE39CD672781B256E0E3102F7022635F1D4BB7CFCC90A80FFFE4D0F3877E
SHA-512:	8CB5B059C8105EB91E74A7D5952437AAA1ADA89763C5843E7B0F1B93D9EBE15ED40F287C652229291FAC02D712CF7FF5ECECEF276BA0D7DDC35558A3EC3F77B0
Malicious:	false
Preview:	............$...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Cache\Cache_Data\data_1

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	270336
Entropy (8bit):	8.280239615765425E-4
Encrypted:	false
SSDEEP:	3:MsEllllkEthXllkl2:/M/xT02
MD5:	D0D388F3865D0523E451D6BA0BE34CC4
SHA1:	8571C6A52AACC2747C048E3419E5657B74612995
SHA-256:	902F30C1FB0597D0734BC34B979EC5D131F8F39A4B71B338083821216EC8D61B
SHA-512:	376011D00DE659EB6082A74E862CFAC97A9BB508E0B740761505142E2D24EC1C30AA61EFBC1C0DD08FF0F34734444DE7F77DD90A6CA42B48A4C7FAD5F0BDDD17
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Cache\Cache_Data\data_2

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.011852361981932763
Encrypted:	false
SSDEEP:	3:MsHlDll:/H
MD5:	0962291D6D367570BEE5454721C17E11
SHA1:	59D10A893EF321A706A9255176761366115BEDCB
SHA-256:	EC1702806F4CC7C42A82FC2B38E89835FDE7C64BB32060E0823C9077CA92EFB7
SHA-512:	F555E961B69E09628EAF9C61F465871E6984CD4D31014F954BB747351DAD9CEA6D17C1DB4BCA2C1EB7F187CB5F3C0518748C339C8B43BBD1DBD94AEAA16F58ED
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Cache\Cache_Data\data_3

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.012340643231932763
Encrypted:	false
SSDEEP:	3:MsGl3ll:/y
MD5:	41876349CB12D6DB992F1309F22DF3F0
SHA1:	5CF26B3420FC0302CD0A71E8D029739B8765BE27
SHA-256:	E09F42C398D688DCE168570291F1F92D079987DEDA3099A34ADB9E8C0522B30C
SHA-512:	E9A4FC1F7CB6AE2901F8E02354A92C4AAA7A53C640DCF692DB42A27A5ACC2A3BFB25A0DE0EB08AB53983132016E7D43132EA4292E439BB636AAFD53FB6EF907E
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Cache\Cache_Data\index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 768, next free block index 3284796353, field type 0
Category:	dropped
Size (bytes):	524656
Entropy (8bit):	5.027445846313988E-4
Encrypted:	false
SSDEEP:	3:Lsulqvk:LsF
MD5:	E8886C5A023B1F73B89235AA8EB49CFE
SHA1:	CDF24EB41A54CACC0C6F017C4F8A73037EE492EA
SHA-256:	6BBF65832852B1E9AA9BDE14897BA932C68360CED6BE8940BA6C084281259F70
SHA-512:	0B584751062B3D550D3ABAEA317D1DA9168B345DE9BEC38762E20E776A5DA8D4A34D92CD36764517D4DEFB8282B1B093DDDEF9C91BAB5C4A5B490BA8B433C5A2
Malicious:	false
Preview:	..........................................H.../.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\js\index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	2.1431558784658327
Encrypted:	false
SSDEEP:	3:m+l:m
MD5:	54CB446F628B2EA4A5BCE5769910512E
SHA1:	C27CA848427FE87F5CF4D0E0E3CD57151B0D820D
SHA-256:	FBCFE23A2ECB82B7100C50811691DDE0A33AA3DA8D176BE9882A9DB485DC0F2D
SHA-512:	8F6ED2E91AED9BD415789B1DBE591E7EAB29F3F1B48FDFA5E864D7BF4AE554ACC5D82B4097A770DABC228523253623E4296C5023CF48252E1B94382C43123CB0
Malicious:	false
Preview:	0\r..m..................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\js\index-dir\temp-index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	48
Entropy (8bit):	2.9972243200613975
Encrypted:	false
SSDEEP:	3:9H3Oc9EeMal:E1y
MD5:	F27B29EBE1CE0BAFBC043D66C733CE27
SHA1:	8FD6D23CF81A713192AEDECE6E8D9610B4B262DD
SHA-256:	FDC5B7C0CDF3701F9065C804072E7BF316389229D932C62F870313898BBCF4D1
SHA-512:	14E844C178A35D6BFC6DEF9191D720513E1A4FE30A74BBEC002561353E98C3FFF915801498797DF0E1F38EBFE6064FD905F2D3C9D1C83840EFE503D139932D9D
Malicious:	false
Preview:	(...`b.^oy retne............................../.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\js\index-dir\the-real-index (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	48
Entropy (8bit):	2.9972243200613975
Encrypted:	false
SSDEEP:	3:9H3Oc9EeMal:E1y
MD5:	F27B29EBE1CE0BAFBC043D66C733CE27
SHA1:	8FD6D23CF81A713192AEDECE6E8D9610B4B262DD
SHA-256:	FDC5B7C0CDF3701F9065C804072E7BF316389229D932C62F870313898BBCF4D1
SHA-512:	14E844C178A35D6BFC6DEF9191D720513E1A4FE30A74BBEC002561353E98C3FFF915801498797DF0E1F38EBFE6064FD905F2D3C9D1C83840EFE503D139932D9D
Malicious:	false
Preview:	(...`b.^oy retne............................../.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\wasm\index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	2.1431558784658327
Encrypted:	false
SSDEEP:	3:m+l:m
MD5:	54CB446F628B2EA4A5BCE5769910512E
SHA1:	C27CA848427FE87F5CF4D0E0E3CD57151B0D820D
SHA-256:	FBCFE23A2ECB82B7100C50811691DDE0A33AA3DA8D176BE9882A9DB485DC0F2D
SHA-512:	8F6ED2E91AED9BD415789B1DBE591E7EAB29F3F1B48FDFA5E864D7BF4AE554ACC5D82B4097A770DABC228523253623E4296C5023CF48252E1B94382C43123CB0
Malicious:	false
Preview:	0\r..m..................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\wasm\index-dir\temp-index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	48
Entropy (8bit):	2.9555576533947305
Encrypted:	false
SSDEEP:	3:tKjUKaEu6s6Bl:4jUK1Ds6T
MD5:	A84A7ECDBB1F2566DD5B9C75326C3170
SHA1:	6DD3FE0BF876C4EF2435CABB9B64BB55984B1EFA
SHA-256:	52266610582849FDECA01BA0B175C207B3202693624E331818D0B1E07EF10CAD
SHA-512:	30CDB8325391139368CD261B7DB78F8A920A520D94423447C6F8062039F3BF423738B29800874DF66A24FE5C0A99CB97044FD3A2A24B2E4C08F9B564C9DDC59D
Malicious:	false
Preview:	(...0..qoy retne........................r...../.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\wasm\index-dir\the-real-index (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	48
Entropy (8bit):	2.9555576533947305
Encrypted:	false
SSDEEP:	3:tKjUKaEu6s6Bl:4jUK1Ds6T
MD5:	A84A7ECDBB1F2566DD5B9C75326C3170
SHA1:	6DD3FE0BF876C4EF2435CABB9B64BB55984B1EFA
SHA-256:	52266610582849FDECA01BA0B175C207B3202693624E331818D0B1E07EF10CAD
SHA-512:	30CDB8325391139368CD261B7DB78F8A920A520D94423447C6F8062039F3BF423738B29800874DF66A24FE5C0A99CB97044FD3A2A24B2E4C08F9B564C9DDC59D
Malicious:	false
Preview:	(...0..qoy retne........................r...../.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\DawnCache\data_0

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 512, next free block index 3284796609, field type 0
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.01057775872642915
Encrypted:	false
SSDEEP:	3:MsFl:/F
MD5:	CF89D16BB9107C631DAABF0C0EE58EFB
SHA1:	3AE5D3A7CF1F94A56E42F9A58D90A0B9616AE74B
SHA-256:	D6A5FE39CD672781B256E0E3102F7022635F1D4BB7CFCC90A80FFFE4D0F3877E
SHA-512:	8CB5B059C8105EB91E74A7D5952437AAA1ADA89763C5843E7B0F1B93D9EBE15ED40F287C652229291FAC02D712CF7FF5ECECEF276BA0D7DDC35558A3EC3F77B0
Malicious:	false
Preview:	............$...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\DawnCache\data_1

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	270336
Entropy (8bit):	0.0012471779557650352
Encrypted:	false
SSDEEP:	3:MsEllllkEthXllkl2zE:/M/xT02z
MD5:	F50F89A0A91564D0B8A211F8921AA7DE
SHA1:	112403A17DD69D5B9018B8CEDE023CB3B54EAB7D
SHA-256:	B1E963D702392FB7224786E7D56D43973E9B9EFD1B89C17814D7C558FFC0CDEC
SHA-512:	BF8CDA48CF1EC4E73F0DD1D4FA5562AF1836120214EDB74957430CD3E4A2783E801FA3F4ED2AFB375257CAEED4ABE958265237D6E0AACF35A9EDE7A2E8898D58
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\DawnCache\data_2

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.011852361981932763
Encrypted:	false
SSDEEP:	3:MsHlDll:/H
MD5:	0962291D6D367570BEE5454721C17E11
SHA1:	59D10A893EF321A706A9255176761366115BEDCB
SHA-256:	EC1702806F4CC7C42A82FC2B38E89835FDE7C64BB32060E0823C9077CA92EFB7
SHA-512:	F555E961B69E09628EAF9C61F465871E6984CD4D31014F954BB747351DAD9CEA6D17C1DB4BCA2C1EB7F187CB5F3C0518748C339C8B43BBD1DBD94AEAA16F58ED
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\DawnCache\data_3

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.012340643231932763
Encrypted:	false
SSDEEP:	3:MsGl3ll:/y
MD5:	41876349CB12D6DB992F1309F22DF3F0
SHA1:	5CF26B3420FC0302CD0A71E8D029739B8765BE27
SHA-256:	E09F42C398D688DCE168570291F1F92D079987DEDA3099A34ADB9E8C0522B30C
SHA-512:	E9A4FC1F7CB6AE2901F8E02354A92C4AAA7A53C640DCF692DB42A27A5ACC2A3BFB25A0DE0EB08AB53983132016E7D43132EA4292E439BB636AAFD53FB6EF907E
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\DawnCache\index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 768, next free block index 3284796353, field type 0
Category:	dropped
Size (bytes):	262512
Entropy (8bit):	9.47693366977411E-4
Encrypted:	false
SSDEEP:	3:LsNlfTll:Ls3b
MD5:	732990F2F24AD4BD8CB04B19DFB9C351
SHA1:	7559403C21BB2DBA2B321613C27B33E71B0598A0
SHA-256:	44310B5EC0528F3D76B468389A77090E1538B2164A49958084989E5BF40F6850
SHA-512:	36B44FE2CD6AE5339C7C8E65D71AB090C6367D58090EE431776F071FA68A2BFDC34621BC695702EFE186402931FEB0C16AF3801EB5C11D4527DCA0E7753B0844
Malicious:	false
Preview:	.........................................Z..../.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\data_0

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 512, next free block index 3284796609, field type 0
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.01057775872642915
Encrypted:	false
SSDEEP:	3:MsFl:/F
MD5:	CF89D16BB9107C631DAABF0C0EE58EFB
SHA1:	3AE5D3A7CF1F94A56E42F9A58D90A0B9616AE74B
SHA-256:	D6A5FE39CD672781B256E0E3102F7022635F1D4BB7CFCC90A80FFFE4D0F3877E
SHA-512:	8CB5B059C8105EB91E74A7D5952437AAA1ADA89763C5843E7B0F1B93D9EBE15ED40F287C652229291FAC02D712CF7FF5ECECEF276BA0D7DDC35558A3EC3F77B0
Malicious:	false
Preview:	............$...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\data_1

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	270336
Entropy (8bit):	0.0012471779557650352
Encrypted:	false
SSDEEP:	3:MsEllllkEthXllkl2zE:/M/xT02z
MD5:	F50F89A0A91564D0B8A211F8921AA7DE
SHA1:	112403A17DD69D5B9018B8CEDE023CB3B54EAB7D
SHA-256:	B1E963D702392FB7224786E7D56D43973E9B9EFD1B89C17814D7C558FFC0CDEC
SHA-512:	BF8CDA48CF1EC4E73F0DD1D4FA5562AF1836120214EDB74957430CD3E4A2783E801FA3F4ED2AFB375257CAEED4ABE958265237D6E0AACF35A9EDE7A2E8898D58
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\data_2

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.011852361981932763
Encrypted:	false
SSDEEP:	3:MsHlDll:/H
MD5:	0962291D6D367570BEE5454721C17E11
SHA1:	59D10A893EF321A706A9255176761366115BEDCB
SHA-256:	EC1702806F4CC7C42A82FC2B38E89835FDE7C64BB32060E0823C9077CA92EFB7
SHA-512:	F555E961B69E09628EAF9C61F465871E6984CD4D31014F954BB747351DAD9CEA6D17C1DB4BCA2C1EB7F187CB5F3C0518748C339C8B43BBD1DBD94AEAA16F58ED
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\data_3

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.012340643231932763
Encrypted:	false
SSDEEP:	3:MsGl3ll:/y
MD5:	41876349CB12D6DB992F1309F22DF3F0
SHA1:	5CF26B3420FC0302CD0A71E8D029739B8765BE27
SHA-256:	E09F42C398D688DCE168570291F1F92D079987DEDA3099A34ADB9E8C0522B30C
SHA-512:	E9A4FC1F7CB6AE2901F8E02354A92C4AAA7A53C640DCF692DB42A27A5ACC2A3BFB25A0DE0EB08AB53983132016E7D43132EA4292E439BB636AAFD53FB6EF907E
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 768, next free block index 3284796353, field type 0
Category:	dropped
Size (bytes):	262512
Entropy (8bit):	9.553120663130604E-4
Encrypted:	false
SSDEEP:	3:LsNl8sl:Ls3
MD5:	55081F7BDC5CAA57411BC9D1377570D6
SHA1:	1E9A3663BA6207306A4E5C2F7D84095D7BB7C567
SHA-256:	30DBB53C4FF6463DA3926C401BF8F71133134993E35E434C789E750E1CA7C953
SHA-512:	3BE24A8130D413DE618C47D0E48F542ACD487F3646F39C4248AE14DEBB6BB84B391D2E9F142BE8B83E3762FD635A2680E46F0C64872822D2F0379394E7E7658A
Malicious:	false
Preview:	........................................s...../.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	405
Entropy (8bit):	5.212056243365271
Encrypted:	false
SSDEEP:	6:P3o9c81923oH+Tcwt0jqEKj3K/2jM8B2KLll3ovTVq2P923oH+Tcwt0jqEKj3K/M:PdxYebqqBvFLnARv4YebqqBQFUv
MD5:	ADD231E0AFE5092B736C11AAFE9D370A
SHA1:	9BEB6D12CB70B312EBEFB3CD8B153F708736EE37
SHA-256:	A9484675929DB4CD92F699301E6AF3C7E33D21A3765773085ED4A0526115F915
SHA-512:	5A9751BEE2F54622EE928DA94F32EAB734DBEBE3E688E0B9AAE5FCE4EB3DEBF2AD5EBBF02ACBD88CDE3E93EEB00C42C86F3230EAA17E94AF456384EF1D1345C5
Malicious:	false
Preview:	2024/09/04-07:12:54.699 1d50 Creating DB C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb since it was missing..2024/09/04-07:12:54.894 1d50 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb/MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\0ce09696-a5e1-4100-b888-65599db75a93.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	40
Entropy (8bit):	4.1275671571169275
Encrypted:	false
SSDEEP:	3:Y2ktGMxkAXWMSN:Y2xFMSN
MD5:	20D4B8FA017A12A108C87F540836E250
SHA1:	1AC617FAC131262B6D3CE1F52F5907E31D5F6F00
SHA-256:	6028BD681DBF11A0A58DDE8A0CD884115C04CAA59D080BA51BDE1B086CE0079D
SHA-512:	507B2B8A8A168FF8F2BDAFA5D9D341C44501A5F17D9F63F3D43BD586BC9E8AE33221887869FA86F845B7D067CB7D2A7009EFD71DDA36E03A40A74FEE04B86856
Malicious:	false
Preview:	{"SDCH":{"dictionaries":{},"version":2}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\715b664a-fee3-4d82-8d89-769d53e4a42e.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\Network Persistent State (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	59
Entropy (8bit):	4.619434150836742
Encrypted:	false
SSDEEP:	3:YLbkVKJq0nMb1KKtiVY:YHkVKJTnMRK3VY
MD5:	2800881C775077E1C4B6E06BF4676DE4
SHA1:	2873631068C8B3B9495638C865915BE822442C8B
SHA-256:	226EEC4486509917AA336AFEBD6FF65777B75B65F1FB06891D2A857A9421A974
SHA-512:	E342407AB65CC68F1B3FD706CD0A37680A0864FFD30A6539730180EDE2CDCD732CC97AE0B9EF7DB12DA5C0F83E429DF0840DBF7596ACA859A0301665E517377B
Malicious:	false
Preview:	{"net":{"network_qualities":{"CAESABiAgICA+P////8B":"4G"}}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\Network Persistent State~RF44429.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	59
Entropy (8bit):	4.619434150836742
Encrypted:	false
SSDEEP:	3:YLbkVKJq0nMb1KKtiVY:YHkVKJTnMRK3VY
MD5:	2800881C775077E1C4B6E06BF4676DE4
SHA1:	2873631068C8B3B9495638C865915BE822442C8B
SHA-256:	226EEC4486509917AA336AFEBD6FF65777B75B65F1FB06891D2A857A9421A974
SHA-512:	E342407AB65CC68F1B3FD706CD0A37680A0864FFD30A6539730180EDE2CDCD732CC97AE0B9EF7DB12DA5C0F83E429DF0840DBF7596ACA859A0301665E517377B
Malicious:	false
Preview:	{"net":{"network_qualities":{"CAESABiAgICA+P////8B":"4G"}}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\Reporting and NEL

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 9, cookie 0x4, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	36864
Entropy (8bit):	0.5559635235158827
Encrypted:	false
SSDEEP:	48:T6IopKWurJNVr1GJmA8pv82pfurJNVrdHXuccaurJN2VrJ1n4n1GmzNGU1cSB:OIEumQv8m1ccnvS6
MD5:	9AAAE8C040B616D1378F3E0E17689A29
SHA1:	F91E7DE07F1DA14D15D067E1F50C3B84A328DBB7
SHA-256:	5B94D63C31AE795661F69B9D10E8BFD115584CD6FEF5FBB7AA483FDC6A66945B
SHA-512:	436202AB8B6BB0318A30946108E6722DFF781F462EE05980C14F57F347EDDCF8119E236C3290B580CEF6902E1B59FB4F546D6BD69F62479805B39AB0F3308EC1
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...D.........7............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\SCT Auditing Pending Reports (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\Sdch Dictionaries (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	40
Entropy (8bit):	4.1275671571169275
Encrypted:	false
SSDEEP:	3:Y2ktGMxkAXWMSN:Y2xFMSN
MD5:	20D4B8FA017A12A108C87F540836E250
SHA1:	1AC617FAC131262B6D3CE1F52F5907E31D5F6F00
SHA-256:	6028BD681DBF11A0A58DDE8A0CD884115C04CAA59D080BA51BDE1B086CE0079D
SHA-512:	507B2B8A8A168FF8F2BDAFA5D9D341C44501A5F17D9F63F3D43BD586BC9E8AE33221887869FA86F845B7D067CB7D2A7009EFD71DDA36E03A40A74FEE04B86856
Malicious:	false
Preview:	{"SDCH":{"dictionaries":{},"version":2}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\Trust Tokens

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 9, cookie 0x6, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	36864
Entropy (8bit):	0.36515621748816035
Encrypted:	false
SSDEEP:	24:TLH3lIIAoDJ84l5lDlnDMlRlyKDtM6UwccWfp15fBIe:Tb31DtX5nDOvyKDhU1cSB
MD5:	25363ADC3C9D98BAD1A33D0792405CBF
SHA1:	D06E343087D86EF1A06F7479D81B26C90A60B5C3
SHA-256:	6E019B8B9E389216D5BDF1F2FE63F41EF98E71DA101F2A6BE04F41CC5954532D
SHA-512:	CF7EEE35D0E00945AF221BEC531E8BF06C08880DA00BD103FA561BC069D7C6F955CBA3C1C152A4884601E5A670B7487D39B4AE9A4D554ED8C14F129A74E555F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.......X..g...}.....$.X..............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\f033f28f-36a0-49b8-be81-752acedba43b.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	59
Entropy (8bit):	4.619434150836742
Encrypted:	false
SSDEEP:	3:YLbkVKJq0nMb1KKtiVY:YHkVKJTnMRK3VY
MD5:	2800881C775077E1C4B6E06BF4676DE4
SHA1:	2873631068C8B3B9495638C865915BE822442C8B
SHA-256:	226EEC4486509917AA336AFEBD6FF65777B75B65F1FB06891D2A857A9421A974
SHA-512:	E342407AB65CC68F1B3FD706CD0A37680A0864FFD30A6539730180EDE2CDCD732CC97AE0B9EF7DB12DA5C0F83E429DF0840DBF7596ACA859A0301665E517377B
Malicious:	false
Preview:	{"net":{"network_qualities":{"CAESABiAgICA+P////8B":"4G"}}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Network\f2b3e50f-a43b-4b5f-a165-eeb040604d1c.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	111
Entropy (8bit):	4.718418993774295
Encrypted:	false
SSDEEP:	3:YLb9N+eAXRfHDH2LS7PMVKJq0nMb1KKtiVY:YHpoeS7PMVKJTnMRK3VY
MD5:	285252A2F6327D41EAB203DC2F402C67
SHA1:	ACEDB7BA5FBC3CE914A8BF386A6F72CA7BAA33C6
SHA-256:	5DFC321417FC31359F23320EA68014EBFD793C5BBED55F77DAB4180BBD4A2026
SHA-512:	11CE7CB484FEE66894E63C31DB0D6B7EF66AD0327D4E7E2EB85F3BCC2E836A3A522C68D681E84542E471E54F765E091EFE1EE4065641B0299B15613EB32DCC0D
Malicious:	false
Preview:	{"net":{"http_server_properties":{"servers":[],"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"4G"}}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Session Storage\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Session Storage\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	61
Entropy (8bit):	3.7273991737283296
Encrypted:	false
SSDEEP:	3:S8ltHlS+QUl1ASEGhTFl:S85aEFl
MD5:	9F7EADC15E13D0608B4E4D590499AE2E
SHA1:	AFB27F5C20B117031328E12DD3111A7681FF8DB5
SHA-256:	5C3A5B578AB9FE853EAD7040BC161929EA4F6902073BA2B8BB84487622B98923
SHA-512:	88455784C705F565C70FA0A549C54E2492976E14643E9DD0A8E58C560D003914313DF483F096BD33EC718AEEC7667B8DE063A73627AA3436BA6E7E562E565B3F
Malicious:	false
Preview:	*...#................version.1..namespace-..&f...............

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Session Storage\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Session Storage\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	393
Entropy (8bit):	5.186805269748331
Encrypted:	false
SSDEEP:	6:P3aZuR81923oH+Tcwt0jqEKj0QM72KLll3adSVq2P923oH+Tcwt0jqEKj0QMxIF2:P7xYebqqB6LnSOv4YebqqBZFUv
MD5:	24BF6299B7A032C636282F8EA6A0FD9D
SHA1:	F46F2737F4E7C48356AFE54C79B2C2DCEC3B8192
SHA-256:	05030F83DA9A6297DF615CFD2E2D20E0275E54022CFD07F3E0232B2040640F26
SHA-512:	C835C85F409D469D1D8EFC2136C7DC3FECB3B758A44CAE6A049938FC72FDA716E560236735E5BCC75A6F182956D8542DF8A33D509EEA4723943D87A1326661B9
Malicious:	false
Preview:	2024/09/04-07:13:10.760 1d50 Creating DB C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Session Storage since it was missing..2024/09/04-07:13:10.793 1d50 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Session Storage/MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Session Storage\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Sync Data\LevelDB\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Sync Data\LevelDB\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	46
Entropy (8bit):	4.019797536844534
Encrypted:	false
SSDEEP:	3:sLollttz6sjlGXU2tkn:qolXtWswXU2tkn
MD5:	90881C9C26F29FCA29815A08BA858544
SHA1:	06FEE974987B91D82C2839A4BB12991FA99E1BDD
SHA-256:	A2CA52E34B6138624AC2DD20349CDE28482143B837DB40A7F0FBDA023077C26A
SHA-512:	15F7F8197B4FC46C4C5C2570FB1F6DD73CB125F9EE53DFA67F5A0D944543C5347BDAB5CCE95E91DD6C948C9023E23C7F9D76CFF990E623178C92F8D49150A625
Malicious:	false
Preview:	...n'................_mts_schema_descriptor...

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Sync Data\LevelDB\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Sync Data\LevelDB\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	299
Entropy (8bit):	5.245871809388717
Encrypted:	false
SSDEEP:	6:P3ovH1923oH+Tcwtkx2KLll3osF9+q2P923oH+TcwtCIFUv:PwCYebkVLn9F4v4YebLFUv
MD5:	F5A5059D73C6CCE75C4364998AF6445A
SHA1:	2F092CFD50503080A6D914ED391CF0B66D898D24
SHA-256:	54271A6C5BE5A88A9D3D8B0F2560D31F2D3B2D53EF0D6DF4513574AAD0574052
SHA-512:	C50CCC8DC1A6C30F1B0323928071F1BAE755F04638ADC8C215BC446171E4A6046A5B02FAA8B98BC67A2530119B22AA3988405F6A04E5D105F9D0ED4CD6FAF1FA
Malicious:	false
Preview:	2024/09/04-07:12:52.893 1c68 Creating DB C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Sync Data\LevelDB since it was missing..2024/09/04-07:12:53.031 1c68 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Sync Data\LevelDB/MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Sync Data\LevelDB\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Top Sites

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 5, cookie 0x2, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.3528485475628876
Encrypted:	false
SSDEEP:	12:TLiN6CZhDu6MvDOF5yEHFxOUwa5qguYZ75fOSiPe2d:TLiwCZwE8I6Uwcco5fBtC
MD5:	F2B4FB2D384AA4E4D6F4AEB0BBA217DC
SHA1:	2CD70CFB3CE72D9B079170C360C1F563B6BF150E
SHA-256:	1ECC07CD1D383472DAD33D2A5766625009EA5EACBAEDE2417ADA1842654CBBC8
SHA-512:	48D03991660FA1598B3E002F5BC5F0F05E9696BCB2289240FA8CCBB2C030CDD23245D4ECC0C64DA1E7C54B092C3E60AE0427358F63087018BF0E6CEDC471DD34
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g.....4....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Visited Links

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	0.002110589502647469
Encrypted:	false
SSDEEP:	3:ImtV802p:IiVg
MD5:	DF22A1F442984E496A061278D7F18CCE
SHA1:	B0EA0DE5E95514F8E5F731E5E70C0CCD9ABD6208
SHA-256:	33AA6736DC99FF76467CA42D343D9771AC67F368E3EBB30EBA3C888DAF5EA587
SHA-512:	D7AF6F4BDCA1EE69D07371A02F70A906507F33CDA5A1E46A25BBF12C1F0C340618FD04615B206031C699172A45A1B55C7F1D796533CEF25B230BACD53B61DF54
Malicious:	false
Preview:	VLnk.....?......YSC<.`..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\Web Data

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 4, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	182272
Entropy (8bit):	1.0773671051254048
Encrypted:	false
SSDEEP:	192:erb2qAdB9TbTbuDDsnxCkOvSAE+WslKOMq+vVumYzBn66:e/2qOB1nxCkOvSAELyKOMq+vVum+p
MD5:	4B66BD625D6E12D437F03D5FB8A303E3
SHA1:	00F81F0416F791632ADA1DADC2FF187144DD04D0
SHA-256:	861C082A10E87BD7E31444CC0377CA6B1C05834AE9C76815992E4188852E3AEF
SHA-512:	840FF76C719412191651DC482FB90AA4ACFC34A115691EC3B96957E797415C7330CAF5A5029E94E044AA38C69B0DC4024453EE814F316F6D38E6961F128B239F
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\WebAssistDatabase

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 10, database pages 7, cookie 0xb, schema 4, UTF-8, version-valid-for 10
Category:	dropped
Size (bytes):	14336
Entropy (8bit):	0.7836182415564406
Encrypted:	false
SSDEEP:	24:LLqlCouxhK3thdkSdj5QjUsEGcGBXp22iSBgm+xjgm:uOK3tjkSdj5IUltGhp22iSBgm+xj/
MD5:	AA9965434F66985F0979719F3035C6E1
SHA1:	39FC31CBB2BB4F8FA8FB6C34154FB48FBCBAEEF4
SHA-256:	F42877E694E9AFC76E1BBA279F6EC259E28A7E7C574EFDCC15D58EFAE06ECA09
SHA-512:	201667EAA3DF7DBCCF296DE6FCF4E79897C1BB744E29EF37235C44821A18EAD78697DFEB9253AA01C0DC28E5758E2AF50852685CDC9ECA1010DBAEE642590CEA
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..................n..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\arbitration_service_config.json

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text, with very long lines (3951), with CRLF line terminators
Category:	dropped
Size (bytes):	11755
Entropy (8bit):	5.190465908239046
Encrypted:	false
SSDEEP:	192:hH4vrmqRBB4W4PoiUDNaxvR5FCHFcoaSbqGEDI:hH4vrmUB6W4jR3GaSbqGEDI
MD5:	07301A857C41B5854E6F84CA00B81EA0
SHA1:	7441FC1018508FF4F3DBAA139A21634C08ED979C
SHA-256:	2343C541E095E1D5F202E8D2A0807113E69E1969AF8E15E3644C51DB0BF33FBF
SHA-512:	00ADE38E9D2F07C64648202F1D5F18A2DFB2781C0517EAEBCD567D8A77DBB7CB40A58B7C7D4EC03336A63A20D2E11DD64448F020C6FF72F06CA870AA2B4765E0
Malicious:	false
Preview:	{.. "DefaultCohort": {.. "21f3388b-c2a5-4791-8f6e-a4cad6d17f4f.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.BingHomePage.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.Covid.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.Finance.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.Jobs.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.KnowledgeCard.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.Local.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.NTP3PCLICK.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.NotifySearchPage.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.Recipe.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.SearchPage.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.Sports.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.Travel.Bubble": 1,.. "2354565a-f412-4654-b89c-f92eaa9dbd20.Weather.Bubble": 1,.. "2cb2db96-3bd0-403e-abe2-9269b3761041.Bubble": 1,.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\c14d696d-e55a-4cc1-9053-8478391a90c3.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	6426
Entropy (8bit):	4.978484852173554
Encrypted:	false
SSDEEP:	96:stDqfXis12Mb9a+XuON8zMs85eh6Cb7/x+6MhmuecmAem/zQG+2MN/EJ:stD7sE5gpNkMs88bV+FiAn+PNMJ
MD5:	4F4DDE6182AFA4EF0FF81F347DDBBAFE
SHA1:	ED60DE7D42CB0C03C9A483534C36081F576291E9
SHA-256:	1289B9E9D3B40C9B0E399ECA49FF5AEDC1DB71281A480AEC4C07B261E54CC513
SHA-512:	77386930314782A80432F2FFEDA52102738489840724F40C61C4CDF0BEF86839AE0CC2F7AC1C777286CBE7705F3EB314BF379B21E02AF640899CEC08CED36912
Malicious:	false
Preview:	{"aadc_info":{"age_group":0},"account_tracker_service_last_update":"13369921974423840","alternate_error_pages":{"backup":true},"apps":{"shortcuts_arch":"","shortcuts_version":0},"arbitration_using_experiment_config":false,"browser":{"available_dark_theme_options":"All","has_seen_welcome_page":false},"continuous_migration":{"ci_correction_for_holdout_treatment_state":1},"countryid_at_install":17224,"custom_links":{"list":[]},"domain_diversity":{"last_reporting_timestamp":"13369921974425066"},"download":{"default_directory":"C:\\Users\\user\\AppData\\Local\\Microsoft\\Edge\\KioskDownloads\\","directory_upgrade":true},"dual_engine":{"consumer_mode":{"ie_user":false},"consumer_site_list_with_ie_entries":false,"consumer_sitelist_location":"","consumer_sitelist_version":"","external_consumer_shared_cookie_data":{},"shared_cookie_data":{},"sitelist_data_2":{},"sitelist_has_consumer_data":false,"sitelist_has_enterprise_data":false,"sitelist_location":"","sitelist_source":0,"sitelist_version"

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\fffbe8f7-93f6-4f34-9bad-0cc07d3d1958.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	6292
Entropy (8bit):	4.971242511142306
Encrypted:	false
SSDEEP:	96:stDqfXis12Mb9a+XuON8zMs85eh6Cb7/x+6MhmuecmAem/SG+2MN/EJ:stD7sE5gpNkMs88bV+FiA/+PNMJ
MD5:	72FC86298975028DFE9EBAC6683D2E51
SHA1:	9B1F4F5DA5C0E912E6B2048439F063740287FDC0
SHA-256:	1A8FD966779567D08B4ED0723D69F24F150EDB02D520074A82A63CEEB63B374A
SHA-512:	7E5FBB56CFF1C5C02996C4D17DB29D8CBE06433B288D43B5DE20CDF2D79268E1FCFA601551BB4877A895BBC9AFC54E84D6579B92243FE1B46B0832BF023F2950
Malicious:	false
Preview:	{"aadc_info":{"age_group":0},"account_tracker_service_last_update":"13369921974423840","alternate_error_pages":{"backup":true},"apps":{"shortcuts_arch":"","shortcuts_version":0},"arbitration_using_experiment_config":false,"browser":{"available_dark_theme_options":"All","has_seen_welcome_page":false},"continuous_migration":{"ci_correction_for_holdout_treatment_state":1},"countryid_at_install":17224,"custom_links":{"list":[]},"domain_diversity":{"last_reporting_timestamp":"13369921974425066"},"download":{"default_directory":"C:\\Users\\user\\AppData\\Local\\Microsoft\\Edge\\KioskDownloads\\","directory_upgrade":true},"dual_engine":{"consumer_mode":{"ie_user":false},"consumer_site_list_with_ie_entries":false,"consumer_sitelist_location":"","consumer_sitelist_version":"","external_consumer_shared_cookie_data":{},"shared_cookie_data":{},"sitelist_data_2":{},"sitelist_has_consumer_data":false,"sitelist_has_enterprise_data":false,"sitelist_location":"","sitelist_source":0,"sitelist_version"

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\heavy_ad_intervention_opt_out.db

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 2, database pages 4, cookie 0x2, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.35226517389931394
Encrypted:	false
SSDEEP:	12:TLC+waBg9LBgVDBgQjiZBgKuFtuQkMbmgcVAzO5kMCgGUg5OR:TLPdBgtBgJBgQjiZS53uQFE27MCgGZsR
MD5:	D2CCDC36225684AAE8FA563AFEDB14E7
SHA1:	3759649035F23004A4C30A14C5F0B54191BEBF80
SHA-256:	080AEE864047C67CB1586A5BA5EDA007AFD18ECC2B702638287E386F159D7AEE
SHA-512:	1A915AF643D688CA68AEDC1FF26C407D960D18DFDE838B417C437D7ADAC7B91C906E782DCC414784E64287915BD1DE5BB6A282E59AA9FEB8C384B4D4BC5F70EC
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.......Q......Q......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\load_statistics.db

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, writer version 2, read version 2, file counter 1, database pages 1, cookie 0, schema 0, unknown 0 encoding, version-valid-for 1
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.0905602561507182
Encrypted:	false
SSDEEP:	3:lSWFN3sl+ltlMWll:l9Fys1M
MD5:	A8E75ACC11904CB877E15A0D0DE03941
SHA1:	FBEE05EA246A7F08F7390237EA8B7E49204EF0E0
SHA-256:	D78C40FEBE1BA7EC83660B78E3F6AB7BC45AB822B8F21B03B16B9CB4F3B3A259
SHA-512:	A7B52B0575D451466A47AFFE3DCC0BC7FC9A6F8AB8194DA1F046AADA0EDDCCA76B4326AA9F19732BA50359B51EC72896BB8FA2FC23BAA6847C33AB51218511A4
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\load_statistics.db-journal

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite Rollback Journal
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.28499812076190567
Encrypted:	false
SSDEEP:	3:7FEG2l/mz/X/lFll:7+/l/c
MD5:	12C50CA9A4AC522938711FAC51BDB71C
SHA1:	EFD60FFE9160548D6E8EC9A016CD4DCDDB7B821D
SHA-256:	6D4D6F872F37500A9CDCDDE37502358C9F097F42185F1D6F78CC38938A7FC341
SHA-512:	B8B4685F4069B49C22DED29E0D8F9819150D4E325346C0E1871CC62FC91EF4DE62FAC7963CF24A733AF9D3E977F653D1B41FDECBB6C2C46ABCB59AE7A35D7E8F
Malicious:	false
Preview:	.... .c......va+................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\load_statistics.db-shm

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.04956300960139089
Encrypted:	false
SSDEEP:	6:GLW0bwhpt+kLaW0bwhpt+kLuL9X8hslotGLNl0ml/XoQDeX:aUhkUhaGEjVl/XoQ
MD5:	0D410E1CA9392E462E64CB6909CC1219
SHA1:	61E2DD8D2DA218A8C572310E09A6274A3FF3FA6A
SHA-256:	69F5B26F37DFB5E665F540570347F9F6A16AE67A42B97C6DA4CA78A915E45544
SHA-512:	B499A9D117D918587E70705BCBFAC2BFD5DDDAE0C21E7895C7FB0F74E7E49D8B2C1BB3FD5CE111439691BDA31C0E6D4FF376F10620277995EC69A85BAD734E0C
Malicious:	false
Preview:	..-.....................R.H..?....R..A.:eJ....3...-.....................R.H..?....R..A.:eJ....3.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\load_statistics.db-wal

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite Write-Ahead Log, version 3007000
Category:	dropped
Size (bytes):	70072
Entropy (8bit):	0.9979202236840549
Encrypted:	false
SSDEEP:	48:xzxetlO+uPcbX+wTn9VAKAFXX+t2VAKAFXX+nxOqVAKAFXX+7nUYVAKAFXX+4Xf0:FxqO/NsrNsxO5NsqNs4X8
MD5:	11203FFA79F77EEC16BFD30381F58085
SHA1:	7038817CB456F6B89AB39ADA38B62B556704672A
SHA-256:	B862B9EFA1E145CD5D5B626D487C9790D1F6676FCA3AD47DF3F7D919AF55F741
SHA-512:	EA85BFC64828C49F495AB55CAD3B377E23514124D6A56BA5C0966B7F30A727C9941170BD254B6505F44F64B77DF0E3D5FA3AAC0569C8A99283DA7D531F5AE5A3
Malicious:	false
Preview:	7....-............R..A.:.9...O............R..A.:...c..SQLite format 3......@ ..........................................................................j.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\shared_proto_db\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\shared_proto_db\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	modified
Size (bytes):	1566
Entropy (8bit):	5.4942504554089036
Encrypted:	false
SSDEEP:	48:gZB8TSBSqQclUP+HRHoxuIYjIYczcqkNMYjMYBy7AlkfAlkd3K:60qQaIYjIYczcbNMYjMYoYcYw3K
MD5:	49F86C24A55EDCC1BFC47A65AB8C0ECB
SHA1:	7CD2AB34E629518177905E9901DD63BB3E0A36DD
SHA-256:	E5E7434DFE45937346DF9F3EEBCB6128C3BCC4C8E8AEEBAC9ECD713C667381DE
SHA-512:	1536D4B3B2091E6471B46941598FA8C7B02F3DAD2DB9E38F728004879F1F50BE090197933E012763C6BFC9A326DC5896E639B9BE248D9C1D02DA1BD8D3752293
Malicious:	false
Preview:	A..r.................20_1_1...1.,U.................20_1_1...1..&f.................&f....................................4_IPH_CompanionSidePanel...IPH_CompanionSidePanel.....$4_IPH_CompanionSidePanelRegionSearch(."IPH_CompanionSidePanelRegionSearch......4_IPH_DownloadToolbarButton...IPH_DownloadToolbarButton.....&4_IPH_FocusHelpBubbleScreenReaderPromo.$IPH_FocusHelpBubbleScreenReaderPromo......4_IPH_GMCCastStartStop...IPH_GMCCastStartStop......4_IPH_HighEfficiencyMode...IPH_HighEfficiencyMode......4_IPH_LiveCaption...IPH_LiveCaption......4_IPH_PasswordsAccountStorage!..IPH_PasswordsAccountStorage....."4_IPH_PasswordsWebAppProfileSwitch&. IPH_PasswordsWebAppProfileSwitch.....-4_IPH_PriceInsightsPageActionIconLabelFeature1.+IPH_PriceInsightsPageActionIconLabelFeature......4_IPH_PriceTrackingChipFeature"..IPH_PriceTrackingChipFeature.....&4_IPH_PriceTrackingEmailConsentFeature.$IPH_PriceTrackingEmailConsentFeature.....-4_IPH_PriceTrackingPageActionIconLabelFeature1.+IPH_PriceTrackingPa

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\shared_proto_db\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\shared_proto_db\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	295
Entropy (8bit):	5.231719020157223
Encrypted:	false
SSDEEP:	6:P3oCD1923oH+Tcwt0rl2KLll3ov34q2P923oH+Tcwt0rK+IFUv:PmYebeLno4v4Yeb13FUv
MD5:	3DA63D760CCA694F5ED2A07D7F644386
SHA1:	368A436B7FA19820E646D37197D394C90C4BF92D
SHA-256:	46B2B04A00B5574F244ED315DCA5DD18A34CA726838AC82100906AEF68598EED
SHA-512:	BD0705B318346B480F2BA50940CB49539FEF69FA57E3DC09BF011AECC6117FF43E78E2E2F4BDAFB13F157F2AAA924A1541994AB886CA8050E746000C486E3929
Malicious:	false
Preview:	2024/09/04-07:12:53.325 1c20 Creating DB C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\shared_proto_db since it was missing..2024/09/04-07:12:53.337 1c20 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\shared_proto_db/MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\shared_proto_db\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\shared_proto_db\metadata\000001.dbtmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\shared_proto_db\metadata\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	729
Entropy (8bit):	3.9479986538414393
Encrypted:	false
SSDEEP:	12:G0nYUtTNop//z3T6/b8gA7QRmPStub/RG0lbANqa:G0nYUtypD3TKbXEc25m
MD5:	FE93E8284646BC0FD92B3280C8979FEE
SHA1:	9CB9F3C018B22C2231ABEB0A9CABCBE06C2A4EBD
SHA-256:	4ABFEFE77E14B8D5BF5E6F66C36B0B2D707C0E21A1F46FA601E4E06997B2F5C0
SHA-512:	EC168A4CB7874C903329C41EC8C3F0236DC949E0894111A1EED6E793F21C9D5F9EAF005BE42A2585334FAD5E969E31DCF1911AB7223AEB9CD62625F6774C19D4
Malicious:	false
Preview:	.h.6.................__global... .t...................__global... .9..b.................33_..........................33_........v.................21_.....vuNX.................21_.....<...................20_...../...................20_.....W.J+.................19_......qY.................18_.....5oP..................3_.......\4.................4_.....G....................37_.....[Q.\|.................38_.......K..................39_......R...................20_.......1..................19_......(...................18_.....:.=..................3_......W2..................4_.....)..>.................37_..........................38_.....h.#..................39_.....P"...................9_.........................9_.....

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\shared_proto_db\metadata\CURRENT (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:	3:1sjgWIV//Uv:1qIFUv
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\shared_proto_db\metadata\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	313
Entropy (8bit):	5.202477723874998
Encrypted:	false
SSDEEP:	6:P3od1923oH+Tcwt0rzs52KLll3oS4q2P923oH+Tcwt0rzAdIFUv:PpYeb99LnN4v4YebyFUv
MD5:	6492579E8DBC722EB376E564E36DDEAE
SHA1:	080D81C38F175CDB6F63C052DA82469BAC9679AF
SHA-256:	4F6FAE71DC3FDFC716CA7AF30F21D4AB3E7334AD959BEA9EC1704683D774CF89
SHA-512:	5D46A33DBF0B873F539F40750232DBB48F47D22355D82F6024BB0777965847BEC067296B317F8524A4EAAC13CD3E489361C6F62F873D26F62CD11CE25B82BC94
Malicious:	false
Preview:	2024/09/04-07:12:53.296 1c20 Creating DB C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\shared_proto_db\metadata since it was missing..2024/09/04-07:12:53.323 1c20 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\shared_proto_db\metadata/MANIFEST-000001.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\shared_proto_db\metadata\MANIFEST-000001

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:	3:scoBAIxQRDKIVjn:scoBY7jn
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\GrShaderCache\data_0

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 512, next free block index 3284796609, field type 0
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.01057775872642915
Encrypted:	false
SSDEEP:	3:MsFl:/F
MD5:	CF89D16BB9107C631DAABF0C0EE58EFB
SHA1:	3AE5D3A7CF1F94A56E42F9A58D90A0B9616AE74B
SHA-256:	D6A5FE39CD672781B256E0E3102F7022635F1D4BB7CFCC90A80FFFE4D0F3877E
SHA-512:	8CB5B059C8105EB91E74A7D5952437AAA1ADA89763C5843E7B0F1B93D9EBE15ED40F287C652229291FAC02D712CF7FF5ECECEF276BA0D7DDC35558A3EC3F77B0
Malicious:	false
Preview:	............$...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\GrShaderCache\data_1

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	270336
Entropy (8bit):	8.280239615765425E-4
Encrypted:	false
SSDEEP:	3:MsEllllkEthXllkl2:/M/xT02
MD5:	D0D388F3865D0523E451D6BA0BE34CC4
SHA1:	8571C6A52AACC2747C048E3419E5657B74612995
SHA-256:	902F30C1FB0597D0734BC34B979EC5D131F8F39A4B71B338083821216EC8D61B
SHA-512:	376011D00DE659EB6082A74E862CFAC97A9BB508E0B740761505142E2D24EC1C30AA61EFBC1C0DD08FF0F34734444DE7F77DD90A6CA42B48A4C7FAD5F0BDDD17
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\GrShaderCache\data_2

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.011852361981932763
Encrypted:	false
SSDEEP:	3:MsHlDll:/H
MD5:	0962291D6D367570BEE5454721C17E11
SHA1:	59D10A893EF321A706A9255176761366115BEDCB
SHA-256:	EC1702806F4CC7C42A82FC2B38E89835FDE7C64BB32060E0823C9077CA92EFB7
SHA-512:	F555E961B69E09628EAF9C61F465871E6984CD4D31014F954BB747351DAD9CEA6D17C1DB4BCA2C1EB7F187CB5F3C0518748C339C8B43BBD1DBD94AEAA16F58ED
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\GrShaderCache\data_3

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.012340643231932763
Encrypted:	false
SSDEEP:	3:MsGl3ll:/y
MD5:	41876349CB12D6DB992F1309F22DF3F0
SHA1:	5CF26B3420FC0302CD0A71E8D029739B8765BE27
SHA-256:	E09F42C398D688DCE168570291F1F92D079987DEDA3099A34ADB9E8C0522B30C
SHA-512:	E9A4FC1F7CB6AE2901F8E02354A92C4AAA7A53C640DCF692DB42A27A5ACC2A3BFB25A0DE0EB08AB53983132016E7D43132EA4292E439BB636AAFD53FB6EF907E
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\GrShaderCache\index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 768, next free block index 3284796353, field type 0
Category:	dropped
Size (bytes):	262512
Entropy (8bit):	9.553120663130604E-4
Encrypted:	false
SSDEEP:	3:LsNlZ9l:Ls3Z
MD5:	79D70BD4DA7D6FE151FAEACAD51F852E
SHA1:	08EA29501E8E1B62235B6F8D65DE4870D991A194
SHA-256:	50D5EE6B0FEB0CC3BEB27EBA1A47E9B16B973D0AB33384AE20A781E7B09F3D20
SHA-512:	4816F0D158448C2E0FA1C8B007F56E3041A733FED85C7CD89772BAEBC7AD3454B7222A72535E91D6A36D55816C43D9FB45DF14580A671AE0BB827522EA109705
Malicious:	false
Preview:	............................................../.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\GraphiteDawnCache\data_0

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 512, next free block index 3284796609, field type 0
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.01057775872642915
Encrypted:	false
SSDEEP:	3:MsFl:/F
MD5:	CF89D16BB9107C631DAABF0C0EE58EFB
SHA1:	3AE5D3A7CF1F94A56E42F9A58D90A0B9616AE74B
SHA-256:	D6A5FE39CD672781B256E0E3102F7022635F1D4BB7CFCC90A80FFFE4D0F3877E
SHA-512:	8CB5B059C8105EB91E74A7D5952437AAA1ADA89763C5843E7B0F1B93D9EBE15ED40F287C652229291FAC02D712CF7FF5ECECEF276BA0D7DDC35558A3EC3F77B0
Malicious:	false
Preview:	............$...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\GraphiteDawnCache\data_1

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	270336
Entropy (8bit):	8.280239615765425E-4
Encrypted:	false
SSDEEP:	3:MsEllllkEthXllkl2:/M/xT02
MD5:	D0D388F3865D0523E451D6BA0BE34CC4
SHA1:	8571C6A52AACC2747C048E3419E5657B74612995
SHA-256:	902F30C1FB0597D0734BC34B979EC5D131F8F39A4B71B338083821216EC8D61B
SHA-512:	376011D00DE659EB6082A74E862CFAC97A9BB508E0B740761505142E2D24EC1C30AA61EFBC1C0DD08FF0F34734444DE7F77DD90A6CA42B48A4C7FAD5F0BDDD17
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\GraphiteDawnCache\data_2

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.011852361981932763
Encrypted:	false
SSDEEP:	3:MsHlDll:/H
MD5:	0962291D6D367570BEE5454721C17E11
SHA1:	59D10A893EF321A706A9255176761366115BEDCB
SHA-256:	EC1702806F4CC7C42A82FC2B38E89835FDE7C64BB32060E0823C9077CA92EFB7
SHA-512:	F555E961B69E09628EAF9C61F465871E6984CD4D31014F954BB747351DAD9CEA6D17C1DB4BCA2C1EB7F187CB5F3C0518748C339C8B43BBD1DBD94AEAA16F58ED
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\GraphiteDawnCache\data_3

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.012340643231932763
Encrypted:	false
SSDEEP:	3:MsGl3ll:/y
MD5:	41876349CB12D6DB992F1309F22DF3F0
SHA1:	5CF26B3420FC0302CD0A71E8D029739B8765BE27
SHA-256:	E09F42C398D688DCE168570291F1F92D079987DEDA3099A34ADB9E8C0522B30C
SHA-512:	E9A4FC1F7CB6AE2901F8E02354A92C4AAA7A53C640DCF692DB42A27A5ACC2A3BFB25A0DE0EB08AB53983132016E7D43132EA4292E439BB636AAFD53FB6EF907E
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\GraphiteDawnCache\index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 768, next free block index 3284796353, field type 0
Category:	dropped
Size (bytes):	262512
Entropy (8bit):	9.553120663130604E-4
Encrypted:	false
SSDEEP:	3:LsNlq/:Ls3
MD5:	173D3C89A402EBF2148D090AE41D21BF
SHA1:	818181120ED323A94ECBB1FF3DAC3447BB23B5D9
SHA-256:	DBE1765B6809762DE4BEAADCAF4BA96BA21C85AC0108EC5DEE6B5B9628C23948
SHA-512:	7E4C7A3CF3BF69AFDC8765ED1A4B3E707CCD65B794C1EACBB09CE29D3236A5E618B887E17349271D09E1FBF76C961C4B7507782714BBA9AB4E31BF330E02866B
Malicious:	false
Preview:	........................................Zq..../.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Last Browser

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	120
Entropy (8bit):	3.32524464792714
Encrypted:	false
SSDEEP:	3:tbloIlrJFlXnpQoWcNylRjlgbYnPdJiG6R7lZAUAl:tbdlrYoWcV0n1IGi7kBl
MD5:	A397E5983D4A1619E36143B4D804B870
SHA1:	AA135A8CC2469CFD1EF2D7955F027D95BE5DFBD4
SHA-256:	9C70F766D3B84FC2BB298EFA37CC9191F28BEC336329CC11468CFADBC3B137F4
SHA-512:	4159EA654152D2810C95648694DD71957C84EA825FCCA87B36F7E3282A72B30EF741805C610C5FA847CA186E34BDE9C289AAA7B6931C5B257F1D11255CD2A816
Malicious:	false
Preview:	C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.M.i.c.r.o.s.o.f.t.\.E.d.g.e.\.A.p.p.l.i.c.a.t.i.o.n.\.m.s.e.d.g.e...e.x.e.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Last Version

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	13
Entropy (8bit):	2.7192945256669794
Encrypted:	false
SSDEEP:	3:NYLFRQI:ap2I
MD5:	BF16C04B916ACE92DB941EBB1AF3CB18
SHA1:	FA8DAEAE881F91F61EE0EE21BE5156255429AA8A
SHA-256:	7FC23C9028A316EC0AC25B09B5B0D61A1D21E58DFCF84C2A5F5B529129729098
SHA-512:	F0B7DF5517596B38D57C57B5777E008D6229AB5B1841BBE74602C77EEA2252BF644B8650C7642BD466213F62E15CC7AB5A95B28E26D3907260ED1B96A74B65FB
Malicious:	false
Preview:	117.0.2045.47

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Local State (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1371
Entropy (8bit):	5.525331511488017
Encrypted:	false
SSDEEP:	24:YpQBqDPak7u5rrtFRhDKVHejKpyikuJdXBuBuwBgsaVOVNhhIVXRQQRCYfYg:YuBqDPaflhuVjFxgBzBDYOZCVmB0
MD5:	599476CB4D75C1817DEBC6DA4DC50E02
SHA1:	DBA61DE31FF87ED42648B8496ACD2B59F76B0289
SHA-256:	D4CAF26762A31408BA7A20F445E35A3837B17EAA505FBE2768568911EDE55CF5
SHA-512:	6A5D3AA7477D1C87013A6EA362F4AE1BE252A8F7A1DAFED19C520B8BD31527BCF1297E19AB07B0DB84F438558D60D1D71E7181A5074408667887F2ED7FD90194
Malicious:	false
Preview:	{"edge":{"perf_center":{"efficiency_mode_v2_is_active":false,"perf_game_mode":true,"performance_mode":3,"performance_mode_is_on":false}},"legacy":{"profile":{"name":{"migrated":true}}},"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAABwOEytpCIMRZi1E0KfXQnYEAAAAB4AAABNAGkAYwByAG8AcwBvAGYAdAAgAEUAZABnAGUAAAAQZgAAAAEAACAAAAAyCPSvPPSr08WLeAROze3a6Sabtk62mlV7n4midIaLWAAAAAAOgAAAAAIAACAAAADw7aeN5JiWRYL+GuUKSL2AU7ADs2RRDVn8X/1ZSTijxTAAAAB1xKeo8SoDrP4ex0ecDPS+z8CZppZo5OUDHTvaq3Y7mdedJBjeJ1ql5zhqOCbE6g9AAAAAy4QUaAAiGqNtmLMsf2CbhHhfS0iH9CqlrjGn+0okjWt2q/j+7Zo55d5HuUTElK9y7OfJWTc5um+cCwbYxA5xlQ=="},"profile":{"info_cache":{},"profile_counts_reported":"13369921972126260","profiles_order":[]},"smartscreen":{"enabled":true,"pua_protection_enabled":true},"telemetry_client":{"install_source_name":"windows","os_integration_level":5,"updater_version":"1.3.177.11","windows_update_applied":false},"uninstall_metrics":{"installation_date2":"1725448372"},"user_experienc

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Local State~RF312fc.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1371
Entropy (8bit):	5.525331511488017
Encrypted:	false
SSDEEP:	24:YpQBqDPak7u5rrtFRhDKVHejKpyikuJdXBuBuwBgsaVOVNhhIVXRQQRCYfYg:YuBqDPaflhuVjFxgBzBDYOZCVmB0
MD5:	599476CB4D75C1817DEBC6DA4DC50E02
SHA1:	DBA61DE31FF87ED42648B8496ACD2B59F76B0289
SHA-256:	D4CAF26762A31408BA7A20F445E35A3837B17EAA505FBE2768568911EDE55CF5
SHA-512:	6A5D3AA7477D1C87013A6EA362F4AE1BE252A8F7A1DAFED19C520B8BD31527BCF1297E19AB07B0DB84F438558D60D1D71E7181A5074408667887F2ED7FD90194
Malicious:	false
Preview:	{"edge":{"perf_center":{"efficiency_mode_v2_is_active":false,"perf_game_mode":true,"performance_mode":3,"performance_mode_is_on":false}},"legacy":{"profile":{"name":{"migrated":true}}},"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAABwOEytpCIMRZi1E0KfXQnYEAAAAB4AAABNAGkAYwByAG8AcwBvAGYAdAAgAEUAZABnAGUAAAAQZgAAAAEAACAAAAAyCPSvPPSr08WLeAROze3a6Sabtk62mlV7n4midIaLWAAAAAAOgAAAAAIAACAAAADw7aeN5JiWRYL+GuUKSL2AU7ADs2RRDVn8X/1ZSTijxTAAAAB1xKeo8SoDrP4ex0ecDPS+z8CZppZo5OUDHTvaq3Y7mdedJBjeJ1ql5zhqOCbE6g9AAAAAy4QUaAAiGqNtmLMsf2CbhHhfS0iH9CqlrjGn+0okjWt2q/j+7Zo55d5HuUTElK9y7OfJWTc5um+cCwbYxA5xlQ=="},"profile":{"info_cache":{},"profile_counts_reported":"13369921972126260","profiles_order":[]},"smartscreen":{"enabled":true,"pua_protection_enabled":true},"telemetry_client":{"install_source_name":"windows","os_integration_level":5,"updater_version":"1.3.177.11","windows_update_applied":false},"uninstall_metrics":{"installation_date2":"1725448372"},"user_experienc

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Local State~RF3130c.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1371
Entropy (8bit):	5.525331511488017
Encrypted:	false
SSDEEP:	24:YpQBqDPak7u5rrtFRhDKVHejKpyikuJdXBuBuwBgsaVOVNhhIVXRQQRCYfYg:YuBqDPaflhuVjFxgBzBDYOZCVmB0
MD5:	599476CB4D75C1817DEBC6DA4DC50E02
SHA1:	DBA61DE31FF87ED42648B8496ACD2B59F76B0289
SHA-256:	D4CAF26762A31408BA7A20F445E35A3837B17EAA505FBE2768568911EDE55CF5
SHA-512:	6A5D3AA7477D1C87013A6EA362F4AE1BE252A8F7A1DAFED19C520B8BD31527BCF1297E19AB07B0DB84F438558D60D1D71E7181A5074408667887F2ED7FD90194
Malicious:	false
Preview:	{"edge":{"perf_center":{"efficiency_mode_v2_is_active":false,"perf_game_mode":true,"performance_mode":3,"performance_mode_is_on":false}},"legacy":{"profile":{"name":{"migrated":true}}},"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAABwOEytpCIMRZi1E0KfXQnYEAAAAB4AAABNAGkAYwByAG8AcwBvAGYAdAAgAEUAZABnAGUAAAAQZgAAAAEAACAAAAAyCPSvPPSr08WLeAROze3a6Sabtk62mlV7n4midIaLWAAAAAAOgAAAAAIAACAAAADw7aeN5JiWRYL+GuUKSL2AU7ADs2RRDVn8X/1ZSTijxTAAAAB1xKeo8SoDrP4ex0ecDPS+z8CZppZo5OUDHTvaq3Y7mdedJBjeJ1ql5zhqOCbE6g9AAAAAy4QUaAAiGqNtmLMsf2CbhHhfS0iH9CqlrjGn+0okjWt2q/j+7Zo55d5HuUTElK9y7OfJWTc5um+cCwbYxA5xlQ=="},"profile":{"info_cache":{},"profile_counts_reported":"13369921972126260","profiles_order":[]},"smartscreen":{"enabled":true,"pua_protection_enabled":true},"telemetry_client":{"install_source_name":"windows","os_integration_level":5,"updater_version":"1.3.177.11","windows_update_applied":false},"uninstall_metrics":{"installation_date2":"1725448372"},"user_experienc

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Local State~RF314e1.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1371
Entropy (8bit):	5.525331511488017
Encrypted:	false
SSDEEP:	24:YpQBqDPak7u5rrtFRhDKVHejKpyikuJdXBuBuwBgsaVOVNhhIVXRQQRCYfYg:YuBqDPaflhuVjFxgBzBDYOZCVmB0
MD5:	599476CB4D75C1817DEBC6DA4DC50E02
SHA1:	DBA61DE31FF87ED42648B8496ACD2B59F76B0289
SHA-256:	D4CAF26762A31408BA7A20F445E35A3837B17EAA505FBE2768568911EDE55CF5
SHA-512:	6A5D3AA7477D1C87013A6EA362F4AE1BE252A8F7A1DAFED19C520B8BD31527BCF1297E19AB07B0DB84F438558D60D1D71E7181A5074408667887F2ED7FD90194
Malicious:	false
Preview:	{"edge":{"perf_center":{"efficiency_mode_v2_is_active":false,"perf_game_mode":true,"performance_mode":3,"performance_mode_is_on":false}},"legacy":{"profile":{"name":{"migrated":true}}},"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAABwOEytpCIMRZi1E0KfXQnYEAAAAB4AAABNAGkAYwByAG8AcwBvAGYAdAAgAEUAZABnAGUAAAAQZgAAAAEAACAAAAAyCPSvPPSr08WLeAROze3a6Sabtk62mlV7n4midIaLWAAAAAAOgAAAAAIAACAAAADw7aeN5JiWRYL+GuUKSL2AU7ADs2RRDVn8X/1ZSTijxTAAAAB1xKeo8SoDrP4ex0ecDPS+z8CZppZo5OUDHTvaq3Y7mdedJBjeJ1ql5zhqOCbE6g9AAAAAy4QUaAAiGqNtmLMsf2CbhHhfS0iH9CqlrjGn+0okjWt2q/j+7Zo55d5HuUTElK9y7OfJWTc5um+cCwbYxA5xlQ=="},"profile":{"info_cache":{},"profile_counts_reported":"13369921972126260","profiles_order":[]},"smartscreen":{"enabled":true,"pua_protection_enabled":true},"telemetry_client":{"install_source_name":"windows","os_integration_level":5,"updater_version":"1.3.177.11","windows_update_applied":false},"uninstall_metrics":{"installation_date2":"1725448372"},"user_experienc

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Local State~RF3158d.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1371
Entropy (8bit):	5.525331511488017
Encrypted:	false
SSDEEP:	24:YpQBqDPak7u5rrtFRhDKVHejKpyikuJdXBuBuwBgsaVOVNhhIVXRQQRCYfYg:YuBqDPaflhuVjFxgBzBDYOZCVmB0
MD5:	599476CB4D75C1817DEBC6DA4DC50E02
SHA1:	DBA61DE31FF87ED42648B8496ACD2B59F76B0289
SHA-256:	D4CAF26762A31408BA7A20F445E35A3837B17EAA505FBE2768568911EDE55CF5
SHA-512:	6A5D3AA7477D1C87013A6EA362F4AE1BE252A8F7A1DAFED19C520B8BD31527BCF1297E19AB07B0DB84F438558D60D1D71E7181A5074408667887F2ED7FD90194
Malicious:	false
Preview:	{"edge":{"perf_center":{"efficiency_mode_v2_is_active":false,"perf_game_mode":true,"performance_mode":3,"performance_mode_is_on":false}},"legacy":{"profile":{"name":{"migrated":true}}},"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAABwOEytpCIMRZi1E0KfXQnYEAAAAB4AAABNAGkAYwByAG8AcwBvAGYAdAAgAEUAZABnAGUAAAAQZgAAAAEAACAAAAAyCPSvPPSr08WLeAROze3a6Sabtk62mlV7n4midIaLWAAAAAAOgAAAAAIAACAAAADw7aeN5JiWRYL+GuUKSL2AU7ADs2RRDVn8X/1ZSTijxTAAAAB1xKeo8SoDrP4ex0ecDPS+z8CZppZo5OUDHTvaq3Y7mdedJBjeJ1ql5zhqOCbE6g9AAAAAy4QUaAAiGqNtmLMsf2CbhHhfS0iH9CqlrjGn+0okjWt2q/j+7Zo55d5HuUTElK9y7OfJWTc5um+cCwbYxA5xlQ=="},"profile":{"info_cache":{},"profile_counts_reported":"13369921972126260","profiles_order":[]},"smartscreen":{"enabled":true,"pua_protection_enabled":true},"telemetry_client":{"install_source_name":"windows","os_integration_level":5,"updater_version":"1.3.177.11","windows_update_applied":false},"uninstall_metrics":{"installation_date2":"1725448372"},"user_experienc

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Local State~RF33c2f.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1371
Entropy (8bit):	5.525331511488017
Encrypted:	false
SSDEEP:	24:YpQBqDPak7u5rrtFRhDKVHejKpyikuJdXBuBuwBgsaVOVNhhIVXRQQRCYfYg:YuBqDPaflhuVjFxgBzBDYOZCVmB0
MD5:	599476CB4D75C1817DEBC6DA4DC50E02
SHA1:	DBA61DE31FF87ED42648B8496ACD2B59F76B0289
SHA-256:	D4CAF26762A31408BA7A20F445E35A3837B17EAA505FBE2768568911EDE55CF5
SHA-512:	6A5D3AA7477D1C87013A6EA362F4AE1BE252A8F7A1DAFED19C520B8BD31527BCF1297E19AB07B0DB84F438558D60D1D71E7181A5074408667887F2ED7FD90194
Malicious:	false
Preview:	{"edge":{"perf_center":{"efficiency_mode_v2_is_active":false,"perf_game_mode":true,"performance_mode":3,"performance_mode_is_on":false}},"legacy":{"profile":{"name":{"migrated":true}}},"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAABwOEytpCIMRZi1E0KfXQnYEAAAAB4AAABNAGkAYwByAG8AcwBvAGYAdAAgAEUAZABnAGUAAAAQZgAAAAEAACAAAAAyCPSvPPSr08WLeAROze3a6Sabtk62mlV7n4midIaLWAAAAAAOgAAAAAIAACAAAADw7aeN5JiWRYL+GuUKSL2AU7ADs2RRDVn8X/1ZSTijxTAAAAB1xKeo8SoDrP4ex0ecDPS+z8CZppZo5OUDHTvaq3Y7mdedJBjeJ1ql5zhqOCbE6g9AAAAAy4QUaAAiGqNtmLMsf2CbhHhfS0iH9CqlrjGn+0okjWt2q/j+7Zo55d5HuUTElK9y7OfJWTc5um+cCwbYxA5xlQ=="},"profile":{"info_cache":{},"profile_counts_reported":"13369921972126260","profiles_order":[]},"smartscreen":{"enabled":true,"pua_protection_enabled":true},"telemetry_client":{"install_source_name":"windows","os_integration_level":5,"updater_version":"1.3.177.11","windows_update_applied":false},"uninstall_metrics":{"installation_date2":"1725448372"},"user_experienc

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Local State~RF38473.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1371
Entropy (8bit):	5.525331511488017
Encrypted:	false
SSDEEP:	24:YpQBqDPak7u5rrtFRhDKVHejKpyikuJdXBuBuwBgsaVOVNhhIVXRQQRCYfYg:YuBqDPaflhuVjFxgBzBDYOZCVmB0
MD5:	599476CB4D75C1817DEBC6DA4DC50E02
SHA1:	DBA61DE31FF87ED42648B8496ACD2B59F76B0289
SHA-256:	D4CAF26762A31408BA7A20F445E35A3837B17EAA505FBE2768568911EDE55CF5
SHA-512:	6A5D3AA7477D1C87013A6EA362F4AE1BE252A8F7A1DAFED19C520B8BD31527BCF1297E19AB07B0DB84F438558D60D1D71E7181A5074408667887F2ED7FD90194
Malicious:	false
Preview:	{"edge":{"perf_center":{"efficiency_mode_v2_is_active":false,"perf_game_mode":true,"performance_mode":3,"performance_mode_is_on":false}},"legacy":{"profile":{"name":{"migrated":true}}},"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAABwOEytpCIMRZi1E0KfXQnYEAAAAB4AAABNAGkAYwByAG8AcwBvAGYAdAAgAEUAZABnAGUAAAAQZgAAAAEAACAAAAAyCPSvPPSr08WLeAROze3a6Sabtk62mlV7n4midIaLWAAAAAAOgAAAAAIAACAAAADw7aeN5JiWRYL+GuUKSL2AU7ADs2RRDVn8X/1ZSTijxTAAAAB1xKeo8SoDrP4ex0ecDPS+z8CZppZo5OUDHTvaq3Y7mdedJBjeJ1ql5zhqOCbE6g9AAAAAy4QUaAAiGqNtmLMsf2CbhHhfS0iH9CqlrjGn+0okjWt2q/j+7Zo55d5HuUTElK9y7OfJWTc5um+cCwbYxA5xlQ=="},"profile":{"info_cache":{},"profile_counts_reported":"13369921972126260","profiles_order":[]},"smartscreen":{"enabled":true,"pua_protection_enabled":true},"telemetry_client":{"install_source_name":"windows","os_integration_level":5,"updater_version":"1.3.177.11","windows_update_applied":false},"uninstall_metrics":{"installation_date2":"1725448372"},"user_experienc

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Local State~RF3ff02.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1371
Entropy (8bit):	5.525331511488017
Encrypted:	false
SSDEEP:	24:YpQBqDPak7u5rrtFRhDKVHejKpyikuJdXBuBuwBgsaVOVNhhIVXRQQRCYfYg:YuBqDPaflhuVjFxgBzBDYOZCVmB0
MD5:	599476CB4D75C1817DEBC6DA4DC50E02
SHA1:	DBA61DE31FF87ED42648B8496ACD2B59F76B0289
SHA-256:	D4CAF26762A31408BA7A20F445E35A3837B17EAA505FBE2768568911EDE55CF5
SHA-512:	6A5D3AA7477D1C87013A6EA362F4AE1BE252A8F7A1DAFED19C520B8BD31527BCF1297E19AB07B0DB84F438558D60D1D71E7181A5074408667887F2ED7FD90194
Malicious:	false
Preview:	{"edge":{"perf_center":{"efficiency_mode_v2_is_active":false,"perf_game_mode":true,"performance_mode":3,"performance_mode_is_on":false}},"legacy":{"profile":{"name":{"migrated":true}}},"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAABwOEytpCIMRZi1E0KfXQnYEAAAAB4AAABNAGkAYwByAG8AcwBvAGYAdAAgAEUAZABnAGUAAAAQZgAAAAEAACAAAAAyCPSvPPSr08WLeAROze3a6Sabtk62mlV7n4midIaLWAAAAAAOgAAAAAIAACAAAADw7aeN5JiWRYL+GuUKSL2AU7ADs2RRDVn8X/1ZSTijxTAAAAB1xKeo8SoDrP4ex0ecDPS+z8CZppZo5OUDHTvaq3Y7mdedJBjeJ1ql5zhqOCbE6g9AAAAAy4QUaAAiGqNtmLMsf2CbhHhfS0iH9CqlrjGn+0okjWt2q/j+7Zo55d5HuUTElK9y7OfJWTc5um+cCwbYxA5xlQ=="},"profile":{"info_cache":{},"profile_counts_reported":"13369921972126260","profiles_order":[]},"smartscreen":{"enabled":true,"pua_protection_enabled":true},"telemetry_client":{"install_source_name":"windows","os_integration_level":5,"updater_version":"1.3.177.11","windows_update_applied":false},"uninstall_metrics":{"installation_date2":"1725448372"},"user_experienc

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Local State~RF42622.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1371
Entropy (8bit):	5.525331511488017
Encrypted:	false
SSDEEP:	24:YpQBqDPak7u5rrtFRhDKVHejKpyikuJdXBuBuwBgsaVOVNhhIVXRQQRCYfYg:YuBqDPaflhuVjFxgBzBDYOZCVmB0
MD5:	599476CB4D75C1817DEBC6DA4DC50E02
SHA1:	DBA61DE31FF87ED42648B8496ACD2B59F76B0289
SHA-256:	D4CAF26762A31408BA7A20F445E35A3837B17EAA505FBE2768568911EDE55CF5
SHA-512:	6A5D3AA7477D1C87013A6EA362F4AE1BE252A8F7A1DAFED19C520B8BD31527BCF1297E19AB07B0DB84F438558D60D1D71E7181A5074408667887F2ED7FD90194
Malicious:	false
Preview:	{"edge":{"perf_center":{"efficiency_mode_v2_is_active":false,"perf_game_mode":true,"performance_mode":3,"performance_mode_is_on":false}},"legacy":{"profile":{"name":{"migrated":true}}},"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAABwOEytpCIMRZi1E0KfXQnYEAAAAB4AAABNAGkAYwByAG8AcwBvAGYAdAAgAEUAZABnAGUAAAAQZgAAAAEAACAAAAAyCPSvPPSr08WLeAROze3a6Sabtk62mlV7n4midIaLWAAAAAAOgAAAAAIAACAAAADw7aeN5JiWRYL+GuUKSL2AU7ADs2RRDVn8X/1ZSTijxTAAAAB1xKeo8SoDrP4ex0ecDPS+z8CZppZo5OUDHTvaq3Y7mdedJBjeJ1ql5zhqOCbE6g9AAAAAy4QUaAAiGqNtmLMsf2CbhHhfS0iH9CqlrjGn+0okjWt2q/j+7Zo55d5HuUTElK9y7OfJWTc5um+cCwbYxA5xlQ=="},"profile":{"info_cache":{},"profile_counts_reported":"13369921972126260","profiles_order":[]},"smartscreen":{"enabled":true,"pua_protection_enabled":true},"telemetry_client":{"install_source_name":"windows","os_integration_level":5,"updater_version":"1.3.177.11","windows_update_applied":false},"uninstall_metrics":{"installation_date2":"1725448372"},"user_experienc

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Local State~RF484bd.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1371
Entropy (8bit):	5.525331511488017
Encrypted:	false
SSDEEP:	24:YpQBqDPak7u5rrtFRhDKVHejKpyikuJdXBuBuwBgsaVOVNhhIVXRQQRCYfYg:YuBqDPaflhuVjFxgBzBDYOZCVmB0
MD5:	599476CB4D75C1817DEBC6DA4DC50E02
SHA1:	DBA61DE31FF87ED42648B8496ACD2B59F76B0289
SHA-256:	D4CAF26762A31408BA7A20F445E35A3837B17EAA505FBE2768568911EDE55CF5
SHA-512:	6A5D3AA7477D1C87013A6EA362F4AE1BE252A8F7A1DAFED19C520B8BD31527BCF1297E19AB07B0DB84F438558D60D1D71E7181A5074408667887F2ED7FD90194
Malicious:	false
Preview:	{"edge":{"perf_center":{"efficiency_mode_v2_is_active":false,"perf_game_mode":true,"performance_mode":3,"performance_mode_is_on":false}},"legacy":{"profile":{"name":{"migrated":true}}},"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAABwOEytpCIMRZi1E0KfXQnYEAAAAB4AAABNAGkAYwByAG8AcwBvAGYAdAAgAEUAZABnAGUAAAAQZgAAAAEAACAAAAAyCPSvPPSr08WLeAROze3a6Sabtk62mlV7n4midIaLWAAAAAAOgAAAAAIAACAAAADw7aeN5JiWRYL+GuUKSL2AU7ADs2RRDVn8X/1ZSTijxTAAAAB1xKeo8SoDrP4ex0ecDPS+z8CZppZo5OUDHTvaq3Y7mdedJBjeJ1ql5zhqOCbE6g9AAAAAy4QUaAAiGqNtmLMsf2CbhHhfS0iH9CqlrjGn+0okjWt2q/j+7Zo55d5HuUTElK9y7OfJWTc5um+cCwbYxA5xlQ=="},"profile":{"info_cache":{},"profile_counts_reported":"13369921972126260","profiles_order":[]},"smartscreen":{"enabled":true,"pua_protection_enabled":true},"telemetry_client":{"install_source_name":"windows","os_integration_level":5,"updater_version":"1.3.177.11","windows_update_applied":false},"uninstall_metrics":{"installation_date2":"1725448372"},"user_experienc

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Nurturing\campaign_history

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 2, database pages 5, cookie 0x2, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.46731661083066856
Encrypted:	false
SSDEEP:	12:TL1QAFUxOUDaabZXiDiIF8izX4fhhdWeci2oesJaYi3is25q0S9K0xHZ75fOV:TLiOUOq0afDdWec9sJf5Q7J5fc
MD5:	E93ACF0820CA08E5A5D2D159729F70E3
SHA1:	2C1A4D4924B9AEC1A796F108607404B000877C5D
SHA-256:	F2267FDA7F45499F7A01186B75CEFB799F8D2BC97E2E9B5068952D477294302C
SHA-512:	3BF36C20E04DCF1C16DC794E272F82F68B0DE43F16B4A9746B63B6D6BBC953B00BD7111CDA7AFE85CEBB2C447145483A382B15E2B0A5B36026C3441635D4E50C
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\ShaderCache\data_0

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 512, next free block index 3284796609, field type 0
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.01057775872642915
Encrypted:	false
SSDEEP:	3:MsFl:/F
MD5:	CF89D16BB9107C631DAABF0C0EE58EFB
SHA1:	3AE5D3A7CF1F94A56E42F9A58D90A0B9616AE74B
SHA-256:	D6A5FE39CD672781B256E0E3102F7022635F1D4BB7CFCC90A80FFFE4D0F3877E
SHA-512:	8CB5B059C8105EB91E74A7D5952437AAA1ADA89763C5843E7B0F1B93D9EBE15ED40F287C652229291FAC02D712CF7FF5ECECEF276BA0D7DDC35558A3EC3F77B0
Malicious:	false
Preview:	............$...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\ShaderCache\data_1

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	270336
Entropy (8bit):	8.280239615765425E-4
Encrypted:	false
SSDEEP:	3:MsEllllkEthXllkl2:/M/xT02
MD5:	D0D388F3865D0523E451D6BA0BE34CC4
SHA1:	8571C6A52AACC2747C048E3419E5657B74612995
SHA-256:	902F30C1FB0597D0734BC34B979EC5D131F8F39A4B71B338083821216EC8D61B
SHA-512:	376011D00DE659EB6082A74E862CFAC97A9BB508E0B740761505142E2D24EC1C30AA61EFBC1C0DD08FF0F34734444DE7F77DD90A6CA42B48A4C7FAD5F0BDDD17
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\ShaderCache\data_2

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.011852361981932763
Encrypted:	false
SSDEEP:	3:MsHlDll:/H
MD5:	0962291D6D367570BEE5454721C17E11
SHA1:	59D10A893EF321A706A9255176761366115BEDCB
SHA-256:	EC1702806F4CC7C42A82FC2B38E89835FDE7C64BB32060E0823C9077CA92EFB7
SHA-512:	F555E961B69E09628EAF9C61F465871E6984CD4D31014F954BB747351DAD9CEA6D17C1DB4BCA2C1EB7F187CB5F3C0518748C339C8B43BBD1DBD94AEAA16F58ED
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\ShaderCache\data_3

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.012340643231932763
Encrypted:	false
SSDEEP:	3:MsGl3ll:/y
MD5:	41876349CB12D6DB992F1309F22DF3F0
SHA1:	5CF26B3420FC0302CD0A71E8D029739B8765BE27
SHA-256:	E09F42C398D688DCE168570291F1F92D079987DEDA3099A34ADB9E8C0522B30C
SHA-512:	E9A4FC1F7CB6AE2901F8E02354A92C4AAA7A53C640DCF692DB42A27A5ACC2A3BFB25A0DE0EB08AB53983132016E7D43132EA4292E439BB636AAFD53FB6EF907E
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\ShaderCache\index

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	FoxPro FPT, blocks size 768, next free block index 3284796353, field type 0
Category:	dropped
Size (bytes):	262512
Entropy (8bit):	9.553120663130604E-4
Encrypted:	false
SSDEEP:	3:LsNlpLx+/:Ls3Bk
MD5:	2CD7AF5D62CB7DE3B578B63842DC1191
SHA1:	A464A932204E973A802656D1C8F108864A97DEE1
SHA-256:	818510844AF11D1AEE5AFFA96C8EE204F54BFAA021EC62976CE6F43BF6FC9EE2
SHA-512:	4A8DC4317E3A8916B21C90CDD152F5A1777EB5529F878CA6CCD79D66215AB105B6074B50228AC3D0052438F48D11F17D1280DAA9AD1BD26F3CF5DD6F8AF11776
Malicious:	false
Preview:	............................................./.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\SmartScreen\RemoteData\customSettings

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	47
Entropy (8bit):	4.3818353308528755
Encrypted:	false
SSDEEP:	3:2jRo6jhM6ceYcUtS2djIn:5I2uxUt5Mn
MD5:	48324111147DECC23AC222A361873FC5
SHA1:	0DF8B2267ABBDBD11C422D23338262E3131A4223
SHA-256:	D8D672F953E823063955BD9981532FC3453800C2E74C0CC3653D091088ABD3B3
SHA-512:	E3B5DB7BA5E4E3DE3741F53D91B6B61D6EB9ECC8F4C07B6AE1C2293517F331B716114BAB41D7935888A266F7EBDA6FABA90023EFFEC850A929986053853F1E02
Malicious:	false
Preview:	customSettings_F95BA787499AB4FA9EFFF472CE383A14

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\SmartScreen\RemoteData\customSettings_F95BA787499AB4FA9EFFF472CE383A14

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	35
Entropy (8bit):	4.014438730983427
Encrypted:	false
SSDEEP:	3:YDMGA2ADH/AYKEqsYq:YQXT/bKE1F
MD5:	BB57A76019EADEDC27F04EB2FB1F1841
SHA1:	8B41A1B995D45B7A74A365B6B1F1F21F72F86760
SHA-256:	2BAE8302F9BD2D87AE26ACF692663DF1639B8E2068157451DA4773BD8BD30A2B
SHA-512:	A455D7F8E0BE9A27CFB7BE8FE0B0E722B35B4C8F206CAD99064473F15700023D5995CC2C4FAFDB8FBB50F0BAB3EC8B241E9A512C0766AAAE1A86C3472C589FFD
Malicious:	false
Preview:	{"forceServiceDetermination":false}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\SmartScreen\RemoteData\customSynchronousLookupUris

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	29
Entropy (8bit):	3.922828737239167
Encrypted:	false
SSDEEP:	3:2NGw+K+:fwZ+
MD5:	7BAAFE811F480ACFCCCEE0D744355C79
SHA1:	24B89AE82313084BB8BBEB9AD98A550F41DF7B27
SHA-256:	D5743766AF0312C7B7728219FC24A03A4FB1C2A54A506F337953FBC2C1B847C7
SHA-512:	70FE1C197AF507CC0D65E99807D245C896A40A4271BA1121F9B621980877B43019E584C48780951FC1AD2A5D7D146FC6EA4678139A5B38F9B6F7A5F1E2E86BA3
Malicious:	false
Preview:	customSynchronousLookupUris_0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\SmartScreen\RemoteData\customSynchronousLookupUris_0

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	35302
Entropy (8bit):	7.99333285466604
Encrypted:	true
SSDEEP:	768:rRhaFePY38QBsj61g3g01LXoDGPpgb8KbMcnjrQCckBuJyqk3x8cBBT:rLP+TBK6ZQLXSsaMcnHQQcox80
MD5:	0E06E28C3536360DE3486B1A9E5195E8
SHA1:	EB768267F34EC16A6CCD1966DCA4C3C2870268AB
SHA-256:	F2658B1C913A96E75B45E6ADB464C8D796B34AC43BAF1635AA32E16D1752971C
SHA-512:	45F1E909599E2F63372867BC359CF72FD846619DFEB5359E52D5700E0B1BCFFE5FF07606511A3BFFDDD933A0507195439457E4E29A49EB6451F26186B7240041
Malicious:	false
Preview:	.......murmur3.....IN...9.......0..X..#l....C....]......pv..E..........,..?.N?....V..B-..F.1....g\|..._.>'.-(V... .=.7P.m....#}.r.....>.LE...G.A.h5........J..=..L^-.Zl++,..h..o.y..~j.]u...W...&s.........M..........h3b..[.5.]..V^w.........a....6g3..%.gy../{\|Z.B..X.}5.]..t.1.H&B.[.).$Y......2....L.t...{...[WE.yy.]..e.v0..\.J3..T.`1Lnh.../..-=w...W.&N7.nz.P...z......'i..R6....../....t.[..&-.....T&l..e....$.8.."....Iq....J.v..\|.6.M...zE...a9uw..'.$6.L..m$......NB).JL.G.7}8(`....J.)b.E.m...c.0I.V...\|$....;.k.......8v..l.:..@.F.........K..2...%(...kA......LJd~._A.N.....$3...5....Z"...X=.....%.........6.k.....F..1..l,ia..i.i....y.M..Cl........}.I..r..-+=b.6....%...#...W..K.....=.F....~.....[.......-...../;....~.09..d.....GR..H.lR...m.Huh9.:..A H./)..D.F..Y.n7.....7D.O.a;>Z.K....w...sq..qo3N...8@.zpD.Ku......+.Z=.zNFgP._@.z.ic.......3.....+..j...an%...X..7.q..A.l.7.S2..+....1.s.b..z...@v..!.y...N.C.XQ.p.\..x8(.<.....cq.(

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\SmartScreen\RemoteData\edgeSettings

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	18
Entropy (8bit):	3.5724312513221195
Encrypted:	false
SSDEEP:	3:kDnaV6bVon:kDYa2
MD5:	5692162977B015E31D5F35F50EFAB9CF
SHA1:	705DC80E8B32AC8B68F7E13CF8A75DCCB251ED7D
SHA-256:	42CCB5159B168DBE5D5DDF026E5F7ED3DBF50873CFE47C7C3EF0677BB07B90D4
SHA-512:	32905A4CC5BCE0FE8502DDD32096F40106625218BEDC4E218A344225D6DF2595A7B70EEB3695DCEFDD894ECB2B66BED479654E8E07F02526648E07ACFE47838C
Malicious:	false
Preview:	edgeSettings_2.0-0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\SmartScreen\RemoteData\edgeSettings_2.0-0

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3581
Entropy (8bit):	4.459693941095613
Encrypted:	false
SSDEEP:	96:JTMhnytNaSA4BOsNQNhnUZTFGKDIWHCgL5tfHaaJzRHF+P1sYmnfHUdT+GWBH7Y/:KyMot7vjFU
MD5:	BDE38FAE28EC415384B8CFE052306D6C
SHA1:	3019740AF622B58D573C00BF5C98DD77F3FBB5CD
SHA-256:	1F4542614473AE103A5EE3DEEEC61D033A40271CFF891AAA6797534E4DBB4D20
SHA-512:	9C369D69298EBF087412EDA782EE72AFE5448FD0D69EA5141C2744EA5F6C36CDF70A51845CDC174838BAC0ADABDFA70DF6AEDBF6E7867578AE7C4B7805A8B55E
Malicious:	false
Preview:	{"models":[],"geoidMaps":{"gw_my":"https://malaysia.smartscreen.microsoft.com/","gw_tw":"https://taiwan.smartscreen.microsoft.com/","gw_at":"https://austria.smartscreen.microsoft.com/","gw_es":"https://spain.smartscreen.microsoft.com/","gw_pl":"https://poland.smartscreen.microsoft.com/","gw_se":"https://sweden.smartscreen.microsoft.com/","gw_kr":"https://southkorea.smartscreen.microsoft.com/","gw_br":"https://brazil.smartscreen.microsoft.com/","au":"https://australia.smartscreen.microsoft.com/","dk":"https://denmark.smartscreen.microsoft.com/","gw_sg":"https://singapore.smartscreen.microsoft.com/","gw_fr":"https://france.smartscreen.microsoft.com/","gw_ca":"https://canada.smartscreen.microsoft.com/","test":"https://eu-9.smartscreen.microsoft.com/","gw_il":"https://israel.smartscreen.microsoft.com/","gw_au":"https://australia.smartscreen.microsoft.com/","gw_ffl4mod":"https://unitedstates4.ss.wd.microsoft.us/","gw_ffl4":"https://unitedstates1.ss.wd.microsoft.us/","gw_eu":"https://europe.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\SmartScreen\RemoteData\synchronousLookupUris

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	47
Entropy (8bit):	4.493433469104717
Encrypted:	false
SSDEEP:	3:kfKbQSQSuLA5:kyUc5
MD5:	3F90757B200B52DCF5FDAC696EFD3D60
SHA1:	569A2E1BED9ECCDF7CD03E270AEF2BD7FF9B0E77
SHA-256:	1EE63F0A3502CFB7DF195FABBA41A7805008AB2CCCDAEB9AF990409D163D60C8
SHA-512:	39252BBAA33130DF50F36178A8EAB1D09165666D8A229FBB3495DD01CBE964F87CD2E6FCD479DFCA36BE06309EF18FEDA7F14722C57545203BBA24972D4835C8
Malicious:	false
Preview:	synchronousLookupUris_636976985063396749.rel.v2

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\SmartScreen\RemoteData\synchronousLookupUris_636976985063396749.rel.v2

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	35302
Entropy (8bit):	7.99333285466604
Encrypted:	true
SSDEEP:	768:rRhaFePY38QBsj61g3g01LXoDGPpgb8KbMcnjrQCckBuJyqk3x8cBBT:rLP+TBK6ZQLXSsaMcnHQQcox80
MD5:	0E06E28C3536360DE3486B1A9E5195E8
SHA1:	EB768267F34EC16A6CCD1966DCA4C3C2870268AB
SHA-256:	F2658B1C913A96E75B45E6ADB464C8D796B34AC43BAF1635AA32E16D1752971C
SHA-512:	45F1E909599E2F63372867BC359CF72FD846619DFEB5359E52D5700E0B1BCFFE5FF07606511A3BFFDDD933A0507195439457E4E29A49EB6451F26186B7240041
Malicious:	false
Preview:	.......murmur3.....IN...9.......0..X..#l....C....]......pv..E..........,..?.N?....V..B-..F.1....g\|..._.>'.-(V... .=.7P.m....#}.r.....>.LE...G.A.h5........J..=..L^-.Zl++,..h..o.y..~j.]u...W...&s.........M..........h3b..[.5.]..V^w.........a....6g3..%.gy../{\|Z.B..X.}5.]..t.1.H&B.[.).$Y......2....L.t...{...[WE.yy.]..e.v0..\.J3..T.`1Lnh.../..-=w...W.&N7.nz.P...z......'i..R6....../....t.[..&-.....T&l..e....$.8.."....Iq....J.v..\|.6.M...zE...a9uw..'.$6.L..m$......NB).JL.G.7}8(`....J.)b.E.m...c.0I.V...\|$....;.k.......8v..l.:..@.F.........K..2...%(...kA......LJd~._A.N.....$3...5....Z"...X=.....%.........6.k.....F..1..l,ia..i.i....y.M..Cl........}.I..r..-+=b.6....%...#...W..K.....=.F....~.....[.......-...../;....~.09..d.....GR..H.lR...m.Huh9.:..A H./)..D.F..Y.n7.....7D.O.a;>Z.K....w...sq..qo3N...8@.zpD.Ku......+.Z=.zNFgP._@.z.ic.......3.....+..j...an%...X..7.q..A.l.7.S2..+....1.s.b..z...@v..!.y...N.C.XQ.p.\..x8(.<.....cq.(

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\SmartScreen\RemoteData\topTraffic

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	50
Entropy (8bit):	3.9904355005135823
Encrypted:	false
SSDEEP:	3:0xXF/XctY5GUf+:0RFeUf+
MD5:	E144AFBFB9EE10479AE2A9437D3FC9CA
SHA1:	5AAAC173107C688C06944D746394C21535B0514B
SHA-256:	EB28E8ED7C014F211BD81308853F407DF86AEBB5F80F8E4640C608CD772544C2
SHA-512:	837D15B3477C95D2D71391D677463A497D8D9FFBD7EB42E412DA262C9B5C82F22CE4338A0BEAA22C81A06ECA2DF7A9A98B7D61ECACE5F087912FD9BA7914AF3F
Malicious:	false
Preview:	topTraffic_170540185939602997400506234197983529371

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\SmartScreen\RemoteData\topTraffic_170540185939602997400506234197983529371

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	575056
Entropy (8bit):	7.999649474060713
Encrypted:	true
SSDEEP:	12288:fXdhUG0PlM/EXEBQlbk19RrH76Im4u8C1jJodha:Ji80e9Rb7Tm4u8CnR
MD5:	BE5D1A12C1644421F877787F8E76642D
SHA1:	06C46A95B4BD5E145E015FA7E358A2D1AC52C809
SHA-256:	C1CE928FBEF4EF5A4207ABAFD9AB6382CC29D11DDECC215314B0522749EF6A5A
SHA-512:	FD5B100E2F192164B77F4140ADF6DE0322F34D7B6F0CF14AED91BACAB18BB8F195F161F7CF8FB10651122A598CE474AC4DC39EDF47B6A85C90C854C2A3170960
Malicious:	false
Preview:	...._+jE.`..}....S..1....G}s..E....y".Wh.^.W.H...-...#.A...KR...9b........>k......bU.IVo...D......Y..[l.yx.......'c=..I0.....E.d...-...1 ....m../C...OQ.........qW..<:N.....38.u..X-..s....<..U.,Mi..._.......`.Y/.........^..,.E..........j@..G8..N.... ..Ea...4.+.79k.!T.-5W..!..@+..!.P..LDG.....V."....L.... .(#..$..&......C.....%A.T}....K_.S..'Q.".d....s....(j.D!......Ov..)d0)."(..%..-..G..L.}....i.....m9;.....t.w..0....f?..-..M.c.3.....N7K.T..D>.3.x...z..u$5!..4..T.....U.O^L{.5..=E..'..;.}(\|.6.:..f!.>...?M.8......P.D.J.I4.<....y.E....>....i%.6..Y.@..n.....M..r..C.f.;..<..0.H...F....h.......HB1]1....u..:...H..k....B.Q..J...@}j~.#...'Y.J~....I...ub.&..L[z..1.W/.Ck....M.......[.......N.F..z.{nZ~d.V.4.u.K.V.......X.<p..cz..>....X...W..da3(..g..Z$.L4.j=~.p.l.\.[e.&&.Y ...U)..._.^r0.,.{_......`S..[....(.\..p.bt.g..%.$+....f.....d....Im..f...W ......G..i_8a..ae..7....pS.....z-H..A.s.4.3..O.r.....u.S......a.}..v.-/..... ...a.x#./:...sS&U.().xL...pg

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Variations

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	86
Entropy (8bit):	4.3751917412896075
Encrypted:	false
SSDEEP:	3:YQ3JYq9xSs0dMEJAELJ2rjozQan:YQ3Kq9X0dMgAEwjM
MD5:	961E3604F228B0D10541EBF921500C86
SHA1:	6E00570D9F78D9CFEBE67D4DA5EFE546543949A7
SHA-256:	F7B24F2EB3D5EB0550527490395D2F61C3D2FE74BB9CB345197DAD81B58B5FED
SHA-512:	535F930AFD2EF50282715C7E48859CC2D7B354FF4E6C156B94D5A2815F589B33189FFEDFCAF4456525283E993087F9F560D84CFCF497D189AB8101510A09C472
Malicious:	false
Preview:	{"user_experience_metrics.stability.exited_cleanly":false,"variations_crash_streak":0}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\bfa8447b-1009-4cf1-98b7-6fec9e48822e.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	20790
Entropy (8bit):	6.065450921136866
Encrypted:	false
SSDEEP:	384:RtMGQ7LBjuYXGIgtDAW5u0TDJ2q03X8NBSJb3C1TpB0wySSVe5Y:LMGQ7FCYXGIgtDAWtJ4nNm1Tp624e2
MD5:	AFFBDD71AB8BFC95BD8D1A3A9F93CA53
SHA1:	B2DCA7C2EAA9466623DE766D2FEE8C064DA0CA9B
SHA-256:	2787E9AB37BC2624DFD41F6974B8ECD953A6ECEB970D675F48232E9BC11B2153
SHA-512:	0BC6B4D3AF6C15A683AA5608D9B74D92DB948492102DF3516D3F4ADFF88622631347BB263C155A329E54918538B7AAED25CE05C1111FEE8E9C0D05B2F6F48D0E
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"5E25271B8190D943537AD3FDB50874FC133E8B4A00380E2A6A888D63386F728B\"","domain_actions_config":"H4sIAAAAAAAAAL1dWZPktpH+KxP9ZDtU6GMujfykHY9txVpHyHIoYh2ODhBEkWiCAAdHVbEc/u+bCVb1dE8RqEqOdh806mbzw8VEXshM/PuKb27vha2luF9LHqKT96KVoru3G+mcquXVN/++4sOgleBBWeOvvvnn4YGs7wcLz8erb65+HMKPMVx9dVXbnisDT4wMa612TNj+6j9fUSA+xFpZPyH/9dVVQig59Wx4L5+Cwzjg799ubt/jJP48zeE9TuHwDjYBc/Ew+Ktvbv/z1ZWoe+rsjB4/7Abr5U+ajz9LXo9Px+21Mk1hoo/oX6HHjTLyKTjYyMJmCbLnO/hZMpjFAjSvxOIhbxgi5FK85m+ZCkuQu7UyKoxLO97yIFoYvbAluiw2oRoYgIQ2nG2AqJY2U+koRXQbbMm3fMsEX9JMK3GLbeAvNjhrlo5GOJiTA/oXLTdG6qXtmMBDiyS59PvY7eCklyb4QcfFi7tpdwu3VBt1XNorvM4+RiU6+CjD0kb+pHz7rRm3rXSyzABnWdKBG+Ijlx7hEE4QTzo+AB6fnDLLJBpo7PKv8Ob367/KjUg8mcY6CmCjTJCmtsWFOcUf5vj04cw0e1yZe2WAl8svFn5IC43jfc+dLnGrEyDwAicHCxNdhlrVa5LEtTgt5u2lAK02pd198r5dr5VYgHj55jUJZGTtlg0NlA7S5AnvB8l7z3olnPV2vfCLsugvBUH7vTVIe9Y151SnmS2Auyvcr5UGYXBvzT2s0L3fKpCZl+2D91MLf04NPNNUni9BZmDP4Sfjk2Ig7ktgg8r8InfhHz//zSP7e8bquWlsDJ411jYlhlRsBQRm+LIWvOaiW4hdcyEra5fCtzINfylY7VRB4y

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\e8169674-5502-4d29-aa10-126fcd71c1dc.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1371
Entropy (8bit):	5.525331511488017
Encrypted:	false
SSDEEP:	24:YpQBqDPak7u5rrtFRhDKVHejKpyikuJdXBuBuwBgsaVOVNhhIVXRQQRCYfYg:YuBqDPaflhuVjFxgBzBDYOZCVmB0
MD5:	599476CB4D75C1817DEBC6DA4DC50E02
SHA1:	DBA61DE31FF87ED42648B8496ACD2B59F76B0289
SHA-256:	D4CAF26762A31408BA7A20F445E35A3837B17EAA505FBE2768568911EDE55CF5
SHA-512:	6A5D3AA7477D1C87013A6EA362F4AE1BE252A8F7A1DAFED19C520B8BD31527BCF1297E19AB07B0DB84F438558D60D1D71E7181A5074408667887F2ED7FD90194
Malicious:	false
Preview:	{"edge":{"perf_center":{"efficiency_mode_v2_is_active":false,"perf_game_mode":true,"performance_mode":3,"performance_mode_is_on":false}},"legacy":{"profile":{"name":{"migrated":true}}},"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAABwOEytpCIMRZi1E0KfXQnYEAAAAB4AAABNAGkAYwByAG8AcwBvAGYAdAAgAEUAZABnAGUAAAAQZgAAAAEAACAAAAAyCPSvPPSr08WLeAROze3a6Sabtk62mlV7n4midIaLWAAAAAAOgAAAAAIAACAAAADw7aeN5JiWRYL+GuUKSL2AU7ADs2RRDVn8X/1ZSTijxTAAAAB1xKeo8SoDrP4ex0ecDPS+z8CZppZo5OUDHTvaq3Y7mdedJBjeJ1ql5zhqOCbE6g9AAAAAy4QUaAAiGqNtmLMsf2CbhHhfS0iH9CqlrjGn+0okjWt2q/j+7Zo55d5HuUTElK9y7OfJWTc5um+cCwbYxA5xlQ=="},"profile":{"info_cache":{},"profile_counts_reported":"13369921972126260","profiles_order":[]},"smartscreen":{"enabled":true,"pua_protection_enabled":true},"telemetry_client":{"install_source_name":"windows","os_integration_level":5,"updater_version":"1.3.177.11","windows_update_applied":false},"uninstall_metrics":{"installation_date2":"1725448372"},"user_experienc

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\5945111b-1b60-45d7-a603-5c7d8b20256c.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44673
Entropy (8bit):	6.095688100266986
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4xkBBFuthDO6vP6OKJ9JipgK+zNcGoup1Xl3jVzXr4CW:z/Ps+wsI7yOEh6qJ9Jchu3VlXr4CRo1
MD5:	FCAF459F4CFFCED758B1E0A7EB00DC20
SHA1:	5AFFB5081E597E94653EE09B25B6299D6505BBEC
SHA-256:	EC3D490E0183FAEC0AB87D4CFA8FBE3DB87B77F900B5A0F0AFF3A367BFB63BEA
SHA-512:	BF525A3A4F44F97C329E30617CEEBF4139FB6A4315CA7AC1F1ACDB7BF7D4AAA876D132E46F800D811ECAD8C6AB6AD66FC5B9E19795162B91ABC27A7743621B1F
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\759ab3fb-d2b3-4fca-8404-4c9619378cc7.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	modified
Size (bytes):	44673
Entropy (8bit):	6.095835787712181
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4xkBBFuthDO6vP6OKJ9RqpnxFWcGoup1Xl3jVzXr4CCz:z/Ps+wsI7yOEh6qJ9xchu3VlXr4CRo1
MD5:	B61F1261BA72E3E8DD373376D259D950
SHA1:	CDE068DD85CA0960E2F16872B3F192C911113BF8
SHA-256:	0566DD6732541DAD34C406E1D15EAD0499D2373CBD3549225A36C1C5C25D015A
SHA-512:	5285B0C845EBEA41BF53C3E15143952FF3A9F9BFB52ACC394A0CA8D80CA43745D5E27F4E738DADEADE2E8DF7566F1C9DD2358A0A52479335A508B20EC3500CC5
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\8fa55e5f-e758-4d3e-b8c6-a3522a130887.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44137
Entropy (8bit):	6.0906986433323285
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4kkBMBwuF9hDO6vP6O+jtbzy70FqHoPFkGoup1Xl3jVu:z/Ps+wsI7ynE16Ctbz8hu3VlXr4CRo1
MD5:	B3BAADA935C065004E2385629EBD919D
SHA1:	641E65F56D6E71DD8B4276A53D046283B5FAD836
SHA-256:	D9A8C7F129EDD2F95F82D33F324508D342EEDDA6095937A1905E85D7F0E62C66
SHA-512:	68AD8C6755CD0B64A7A6EF87E9DA03578A65D00A3A032F20CAC57704A957FFD69F587F38BC1042A88E3DE78DF99F8B456C25382A9D28B7D5E04F16ACD6D2DDDA
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\BrowserMetrics\BrowserMetrics-66D840CF-16A0.pma

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	4194304
Entropy (8bit):	0.1280750337980722
Encrypted:	false
SSDEEP:	768:clbt5HfEE3Qxr6feBND6K++2RGOJJ+l2JVtArbRGO:clh5HcEgxrakD6Kp2RGgMsXtArbRG
MD5:	70DDFF15444827D61F9B9F3A054E4E6A
SHA1:	7FC10C2C6DB041D5089A6288EA3081196326EB23
SHA-256:	ECEC4A49DD8E7890B0EBD01F6E08284DCFEB84DAEBE98B2DDA302D8915960C75
SHA-512:	389DC311DD5D91B51EB4837051DCF5A73413DE5862BCBF42B40CBA55CCE8820DB7EFB20F1BCAEBC5481757361BC23D2C6B4FA1C1DFD29C6426FF25E725ABFE07
Malicious:	false
Preview:	...@..@...@.....C.].....@...............0#..................`... ...i.y.........BrowserMetrics......i.y..Yd. .......A...................v.0.....UV&K.k<................UV&K.k<................UMA.PersistentHistograms.InitResult.....8...i.y.[".................................................i.y.Pq.30..............117.0.2045.47-64..".en-GB...Windows NT..10.0.190452l..x86_64..?........".vkhcju20,1(.0..8..B.......2.:.M..BU..Be...?j...GenuineIntel... .. ..........x86_64...J....k..^o..J..l.zL.^o..J....\.^o..J.....f.^o..J....?.^o..P.Z...b.INBXj....... .8.@..............(......................w..U].0r........>.........."....."...24.."."pZLhTaJ23hN5uQxwzu0K2CYes/dvJuE93VbIVV/LnRA=".:............B)..1.3.177.11.. .*.RegKeyNotFound2.windowsR...Z...u...V.S@..$...SF@.......Y@.......4@.......Y@........?........?.........................Y@.......Y@.......Y@.......Y@.......Y@.......Y@.......Y@.......4@.......Y@................Y@.......Y@.......Y@........?........?2..........~...... .2.......

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	280
Entropy (8bit):	4.132041621771752
Encrypted:	false
SSDEEP:	3:FiWWltlApdeXKeQwFMYLAfJrAazlYBVP/Sh/JzvPWVcRVEVg3WWD5x1:o1ApdeaEqYsMazlYBVsJDu2ziy5
MD5:	845CFA59D6B52BD2E8C24AC83A335C66
SHA1:	6882BB1CE71EB14CEF73413EFC591ACF84C63C75
SHA-256:	29645C274865D963D30413284B36CC13D7472E3CD2250152DEE468EC9DA3586F
SHA-512:	8E0E7E8CCDC8340F68DB31F519E1006FA7B99593A0C1A2425571DAF71807FBBD4527A211030162C9CE9E0584C8C418B5346C2888BEDC43950BF651FD1D40575E
Malicious:	false
Preview:	sdPC......................X..<EE..r/y..."pZLhTaJ23hN5uQxwzu0K2CYes/dvJuE93VbIVV/LnRA="..................................................................................47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=....................fdb35e9f-12f5-40d5-8d50-87a9333d43a4............

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\10a39b5f-c90a-4b86-9996-a05ad7ca73c7.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:L:L
MD5:	5058F1AF8388633F609CADB75A75DC9D
SHA1:	3A52CE780950D4D969792A2559CD519D7EE8C727
SHA-256:	CDB4EE2AEA69CC6A83331BBE96DC2CAA9A299D21329EFB0336FC02A82E1839A8
SHA-512:	0B61241D7C17BCBB1BAEE7094D14B7C451EFECC7FFCBD92598A0F13D313CC9EBC2A07E61F007BAF58FBF94FF9A8695BDD5CAE7CE03BBF1E94E93613A00F25F21
Malicious:	false
Preview:	.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\1d7e9a9a-4d26-4f08-bc83-dfd7385aa3fc.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7818
Entropy (8bit):	5.089287132429918
Encrypted:	false
SSDEEP:	192:stvM/Rsgx8CZihnk9sY8bV+FiA66WbNbaFIMY5bLMJ:stvM/Rsgx8xhRbGix6WbZaTYC
MD5:	2F128BDAB68A50123A48A22169B7E2FB
SHA1:	FC8BE476DD5E5CA8A3494883CA3966C730F05696
SHA-256:	CA1F3769B8515FF34A5C5BA89C50D3041F42AF03E0CBD09EE5A8275600F38F4A
SHA-512:	7A88FB35B6DF5570AA61B8F0776175F67BC1FDDC48A8C4DD3571A0EDF832991F8CDFE34E0BF5030E429C9C6E1F36A1F78B8D10BD184B3DD8033FEE35EAC7F18B
Malicious:	false
Preview:	{"aadc_info":{"age_group":0},"account_tracker_service_last_update":"13340900082427237","alternate_error_pages":{"backup":true},"apps":{"shortcuts_arch":"","shortcuts_version":0},"arbitration_experiences":{},"arbitration_local_nsat_reset_time":"13340900603634208","arbitration_using_experiment_config":false,"browser":{"available_dark_theme_options":"All","has_seen_welcome_page":false},"continuous_migration":{"ci_correction_for_holdout_treatment_state":1},"countryid_at_install":17224,"custom_links":{"list":[]},"default_apps_install_state":3,"domain_diversity":{"last_reporting_timestamp":"13340900082535948"},"dual_engine":{"consumer_mode":{"ie_user":false},"consumer_site_list_with_ie_entries":false,"consumer_sitelist_location":"","consumer_sitelist_version":"","external_consumer_shared_cookie_data":{},"shared_cookie_data":{},"sitelist_data_2":{},"sitelist_has_consumer_data":false,"sitelist_has_enterprise_data":false,"sitelist_location":"","sitelist_source":0,"sitelist_version":""},"edge":{

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\1f5d08e2-58d3-436a-98ec-431e2e971762.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:L:L
MD5:	5058F1AF8388633F609CADB75A75DC9D
SHA1:	3A52CE780950D4D969792A2559CD519D7EE8C727
SHA-256:	CDB4EE2AEA69CC6A83331BBE96DC2CAA9A299D21329EFB0336FC02A82E1839A8
SHA-512:	0B61241D7C17BCBB1BAEE7094D14B7C451EFECC7FFCBD92598A0F13D313CC9EBC2A07E61F007BAF58FBF94FF9A8695BDD5CAE7CE03BBF1E94E93613A00F25F21
Malicious:	false
Preview:	.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\33cf5072-8e91-4932-9017-685491b1538e.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24691
Entropy (8bit):	5.568410114344186
Encrypted:	false
SSDEEP:	768:bVdU+tWPKlfX+8F1+UoAYDCx9Tuqh0VfUC9xbog/OVd8M0lrwYputufv:bVdU+tWPKlfX+u1jagj0OZtQv
MD5:	9898292CC27981A8BB1764772E51B400
SHA1:	DA9AF0829EE8C0780EC9E4B6417218D7BA9F6307
SHA-256:	F77E4639F45CCF2596A5D67A065F0C489437F8ED9C78F8EF61168281F39CA3D5
SHA-512:	9DDB9A7DCC69B06325564E26415488070CA6B5F6475D77E52C8AE66ED91547D346EEC35985BA5E0BB888B203CC7F1857BE22A1D15CBBE8463FA5D3F487394878
Malicious:	false
Preview:	{"edge_fundamentals_appdefaults":{"ess_lightweight_version":101},"ess_kv_states":{"restore_on_startup":{"closed_notification":false,"decrypt_success":true,"key":"restore_on_startup","notification_popup_count":0},"startup_urls":{"closed_notification":false,"decrypt_success":true,"key":"startup_urls","notification_popup_count":0},"template_url_data":{"closed_notification":false,"decrypt_success":true,"key":"template_url_data","notification_popup_count":0}},"extensions":{"settings":{"ahfgeienlihckogmohjhadlkjgocpleb":{"active_permissions":{"api":["management","system.display","system.storage","webstorePrivate","system.cpu","system.memory","system.network"],"explicit_host":[],"manifest_permissions":[],"scriptable_host":[]},"app_launcher_ordinal":"t","commands":{},"content_settings":[],"creation_flags":1,"events":[],"first_install_time":"13369921991771428","from_webstore":false,"incognito_content_settings":[],"incognito_preferences":{},"last_update_time":"13369921991771428","location":5,"ma

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\465a361c-87a3-41ee-beaf-f9bb900a0aa6.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7999
Entropy (8bit):	5.090058015737403
Encrypted:	false
SSDEEP:	192:stO/Rsfx8CZihnk9sY8bV+FiA66WbNbaFIMYybLMJ:stO/Rsfx8xhRbGix6WbZaTYZ
MD5:	624FFFD2901417A668819C52B0D0A9FE
SHA1:	F428E88870CE7A4C2A242211EF2A82C78F8956EE
SHA-256:	BD2B21C6A64DD0137D67F8E2C51F72AF612CD5768766F69097758180B1E87E59
SHA-512:	CA1A328B158996D3832601828BE66546625F27911539650F8A5C625B4333E5EB157F44410C3EC6D9CF4E8B292DD50CF4535DC7FAEDC938DD6EBDE94D6E2D3BD1
Malicious:	false
Preview:	{"aadc_info":{"age_group":0},"account_tracker_service_last_update":"13369921999596600","alternate_error_pages":{"backup":true},"apps":{"shortcuts_arch":"","shortcuts_version":0},"arbitration_experiences":{},"arbitration_local_nsat_reset_time":"13340900603634208","arbitration_using_experiment_config":false,"browser":{"available_dark_theme_options":"All","has_seen_welcome_page":false},"continuous_migration":{"ci_correction_for_holdout_treatment_state":1},"countryid_at_install":17224,"custom_links":{"list":[]},"default_apps_install_state":3,"domain_diversity":{"last_reporting_timestamp":"13340900082535948"},"dual_engine":{"consumer_mode":{"ie_user":false},"consumer_site_list_with_ie_entries":false,"consumer_sitelist_location":"","consumer_sitelist_version":"","external_consumer_shared_cookie_data":{},"shared_cookie_data":{},"sitelist_data_2":{},"sitelist_has_consumer_data":false,"sitelist_has_enterprise_data":false,"sitelist_location":"","sitelist_source":0,"sitelist_version":""},"edge":{

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\96c45671-2f77-46c8-b5fe-270d6b9072b6.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:L:L
MD5:	5058F1AF8388633F609CADB75A75DC9D
SHA1:	3A52CE780950D4D969792A2559CD519D7EE8C727
SHA-256:	CDB4EE2AEA69CC6A83331BBE96DC2CAA9A299D21329EFB0336FC02A82E1839A8
SHA-512:	0B61241D7C17BCBB1BAEE7094D14B7C451EFECC7FFCBD92598A0F13D313CC9EBC2A07E61F007BAF58FBF94FF9A8695BDD5CAE7CE03BBF1E94E93613A00F25F21
Malicious:	false
Preview:	.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeCoupons\coupons_data.db\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	348
Entropy (8bit):	5.221407136160366
Encrypted:	false
SSDEEP:	6:P3iVq2P923oH+TcwtnG2tMsIFUt823i28Zmw+23i28kwO923oH+TcwtnG2tMsLJ:P4v4Yebn9GFUt82w/+245LYebn95J
MD5:	25AED05CE9F823853E428DB88EA9CE19
SHA1:	874B37D9C4588A2DBD11C4B57D9418D80E06CA0C
SHA-256:	FF7ADC93096DB9C8034AD13B98C2E46E0D7999FB1EF49E75396792AF0677CE36
SHA-512:	B8A0F878E7F362E6495D117041AD898E2F5A840E2A4BCA03A39E5ECC9BAC79406CCA6EED68663DDD1B116325D0E67031348272A66DAB0BBA319BC9C311C8EF6B
Malicious:	false
Preview:	2024/09/04-07:13:19.554 1480 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeCoupons/coupons_data.db/MANIFEST-000001.2024/09/04-07:13:19.557 1480 Recovering log #3.2024/09/04-07:13:19.557 1480 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeCoupons/coupons_data.db/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeCoupons\coupons_data.db\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	348
Entropy (8bit):	5.221407136160366
Encrypted:	false
SSDEEP:	6:P3iVq2P923oH+TcwtnG2tMsIFUt823i28Zmw+23i28kwO923oH+TcwtnG2tMsLJ:P4v4Yebn9GFUt82w/+245LYebn95J
MD5:	25AED05CE9F823853E428DB88EA9CE19
SHA1:	874B37D9C4588A2DBD11C4B57D9418D80E06CA0C
SHA-256:	FF7ADC93096DB9C8034AD13B98C2E46E0D7999FB1EF49E75396792AF0677CE36
SHA-512:	B8A0F878E7F362E6495D117041AD898E2F5A840E2A4BCA03A39E5ECC9BAC79406CCA6EED68663DDD1B116325D0E67031348272A66DAB0BBA319BC9C311C8EF6B
Malicious:	false
Preview:	2024/09/04-07:13:19.554 1480 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeCoupons/coupons_data.db/MANIFEST-000001.2024/09/04-07:13:19.557 1480 Recovering log #3.2024/09/04-07:13:19.557 1480 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeCoupons/coupons_data.db/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeCoupons\coupons_data.db\LOG.old~RF37d11.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	348
Entropy (8bit):	5.221407136160366
Encrypted:	false
SSDEEP:	6:P3iVq2P923oH+TcwtnG2tMsIFUt823i28Zmw+23i28kwO923oH+TcwtnG2tMsLJ:P4v4Yebn9GFUt82w/+245LYebn95J
MD5:	25AED05CE9F823853E428DB88EA9CE19
SHA1:	874B37D9C4588A2DBD11C4B57D9418D80E06CA0C
SHA-256:	FF7ADC93096DB9C8034AD13B98C2E46E0D7999FB1EF49E75396792AF0677CE36
SHA-512:	B8A0F878E7F362E6495D117041AD898E2F5A840E2A4BCA03A39E5ECC9BAC79406CCA6EED68663DDD1B116325D0E67031348272A66DAB0BBA319BC9C311C8EF6B
Malicious:	false
Preview:	2024/09/04-07:13:19.554 1480 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeCoupons/coupons_data.db/MANIFEST-000001.2024/09/04-07:13:19.557 1480 Recovering log #3.2024/09/04-07:13:19.557 1480 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeCoupons/coupons_data.db/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Rules\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	380
Entropy (8bit):	1.8784775129881184
Encrypted:	false
SSDEEP:	6:qTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCT:qWWWWWWWWWWWWWWWWWWW
MD5:	9FE07A071FDA31327FA322B32FCA0B7E
SHA1:	A3E0BAE8853A163C9BB55F68616C795AAAF462E8
SHA-256:	E02333C0359406998E3FED40B69B61C9D28B2117CF9E6C0239E2E13EC13BA7C8
SHA-512:	9CCE621CD5B7CFBD899ABCBDD71235776FF9FF7DEA19C67F86E7F0603F7B09CA294CC16B672B742FA9B51387B2F0A501C3446872980BCA69ADE13F2B5677601D
Malicious:	false
Preview:	.f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5...............

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Rules\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	324
Entropy (8bit):	5.152996424689879
Encrypted:	false
SSDEEP:	6:P3Hq2P923oH+Tcwt8aPrqIFUt823xXZmw+23xFkwO923oH+Tcwt8amLJ:PXv4YebL3FUt82t/+2f5LYebQJ
MD5:	51918D4B359B1B2AF6672A19EF8246A9
SHA1:	81AA0EED5D9B6B8894BC36835049A313FE83094A
SHA-256:	0734F4732CCFAD74D1B4ACBF3F482E21C6E8C30519788FA1137636DECBCAEA01
SHA-512:	CD0FF558D80B1689987C6802B137BFDF42FC0CE2A47AFAD89C61F8D1931F44DF585E34448AA2184AEBE96B5E8AC01820E6A52008A67A0064901BCCA2A7B7DE9D
Malicious:	false
Preview:	2024/09/04-07:13:12.068 19a4 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Rules/MANIFEST-000001.2024/09/04-07:13:12.069 19a4 Recovering log #3.2024/09/04-07:13:12.069 19a4 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Rules/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Rules\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	324
Entropy (8bit):	5.152996424689879
Encrypted:	false
SSDEEP:	6:P3Hq2P923oH+Tcwt8aPrqIFUt823xXZmw+23xFkwO923oH+Tcwt8amLJ:PXv4YebL3FUt82t/+2f5LYebQJ
MD5:	51918D4B359B1B2AF6672A19EF8246A9
SHA1:	81AA0EED5D9B6B8894BC36835049A313FE83094A
SHA-256:	0734F4732CCFAD74D1B4ACBF3F482E21C6E8C30519788FA1137636DECBCAEA01
SHA-512:	CD0FF558D80B1689987C6802B137BFDF42FC0CE2A47AFAD89C61F8D1931F44DF585E34448AA2184AEBE96B5E8AC01820E6A52008A67A0064901BCCA2A7B7DE9D
Malicious:	false
Preview:	2024/09/04-07:13:12.068 19a4 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Rules/MANIFEST-000001.2024/09/04-07:13:12.069 19a4 Recovering log #3.2024/09/04-07:13:12.069 19a4 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Rules/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Scripts\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	380
Entropy (8bit):	1.8784775129881184
Encrypted:	false
SSDEEP:	6:qTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCTCT:qWWWWWWWWWWWWWWWWWWW
MD5:	9FE07A071FDA31327FA322B32FCA0B7E
SHA1:	A3E0BAE8853A163C9BB55F68616C795AAAF462E8
SHA-256:	E02333C0359406998E3FED40B69B61C9D28B2117CF9E6C0239E2E13EC13BA7C8
SHA-512:	9CCE621CD5B7CFBD899ABCBDD71235776FF9FF7DEA19C67F86E7F0603F7B09CA294CC16B672B742FA9B51387B2F0A501C3446872980BCA69ADE13F2B5677601D
Malicious:	false
Preview:	.f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5...............

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Scripts\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	328
Entropy (8bit):	5.146796697425865
Encrypted:	false
SSDEEP:	6:P32q2P923oH+Tcwt865IFUt823LF4FZZmw+231PkwO923oH+Tcwt86+ULJ:PGv4Yeb/WFUt82bF0/+2lP5LYeb/+SJ
MD5:	A7EE2F6BAC1F5CCEDF1DDA84583CB3B8
SHA1:	FA939A088165E1E9F0D576B3E73C918A8C975088
SHA-256:	10055790C5E8E4373133E1CC91A4C22D643760F806179450B13D97BBEEBEF6C7
SHA-512:	9A164BBBAF86B6788D77ED574F224AF3138873F3094A499C829AE91DAAA14D87DE7D4A950F8BFB907F09991F4B15500A8B4F5BF032FD75097819B0612A97BCEF
Malicious:	false
Preview:	2024/09/04-07:13:12.074 19a4 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Scripts/MANIFEST-000001.2024/09/04-07:13:12.077 19a4 Recovering log #3.2024/09/04-07:13:12.078 19a4 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Scripts/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Scripts\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	328
Entropy (8bit):	5.146796697425865
Encrypted:	false
SSDEEP:	6:P32q2P923oH+Tcwt865IFUt823LF4FZZmw+231PkwO923oH+Tcwt86+ULJ:PGv4Yeb/WFUt82bF0/+2lP5LYeb/+SJ
MD5:	A7EE2F6BAC1F5CCEDF1DDA84583CB3B8
SHA1:	FA939A088165E1E9F0D576B3E73C918A8C975088
SHA-256:	10055790C5E8E4373133E1CC91A4C22D643760F806179450B13D97BBEEBEF6C7
SHA-512:	9A164BBBAF86B6788D77ED574F224AF3138873F3094A499C829AE91DAAA14D87DE7D4A950F8BFB907F09991F4B15500A8B4F5BF032FD75097819B0612A97BCEF
Malicious:	false
Preview:	2024/09/04-07:13:12.074 19a4 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Scripts/MANIFEST-000001.2024/09/04-07:13:12.077 19a4 Recovering log #3.2024/09/04-07:13:12.078 19a4 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Scripts/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\000003.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	1140
Entropy (8bit):	1.8784775129881184
Encrypted:	false
SSDEEP:	12:qWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWW:
MD5:	914FD8DC5F9A741C6947E1AB12A9D113
SHA1:	6529EFE14E7B0BEA47D78B147243096408CDAAE4
SHA-256:	8BE3C96EE64B5D2768057EA1C4D1A70F40A0041585F3173806E2278E9300960B
SHA-512:	2862BF83C061414EFA2AC035FFC25BA9C4ED523B430FDEEED4974F55D4450A62766C2E799D0ACDB8269210078547048ACAABFD78EDE6AB91133E30F6B5EBFFBD
Malicious:	false
Preview:	.f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5........

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	324
Entropy (8bit):	5.181325952070176
Encrypted:	false
SSDEEP:	6:P3xcq2P923oH+Tcwt8NIFUt823xNZmw+23sUOkwO923oH+Tcwt8+eLJ:POv4YebpFUt82X/+28N5LYebqJ
MD5:	72C7BCEC637A54EA25D698ADDD1295F2
SHA1:	76497383FAFD0A58A234B2FCD342BA204D8B54B0
SHA-256:	43F5657C7CAF7046DEB3ACBD31B928ED7878A2C324D299D263D1DE36EBDFF137
SHA-512:	EA63E45CCB5185FD65FB6614D1E2E13AC2C0FF5C8E34D23E3387859F5B78CF4B70BCEDEB690C233D257D3B912AD6F551494E0D45467C7995A9B354CF8344F7AF
Malicious:	false
Preview:	2024/09/04-07:13:19.566 1e24 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension State/MANIFEST-000001.2024/09/04-07:13:19.566 1e24 Recovering log #3.2024/09/04-07:13:19.567 1e24 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension State/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	324
Entropy (8bit):	5.181325952070176
Encrypted:	false
SSDEEP:	6:P3xcq2P923oH+Tcwt8NIFUt823xNZmw+23sUOkwO923oH+Tcwt8+eLJ:POv4YebpFUt82X/+28N5LYebqJ
MD5:	72C7BCEC637A54EA25D698ADDD1295F2
SHA1:	76497383FAFD0A58A234B2FCD342BA204D8B54B0
SHA-256:	43F5657C7CAF7046DEB3ACBD31B928ED7878A2C324D299D263D1DE36EBDFF137
SHA-512:	EA63E45CCB5185FD65FB6614D1E2E13AC2C0FF5C8E34D23E3387859F5B78CF4B70BCEDEB690C233D257D3B912AD6F551494E0D45467C7995A9B354CF8344F7AF
Malicious:	false
Preview:	2024/09/04-07:13:19.566 1e24 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension State/MANIFEST-000001.2024/09/04-07:13:19.566 1e24 Recovering log #3.2024/09/04-07:13:19.567 1e24 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension State/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\LOG.old~RF37d20.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	324
Entropy (8bit):	5.181325952070176
Encrypted:	false
SSDEEP:	6:P3xcq2P923oH+Tcwt8NIFUt823xNZmw+23sUOkwO923oH+Tcwt8+eLJ:POv4YebpFUt82X/+28N5LYebqJ
MD5:	72C7BCEC637A54EA25D698ADDD1295F2
SHA1:	76497383FAFD0A58A234B2FCD342BA204D8B54B0
SHA-256:	43F5657C7CAF7046DEB3ACBD31B928ED7878A2C324D299D263D1DE36EBDFF137
SHA-512:	EA63E45CCB5185FD65FB6614D1E2E13AC2C0FF5C8E34D23E3387859F5B78CF4B70BCEDEB690C233D257D3B912AD6F551494E0D45467C7995A9B354CF8344F7AF
Malicious:	false
Preview:	2024/09/04-07:13:19.566 1e24 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension State/MANIFEST-000001.2024/09/04-07:13:19.566 1e24 Recovering log #3.2024/09/04-07:13:19.567 1e24 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension State/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\34d58e95-9f69-4be2-84bd-0b9d8a54b5c3.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	61
Entropy (8bit):	3.926136109079379
Encrypted:	false
SSDEEP:	3:YLb9N+eAXRfHDH2LSL:YHpoeSL
MD5:	4DF4574BFBB7E0B0BC56C2C9B12B6C47
SHA1:	81EFCBD3E3DA8221444A21F45305AF6FA4B71907
SHA-256:	E1B77550222C2451772C958E44026ABE518A2C8766862F331765788DDD196377
SHA-512:	78B14F60F2D80400FE50360CF303A961685396B7697775D078825A29B717081442D357C2039AD0984D4B622976B0314EDE8F478CDE320DAEC118DA546CB0682A
Malicious:	false
Preview:	{"net":{"http_server_properties":{"servers":[],"version":5}}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	61
Entropy (8bit):	3.926136109079379
Encrypted:	false
SSDEEP:	3:YLb9N+eAXRfHDH2LSL:YHpoeSL
MD5:	4DF4574BFBB7E0B0BC56C2C9B12B6C47
SHA1:	81EFCBD3E3DA8221444A21F45305AF6FA4B71907
SHA-256:	E1B77550222C2451772C958E44026ABE518A2C8766862F331765788DDD196377
SHA-512:	78B14F60F2D80400FE50360CF303A961685396B7697775D078825A29B717081442D357C2039AD0984D4B622976B0314EDE8F478CDE320DAEC118DA546CB0682A
Malicious:	false
Preview:	{"net":{"http_server_properties":{"servers":[],"version":5}}}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports~RF36439.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\af5760ce-6313-45b9-8c84-159a088e2d7f.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\e9e390b6-84df-46a2-95d2-ce9dc73e3ba7.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:H:H
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Preferences (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7818
Entropy (8bit):	5.089287132429918
Encrypted:	false
SSDEEP:	192:stvM/Rsgx8CZihnk9sY8bV+FiA66WbNbaFIMY5bLMJ:stvM/Rsgx8xhRbGix6WbZaTYC
MD5:	2F128BDAB68A50123A48A22169B7E2FB
SHA1:	FC8BE476DD5E5CA8A3494883CA3966C730F05696
SHA-256:	CA1F3769B8515FF34A5C5BA89C50D3041F42AF03E0CBD09EE5A8275600F38F4A
SHA-512:	7A88FB35B6DF5570AA61B8F0776175F67BC1FDDC48A8C4DD3571A0EDF832991F8CDFE34E0BF5030E429C9C6E1F36A1F78B8D10BD184B3DD8033FEE35EAC7F18B
Malicious:	false
Preview:	{"aadc_info":{"age_group":0},"account_tracker_service_last_update":"13340900082427237","alternate_error_pages":{"backup":true},"apps":{"shortcuts_arch":"","shortcuts_version":0},"arbitration_experiences":{},"arbitration_local_nsat_reset_time":"13340900603634208","arbitration_using_experiment_config":false,"browser":{"available_dark_theme_options":"All","has_seen_welcome_page":false},"continuous_migration":{"ci_correction_for_holdout_treatment_state":1},"countryid_at_install":17224,"custom_links":{"list":[]},"default_apps_install_state":3,"domain_diversity":{"last_reporting_timestamp":"13340900082535948"},"dual_engine":{"consumer_mode":{"ie_user":false},"consumer_site_list_with_ie_entries":false,"consumer_sitelist_location":"","consumer_sitelist_version":"","external_consumer_shared_cookie_data":{},"shared_cookie_data":{},"sitelist_data_2":{},"sitelist_has_consumer_data":false,"sitelist_has_enterprise_data":false,"sitelist_location":"","sitelist_source":0,"sitelist_version":""},"edge":{

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Preferences~RF37dbc.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7818
Entropy (8bit):	5.089287132429918
Encrypted:	false
SSDEEP:	192:stvM/Rsgx8CZihnk9sY8bV+FiA66WbNbaFIMY5bLMJ:stvM/Rsgx8xhRbGix6WbZaTYC
MD5:	2F128BDAB68A50123A48A22169B7E2FB
SHA1:	FC8BE476DD5E5CA8A3494883CA3966C730F05696
SHA-256:	CA1F3769B8515FF34A5C5BA89C50D3041F42AF03E0CBD09EE5A8275600F38F4A
SHA-512:	7A88FB35B6DF5570AA61B8F0776175F67BC1FDDC48A8C4DD3571A0EDF832991F8CDFE34E0BF5030E429C9C6E1F36A1F78B8D10BD184B3DD8033FEE35EAC7F18B
Malicious:	false
Preview:	{"aadc_info":{"age_group":0},"account_tracker_service_last_update":"13340900082427237","alternate_error_pages":{"backup":true},"apps":{"shortcuts_arch":"","shortcuts_version":0},"arbitration_experiences":{},"arbitration_local_nsat_reset_time":"13340900603634208","arbitration_using_experiment_config":false,"browser":{"available_dark_theme_options":"All","has_seen_welcome_page":false},"continuous_migration":{"ci_correction_for_holdout_treatment_state":1},"countryid_at_install":17224,"custom_links":{"list":[]},"default_apps_install_state":3,"domain_diversity":{"last_reporting_timestamp":"13340900082535948"},"dual_engine":{"consumer_mode":{"ie_user":false},"consumer_site_list_with_ie_entries":false,"consumer_sitelist_location":"","consumer_sitelist_version":"","external_consumer_shared_cookie_data":{},"shared_cookie_data":{},"sitelist_data_2":{},"sitelist_has_consumer_data":false,"sitelist_has_enterprise_data":false,"sitelist_location":"","sitelist_source":0,"sitelist_version":""},"edge":{

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24691
Entropy (8bit):	5.568410114344186
Encrypted:	false
SSDEEP:	768:bVdU+tWPKlfX+8F1+UoAYDCx9Tuqh0VfUC9xbog/OVd8M0lrwYputufv:bVdU+tWPKlfX+u1jagj0OZtQv
MD5:	9898292CC27981A8BB1764772E51B400
SHA1:	DA9AF0829EE8C0780EC9E4B6417218D7BA9F6307
SHA-256:	F77E4639F45CCF2596A5D67A065F0C489437F8ED9C78F8EF61168281F39CA3D5
SHA-512:	9DDB9A7DCC69B06325564E26415488070CA6B5F6475D77E52C8AE66ED91547D346EEC35985BA5E0BB888B203CC7F1857BE22A1D15CBBE8463FA5D3F487394878
Malicious:	false
Preview:	{"edge_fundamentals_appdefaults":{"ess_lightweight_version":101},"ess_kv_states":{"restore_on_startup":{"closed_notification":false,"decrypt_success":true,"key":"restore_on_startup","notification_popup_count":0},"startup_urls":{"closed_notification":false,"decrypt_success":true,"key":"startup_urls","notification_popup_count":0},"template_url_data":{"closed_notification":false,"decrypt_success":true,"key":"template_url_data","notification_popup_count":0}},"extensions":{"settings":{"ahfgeienlihckogmohjhadlkjgocpleb":{"active_permissions":{"api":["management","system.display","system.storage","webstorePrivate","system.cpu","system.memory","system.network"],"explicit_host":[],"manifest_permissions":[],"scriptable_host":[]},"app_launcher_ordinal":"t","commands":{},"content_settings":[],"creation_flags":1,"events":[],"first_install_time":"13369921991771428","from_webstore":false,"incognito_content_settings":[],"incognito_preferences":{},"last_update_time":"13369921991771428","location":5,"ma

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	352
Entropy (8bit):	5.1475905568138645
Encrypted:	false
SSDEEP:	6:P3Wv39+q2P923oH+Tcwt7Uh2ghZIFUt823Uv3JZmw+23Sv9VkwO923oH+Tcwt7UT:P634v4YebIhHh2FUt82Ev3J/+24D5LYz
MD5:	8FDCD24233A8602860259883B731AD91
SHA1:	BD4E4737C20BD276649C8160C6BCEA27A2FEDE8C
SHA-256:	81A90BF09C18C7F950353CCBC00BD0BBA216DDCF55A8C0FC0D4781E6F1D58CB9
SHA-512:	D36E0F326E7AEB7391DD9DBB1DCB225F698DF479E975A83CC859E8D2796109E070BB2711DD8B678AA5D29A90E2F1CB156B75E7C3A928DCEED159D953160DAE1E
Malicious:	false
Preview:	2024/09/04-07:13:12.171 1eb8 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database/MANIFEST-000001.2024/09/04-07:13:12.173 1eb8 Recovering log #3.2024/09/04-07:13:12.175 1eb8 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	352
Entropy (8bit):	5.1475905568138645
Encrypted:	false
SSDEEP:	6:P3Wv39+q2P923oH+Tcwt7Uh2ghZIFUt823Uv3JZmw+23Sv9VkwO923oH+Tcwt7UT:P634v4YebIhHh2FUt82Ev3J/+24D5LYz
MD5:	8FDCD24233A8602860259883B731AD91
SHA1:	BD4E4737C20BD276649C8160C6BCEA27A2FEDE8C
SHA-256:	81A90BF09C18C7F950353CCBC00BD0BBA216DDCF55A8C0FC0D4781E6F1D58CB9
SHA-512:	D36E0F326E7AEB7391DD9DBB1DCB225F698DF479E975A83CC859E8D2796109E070BB2711DD8B678AA5D29A90E2F1CB156B75E7C3A928DCEED159D953160DAE1E
Malicious:	false
Preview:	2024/09/04-07:13:12.171 1eb8 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database/MANIFEST-000001.2024/09/04-07:13:12.173 1eb8 Recovering log #3.2024/09/04-07:13:12.175 1eb8 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG.old~RF37cc2.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	352
Entropy (8bit):	5.1475905568138645
Encrypted:	false
SSDEEP:	6:P3Wv39+q2P923oH+Tcwt7Uh2ghZIFUt823Uv3JZmw+23Sv9VkwO923oH+Tcwt7UT:P634v4YebIhHh2FUt82Ev3J/+24D5LYz
MD5:	8FDCD24233A8602860259883B731AD91
SHA1:	BD4E4737C20BD276649C8160C6BCEA27A2FEDE8C
SHA-256:	81A90BF09C18C7F950353CCBC00BD0BBA216DDCF55A8C0FC0D4781E6F1D58CB9
SHA-512:	D36E0F326E7AEB7391DD9DBB1DCB225F698DF479E975A83CC859E8D2796109E070BB2711DD8B678AA5D29A90E2F1CB156B75E7C3A928DCEED159D953160DAE1E
Malicious:	false
Preview:	2024/09/04-07:13:12.171 1eb8 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database/MANIFEST-000001.2024/09/04-07:13:12.173 1eb8 Recovering log #3.2024/09/04-07:13:12.175 1eb8 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	328
Entropy (8bit):	5.1842639454845525
Encrypted:	false
SSDEEP:	6:P31Iq2P923oH+TcwtpIFUt8231ZZmw+231zkwO923oH+Tcwta/WLJ:PFIv4YebmFUt82FZ/+2Fz5LYebaUJ
MD5:	08E9C42C4EEAF297F64F030DE44031C3
SHA1:	1A1A0C0E4485A248A39167D0304BF3B758BE1F0E
SHA-256:	B27A165CA1321D94CF2189C3979184680D9240AEED9079CC8CC5B1D04AD09016
SHA-512:	2FC3B206CE82C72F87DD7DA06ACA8029AE66BAF4471A1CEB778058C5B931145D0700BFEC34CA31B5E1494F131B780CCEAAAF5E11D0F0D5A68F2560E5CD89E578
Malicious:	false
Preview:	2024/09/04-07:13:19.463 1e24 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB/MANIFEST-000001.2024/09/04-07:13:19.463 1e24 Recovering log #3.2024/09/04-07:13:19.463 1e24 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG.old (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	328
Entropy (8bit):	5.1842639454845525
Encrypted:	false
SSDEEP:	6:P31Iq2P923oH+TcwtpIFUt8231ZZmw+231zkwO923oH+Tcwta/WLJ:PFIv4YebmFUt82FZ/+2Fz5LYebaUJ
MD5:	08E9C42C4EEAF297F64F030DE44031C3
SHA1:	1A1A0C0E4485A248A39167D0304BF3B758BE1F0E
SHA-256:	B27A165CA1321D94CF2189C3979184680D9240AEED9079CC8CC5B1D04AD09016
SHA-512:	2FC3B206CE82C72F87DD7DA06ACA8029AE66BAF4471A1CEB778058C5B931145D0700BFEC34CA31B5E1494F131B780CCEAAAF5E11D0F0D5A68F2560E5CD89E578
Malicious:	false
Preview:	2024/09/04-07:13:19.463 1e24 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB/MANIFEST-000001.2024/09/04-07:13:19.463 1e24 Recovering log #3.2024/09/04-07:13:19.463 1e24 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG.old~RF37cb3.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	328
Entropy (8bit):	5.1842639454845525
Encrypted:	false
SSDEEP:	6:P31Iq2P923oH+TcwtpIFUt8231ZZmw+231zkwO923oH+Tcwta/WLJ:PFIv4YebmFUt82FZ/+2Fz5LYebaUJ
MD5:	08E9C42C4EEAF297F64F030DE44031C3
SHA1:	1A1A0C0E4485A248A39167D0304BF3B758BE1F0E
SHA-256:	B27A165CA1321D94CF2189C3979184680D9240AEED9079CC8CC5B1D04AD09016
SHA-512:	2FC3B206CE82C72F87DD7DA06ACA8029AE66BAF4471A1CEB778058C5B931145D0700BFEC34CA31B5E1494F131B780CCEAAAF5E11D0F0D5A68F2560E5CD89E578
Malicious:	false
Preview:	2024/09/04-07:13:19.463 1e24 Reusing MANIFEST C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB/MANIFEST-000001.2024/09/04-07:13:19.463 1e24 Recovering log #3.2024/09/04-07:13:19.463 1e24 Reusing old log C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB/000003.log .

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Web Data

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 10, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 10
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121311442920892
Encrypted:	false
SSDEEP:	384:b2qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:Kq+n0E9ELyKOMq+8y9/Ow
MD5:	54051EFED19B07096CD81BBE7F246FCC
SHA1:	18EAE3DCAD372D2BCDA6A3E4951944536BA497AB
SHA-256:	A9327205D50B1DF81A1735705F7341D2E3D6DD31978A34BCCC22073EA2A1A2F7
SHA-512:	DD8E8E25DC168994A29CF76342883C5EA9D0044A6A3A1BC8C4C0342889A01E9E7D08BDDE8F1B17CABCD495E2B4FE1FF635A9BD8479875315B3C9E1707DEED511
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\db053c8b-a0f5-4d88-ad8b-9db8ffbe0f37.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:L:L
MD5:	5058F1AF8388633F609CADB75A75DC9D
SHA1:	3A52CE780950D4D969792A2559CD519D7EE8C727
SHA-256:	CDB4EE2AEA69CC6A83331BBE96DC2CAA9A299D21329EFB0336FC02A82E1839A8
SHA-512:	0B61241D7C17BCBB1BAEE7094D14B7C451EFECC7FFCBD92598A0F13D313CC9EBC2A07E61F007BAF58FBF94FF9A8695BDD5CAE7CE03BBF1E94E93613A00F25F21
Malicious:	false
Preview:	.

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, writer version 2, read version 2, file counter 8, database pages 11, cookie 0x7, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	45056
Entropy (8bit):	0.4108834313259155
Encrypted:	false
SSDEEP:	24:TSWUYP5/ZrK/AxH1Aj5sAFWZmasamfDsCBjy8e+ZcI5fc:TnUYVAKAFXX+CcEc
MD5:	8593795778EA3EC8221366AA2FBBA867
SHA1:	2F307D4925183EA13E7BE637CB93ECAF2BA9810A
SHA-256:	F3C17873660988454A5A403D047FCE88379D1FE8917A89C98E6EB940F8929C03
SHA-512:	CC86DD61ACEDA6F2927C4C23CBD6D426F2C8CD1DF65E342C76D07153ACBF801F9B297F8EF182097CBABBDE6A49C90AF0E7A38E49AB53DF3FD2EC2D5BC675099A
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..................?.P................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db-shm

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.049731726990245535
Encrypted:	false
SSDEEP:	6:Gd0JAmu8jH0JAmu8rtCL9XCChslotGLNl0ml/XoQDeX:zJXsJXQpEjVl/XoQ
MD5:	C54B3D1870E84B11D259971CBC7B34F7
SHA1:	5F3D7D108711BA075CC8DFD4A079363B4F36DADB
SHA-256:	AC3A97348BF70C13B6BA0618708EE0F39FCA5644BAC0D2CD12CD9B5647D18F15
SHA-512:	4A0033E46E0309DC121922D795DC011FF830BA85FA02681A80C1FC1F145820526C328980034B21F20DFE4F83FA15F8D9D7FBB6F85024A614021E73AD24CFEFAD
Malicious:	false
Preview:	..-.....................:Db.W.v..4..}..tT...l...-.....................:Db.W.v..4..}..tT...l.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Last Version

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	13
Entropy (8bit):	2.7192945256669794
Encrypted:	false
SSDEEP:	3:NYLFRQI:ap2I
MD5:	BF16C04B916ACE92DB941EBB1AF3CB18
SHA1:	FA8DAEAE881F91F61EE0EE21BE5156255429AA8A
SHA-256:	7FC23C9028A316EC0AC25B09B5B0D61A1D21E58DFCF84C2A5F5B529129729098
SHA-512:	F0B7DF5517596B38D57C57B5777E008D6229AB5B1841BBE74602C77EEA2252BF644B8650C7642BD466213F62E15CC7AB5A95B28E26D3907260ED1B96A74B65FB
Malicious:	false
Preview:	117.0.2045.47

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44137
Entropy (8bit):	6.0906986433323285
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4kkBMBwuF9hDO6vP6O+jtbzy70FqHoPFkGoup1Xl3jVu:z/Ps+wsI7ynE16Ctbz8hu3VlXr4CRo1
MD5:	B3BAADA935C065004E2385629EBD919D
SHA1:	641E65F56D6E71DD8B4276A53D046283B5FAD836
SHA-256:	D9A8C7F129EDD2F95F82D33F324508D342EEDDA6095937A1905E85D7F0E62C66
SHA-512:	68AD8C6755CD0B64A7A6EF87E9DA03578A65D00A3A032F20CAC57704A957FFD69F587F38BC1042A88E3DE78DF99F8B456C25382A9D28B7D5E04F16ACD6D2DDDA
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State~RF36013.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44137
Entropy (8bit):	6.0906986433323285
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4kkBMBwuF9hDO6vP6O+jtbzy70FqHoPFkGoup1Xl3jVu:z/Ps+wsI7ynE16Ctbz8hu3VlXr4CRo1
MD5:	B3BAADA935C065004E2385629EBD919D
SHA1:	641E65F56D6E71DD8B4276A53D046283B5FAD836
SHA-256:	D9A8C7F129EDD2F95F82D33F324508D342EEDDA6095937A1905E85D7F0E62C66
SHA-512:	68AD8C6755CD0B64A7A6EF87E9DA03578A65D00A3A032F20CAC57704A957FFD69F587F38BC1042A88E3DE78DF99F8B456C25382A9D28B7D5E04F16ACD6D2DDDA
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State~RF360af.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44137
Entropy (8bit):	6.0906986433323285
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4kkBMBwuF9hDO6vP6O+jtbzy70FqHoPFkGoup1Xl3jVu:z/Ps+wsI7ynE16Ctbz8hu3VlXr4CRo1
MD5:	B3BAADA935C065004E2385629EBD919D
SHA1:	641E65F56D6E71DD8B4276A53D046283B5FAD836
SHA-256:	D9A8C7F129EDD2F95F82D33F324508D342EEDDA6095937A1905E85D7F0E62C66
SHA-512:	68AD8C6755CD0B64A7A6EF87E9DA03578A65D00A3A032F20CAC57704A957FFD69F587F38BC1042A88E3DE78DF99F8B456C25382A9D28B7D5E04F16ACD6D2DDDA
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State~RF361e7.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44137
Entropy (8bit):	6.0906986433323285
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4kkBMBwuF9hDO6vP6O+jtbzy70FqHoPFkGoup1Xl3jVu:z/Ps+wsI7ynE16Ctbz8hu3VlXr4CRo1
MD5:	B3BAADA935C065004E2385629EBD919D
SHA1:	641E65F56D6E71DD8B4276A53D046283B5FAD836
SHA-256:	D9A8C7F129EDD2F95F82D33F324508D342EEDDA6095937A1905E85D7F0E62C66
SHA-512:	68AD8C6755CD0B64A7A6EF87E9DA03578A65D00A3A032F20CAC57704A957FFD69F587F38BC1042A88E3DE78DF99F8B456C25382A9D28B7D5E04F16ACD6D2DDDA
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State~RF37d30.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44137
Entropy (8bit):	6.0906986433323285
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4kkBMBwuF9hDO6vP6O+jtbzy70FqHoPFkGoup1Xl3jVu:z/Ps+wsI7ynE16Ctbz8hu3VlXr4CRo1
MD5:	B3BAADA935C065004E2385629EBD919D
SHA1:	641E65F56D6E71DD8B4276A53D046283B5FAD836
SHA-256:	D9A8C7F129EDD2F95F82D33F324508D342EEDDA6095937A1905E85D7F0E62C66
SHA-512:	68AD8C6755CD0B64A7A6EF87E9DA03578A65D00A3A032F20CAC57704A957FFD69F587F38BC1042A88E3DE78DF99F8B456C25382A9D28B7D5E04F16ACD6D2DDDA
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State~RF37d7e.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44137
Entropy (8bit):	6.0906986433323285
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4kkBMBwuF9hDO6vP6O+jtbzy70FqHoPFkGoup1Xl3jVu:z/Ps+wsI7ynE16Ctbz8hu3VlXr4CRo1
MD5:	B3BAADA935C065004E2385629EBD919D
SHA1:	641E65F56D6E71DD8B4276A53D046283B5FAD836
SHA-256:	D9A8C7F129EDD2F95F82D33F324508D342EEDDA6095937A1905E85D7F0E62C66
SHA-512:	68AD8C6755CD0B64A7A6EF87E9DA03578A65D00A3A032F20CAC57704A957FFD69F587F38BC1042A88E3DE78DF99F8B456C25382A9D28B7D5E04F16ACD6D2DDDA
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State~RF37dbc.TMP (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44137
Entropy (8bit):	6.0906986433323285
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4kkBMBwuF9hDO6vP6O+jtbzy70FqHoPFkGoup1Xl3jVu:z/Ps+wsI7ynE16Ctbz8hu3VlXr4CRo1
MD5:	B3BAADA935C065004E2385629EBD919D
SHA1:	641E65F56D6E71DD8B4276A53D046283B5FAD836
SHA-256:	D9A8C7F129EDD2F95F82D33F324508D342EEDDA6095937A1905E85D7F0E62C66
SHA-512:	68AD8C6755CD0B64A7A6EF87E9DA03578A65D00A3A032F20CAC57704A957FFD69F587F38BC1042A88E3DE78DF99F8B456C25382A9D28B7D5E04F16ACD6D2DDDA
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\ShaderCache\data_1

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	270336
Entropy (8bit):	0.0018238520723782249
Encrypted:	false
SSDEEP:	3:MsEllllkEthXllkl2zET:/M/xT02z8
MD5:	AC81EF9540AC3DDCC4546B82AC3801BD
SHA1:	1AC27855FABFA8AF62752DA91E2A6EADC815CBBC
SHA-256:	4A2C8BA05BE86A2182B9BCC9AEC916588CC9502F4F505CD79991AF8326EC11E4
SHA-512:	D27635D446F0AEA20E138F96BEDEDF118CCF0BC8560CB2E11AB0AACE9D320E989164E2971DAB20571A9B6D9A1B4A52CAAF78084D2141372D77516F52ABD222AB
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Variations

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	85
Entropy (8bit):	4.3488360343066725
Encrypted:	false
SSDEEP:	3:YQ3JYq9xSs0dMEJAELJ25AmIpozQw:YQ3Kq9X0dMgAEiLI2
MD5:	265DB1C9337422F9AF69EF2B4E1C7205
SHA1:	3E38976BB5CF035C75C9BC185F72A80E70F41C2E
SHA-256:	7CA5A3CCC077698CA62AC8157676814B3D8E93586364D0318987E37B4F8590BC
SHA-512:	3CC9B76D8D4B6EDB4C41677BE3483AC37785F3BBFEA4489F3855433EBF84EA25FC48EFEE9B74CAB268DC9CB7FB4789A81C94E75C7BF723721DE28AEF53D8B529
Malicious:	false
Preview:	{"user_experience_metrics.stability.exited_cleanly":true,"variations_crash_streak":2}

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\a81ae047-281b-4644-b2db-144980522ad4.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44673
Entropy (8bit):	6.0956765801362955
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4xkBBFuthDO6vP6OKJ9JipgK+zNcGoup1Xl3jVzXr4CW:z/Ps+wsI7yOEh6qJ9lchu3VlXr4CRo1
MD5:	DD00744B1421798B5A0CDC0FE95077CC
SHA1:	5E88B3F33FF2E0157402375266429E9F139AD531
SHA-256:	DD75560DB181C8F3E9E00B83DF1DA103D32DD3915899FCFA8A326AC2C8FA0C66
SHA-512:	C97638A6563DEB969269178C3FC44DD629B0DEBD8368EDAD58D400481B64CA84E5FD6B9CF47F07063A5E02D19E3C9EC116F210ED93C40A08B2EA305ED2A79979
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\bf7eddf8-9078-4411-a331-d6c2186bea70.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44672
Entropy (8bit):	6.095842788935105
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4xkBBwuthDO6vP6OKJ9RKpnxFWcGoup1Xl3jVzXr4CCz:z/Ps+wsI7yOEi6qJ9Rchu3VlXr4CRo1
MD5:	379BDB5E2DDFA3B3D4B593EF6A500EF3
SHA1:	35557EBB09B6FB6374EA2CEC680AD09377332C69
SHA-256:	B2C161CBBD5F0D7056702B1648FDEC3F617D8130FFC010E2E2A8A6FC307D5DDD
SHA-512:	F1A5E5F9C9E966173D5A5161C0897AC932532145B6EB5A8A023670FECD1535217347CAF5B2C44B633870B5ECBD6100A577ED4F02293154CE74967910204F61C4
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\c810553f-a0dc-4b05-be5f-3f77bdb4e6d2.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	modified
Size (bytes):	44673
Entropy (8bit):	6.095688100266986
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4xkBBFuthDO6vP6OKJ9JipgK+zNcGoup1Xl3jVzXr4CW:z/Ps+wsI7yOEh6qJ9Jchu3VlXr4CRo1
MD5:	FCAF459F4CFFCED758B1E0A7EB00DC20
SHA1:	5AFFB5081E597E94653EE09B25B6299D6505BBEC
SHA-256:	EC3D490E0183FAEC0AB87D4CFA8FBE3DB87B77F900B5A0F0AFF3A367BFB63BEA
SHA-512:	BF525A3A4F44F97C329E30617CEEBF4139FB6A4315CA7AC1F1ACDB7BF7D4AAA876D132E46F800D811ECAD8C6AB6AD66FC5B9E19795162B91ABC27A7743621B1F
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\cf1d0cfb-2324-4194-9557-fc6a3754d0b6.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	44673
Entropy (8bit):	6.095835787712181
Encrypted:	false
SSDEEP:	768:zDXzgWPsj/qlGJqIY8GB4xkBBFuthDO6vP6OKJ9RqpnxFWcGoup1Xl3jVzXr4CCz:z/Ps+wsI7yOEh6qJ9xchu3VlXr4CRo1
MD5:	B61F1261BA72E3E8DD373376D259D950
SHA1:	CDE068DD85CA0960E2F16872B3F192C911113BF8
SHA-256:	0566DD6732541DAD34C406E1D15EAD0499D2373CBD3549225A36C1C5C25D015A
SHA-512:	5285B0C845EBEA41BF53C3E15143952FF3A9F9BFB52ACC394A0CA8D80CA43745D5E27F4E738DADEADE2E8DF7566F1C9DD2358A0A52479335A508B20EC3500CC5
Malicious:	false
Preview:	{"abusive_adblocker_etag":"\"229EC35087C81534A88F41A12F3A505F330A0BE57C43F6CEB29F4718042EFC4F\"","desktop_mode":{"clear_prefs_once_applied":true,"is_on":false,"is_on_by_default_applied":true,"is_search_only_on_by_default_applied":true},"domain_actions_config":"H4sIAAAAAAAAAL19a4/cNpboXzH60+4gRbvbrzj7aTbj2Ql2MhlkswhwF4MGRVISWxQp81FVqkH++z2HUrXbLkndh51dBHba1XX4PDzvxz+v+P76VjipxG2teExe3YpWie7W7ZX3Wqqr7/55xYfBaMGjdjZcffc/8wdK3g4OPh+vvrv6aYg/pXj1zZV0PdcWPrEq1kYfmXD91W/fUEBCTFK7MEH+45urDKHVNLPlvXoIHMcB//3H/fX3uIk/T3v4HrcwfweHgL0EWPzVd9e/fXMlZE/dnTXjx+Pggvq74ePPisvx4bqD0bbZ2Og99K8w415b9RA4usTivgSy50f4WTHYRQE0r0TxkvcMIVQpvOHvmY4lkMdaWx3H0okPPIoWVi/cFl5uDqEbWICCMbxrAKlKh6lMUiL5PY4UWn5ggpcM0yp8Ynv4jYve2dLVCA978oD/ouXWKlM6jo08toiSpffjDoNXQdkYBpOKD3ffHgufVJtMKp0Vvs4+JS06uJShdJA/6dD+0Y6HVnm1TQAXSdJMDfEjnz/CJVxAPJh4Brj/5JJYZtZAI5d/gW/+WP9F7UWmyTTSsQFstY3KSrd5MJfw8x4ffriwzR5P5lZboOXq2cwPcaHxvO+5N1vU6gKw18K74OqIVMGrwcGWi+B3/fhgiJ2sSYzY4W5ZcE8FcFZJr/eKGfyLMJOray0KIOCL4cFk21LCwm0jIsXbWhuge7fO3sKot+GggT0

C:\Users\user\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	2278
Entropy (8bit):	3.8421230708481517
Encrypted:	false
SSDEEP:	48:uiTrlKxrgx13xl9Il8uE2ElzlFHn7ScAEb/wHCLjyVwDfBd1rc:m2DYelzlFHnOEjLjyVwDq
MD5:	522D99EB66DBA66C89E6F860FAB10A32
SHA1:	A713ACEAFE4398B317EB19E36EC94B03D8F3DBAE
SHA-256:	CFB391EB478D7352E5EAB7B623ECCC0E655F0A933312F1EF676429915E715FB3
SHA-512:	E37E25882F85A8ADD66805ADD638715BBC864893D6F25C73BD0CB04329C2C245E34EE130562FB95D2873D3E210CD8E28E19A854EBA53B44B28AE17552971C4E6
Malicious:	false
Preview:	{.".T.B.D.a.t.a.S.t.o.r.e.O.b.j.e.c.t.".:.{.".H.e.a.d.e.r.".:.{.".O.b.j.e.c.t.T.y.p.e.".:.".T.o.k.e.n.R.e.s.p.o.n.s.e.".,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.a.j.o.r.".:.2.,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.i.n.o.r.".:.1.}.,.".O.b.j.e.c.t.D.a.t.a.".:.{.".S.y.s.t.e.m.D.e.f.i.n.e.d.P.r.o.p.e.r.t.i.e.s.".:.{.".R.e.q.u.e.s.t.I.n.d.e.x.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".W.i.p.w.W.M.+.N.H.l.b.C.D.m.s.Z.p.8.S.O.s.j.h.t.F.B.s.=.".}.,.".E.x.p.i.r.a.t.i.o.n.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".A.B.R.P.x.s.P.+.2.g.E.=.".}.,.".S.t.a.t.u.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".A.A.A.A.A.A.=.=.".}.,.".R.e.s.p.o.n.s.e.B.y.t.e.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.t.r.u.e.,.".V.a.l.u.e.".:.".A.Q.A.A.A.N.C.M.n.d.8.B.F.d.E.R.j.H.o.A.w.E./.C.l.+.s.B.A.A.A.A.c.D.h.M.r.a.

C:\Users\user\AppData\Local\Microsoft\TokenBroker\Cache\cf7513a936f7effbb38627e56f8d1fce10eb12cc.tbres

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	4622
Entropy (8bit):	3.9931099053874575
Encrypted:	false
SSDEEP:	96:nYE2QcPWVll6NxW+bBTInIaSXP1nHs6POU7JT:nSQFvoNFBEnIaSf9Hs6J7d
MD5:	9B61A96EF86029792764FB4FA6768692
SHA1:	C263FB14A12708CE3C35F1B29AF0B9F70B229A38
SHA-256:	936BB6C56DCF0E5DFAB1B445F20CB268FED7BA84F0185EC5CF401F9F2ABD04CE
SHA-512:	3984DDD61EBD374C97B857AE16BC496ED3571AB099601B463ABAD1881F6B616CDEAE189ADCDB49CAE3A2F9EA9B6476A9B08CCE0678A53F584070789B509DF263
Malicious:	false
Preview:	{.".T.B.D.a.t.a.S.t.o.r.e.O.b.j.e.c.t.".:.{.".H.e.a.d.e.r.".:.{.".O.b.j.e.c.t.T.y.p.e.".:.".T.o.k.e.n.R.e.s.p.o.n.s.e.".,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.a.j.o.r.".:.2.,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.i.n.o.r.".:.1.}.,.".O.b.j.e.c.t.D.a.t.a.".:.{.".S.y.s.t.e.m.D.e.f.i.n.e.d.P.r.o.p.e.r.t.i.e.s.".:.{.".R.e.q.u.e.s.t.I.n.d.e.x.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".z.3.U.T.q.T.b.3.7./.u.z.h.i.f.l.b.4.0.f.z.h.D.r.E.s.w.=.".}.,.".E.x.p.i.r.a.t.i.o.n.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".y.L.w.t.r.L.v.+.2.g.E.=.".}.,.".S.t.a.t.u.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".A.w.A.A.A.A.=.=.".}.,.".R.e.s.p.o.n.s.e.B.y.t.e.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.t.r.u.e.,.".V.a.l.u.e.".:.".A.Q.A.A.A.N.C.M.n.d.8.B.F.d.E.R.j.H.o.A.w.E./.C.l.+.s.B.A.A.A.A.c.D.h.M.r.a.

C:\Users\user\AppData\Local\Temp\cv_debug.log

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1880
Entropy (8bit):	5.395246081770177
Encrypted:	false
SSDEEP:	48:Yzj57SnaJ57H57Uv5W1Sj5W175zuR5z+5zn071eDJk5c1903bj5jJp0gcU854Rr9:8e2Fa116uCntc5toYwu
MD5:	5451063A2D7F8CADCF4EF357923AD336
SHA1:	76F43E591F87205AA8E8E4DFA62C18EF15062F93
SHA-256:	4E54FD174A572269A001480B8E6AB8EA1D00F051AC9103253E164FED21D26C83
SHA-512:	C7AE2C24167E9E9A62B3B104035F619407060636BBA51806C65F5816B98B1B9ED235A19245B86B018C57F3F25EE051957C185ECBC7B02F210E54C605746836CB
Malicious:	false
Preview:	{"logTime": "1004/133448", "correlationVector":"vYS73lRT+EoO2Owh9jsc+Y","action":"EXTENSION_UPDATER", "result":""}.{"logTime": "1004/133448", "correlationVector":"n/KhuHPhHmYXokB31+JZz7","action":"EXTENSION_UPDATER", "result":""}.{"logTime": "1004/133448", "correlationVector":"fclQx26bUZO07waFEDe6Fn","action":"EXTENSION_UPDATER", "result":""}.{"logTime": "1004/133448", "correlationVector":"0757l0tkKt37vNrdCKAm8w","action":"EXTENSION_UPDATER", "result":""}.{"logTime": "1004/133449", "correlationVector":"uTRRkmbbqkgK/wPBCS4fct","action":"EXTENSION_UPDATER", "result":""}.{"logTime": "1004/133449", "correlationVector":"2DrXipL1ngF91RN7IemK0e","action":"EXTENSION_UPDATER", "result":""}.{"logTime": "1004/134324", "correlationVector":"d0GyjEgnW85fvDIojHVIXI","action":"EXTENSION_UPDATER", "result":""}.{"logTime": "1004/134324", "correlationVector":"PvfzGWRutB/kmuXUK+c8XA","action":"EXTENSION_UPDATER", "result":""}.{"logTime": "1004/134324", "correlationVector":"29CB75FBC4C942E0817A1F7A0E2CF647

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\875a60a09683c344.customDestinations-ms (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	3888
Entropy (8bit):	3.5138136977586854
Encrypted:	false
SSDEEP:	48:6EJedOLW+HsJ8rYzBdLXuHDkDpo2AhkdOLkHsJ8rYzngdLXuHDk+21:Ex3ujkDvknIujkz
MD5:	71D9B58C76D33332631699310564A436
SHA1:	5B6778224D1E5ACE4B1F83990658522D93AC013C
SHA-256:	4813375D5A68609156BB5F38AA461BE28FA7448F68720B952CBE940B2AB6D767
SHA-512:	6C9F7F0BD41EE05F54C6402CF98233148826A224748B4ECE7530180DAA43E9C5D1302651BBD7799C10A6A7E47177B979237B4C644977D3537764FB350578F556
Malicious:	false
Preview:	...................................FL..................F.@.. .....\|.K.....3e.....?......(>@.....................1....P.O. .:i.....+00.../C:\.....................1.....DW.r..PROGRA~2.........O.IDW.r....................V.....#.%.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....\.1.....DW.r..MICROS~1..D......(Ux.$Y.Y...........................Pa.M.i.c.r.o.s.o.f.t.....N.1.....CWaa0.Edge..:.......S8.DWUl...........................s..E.d.g.e.....`.1.....CWaa0.APPLIC~1..H.......S8.$Y.Y..............................A.p.p.l.i.c.a.t.i.o.n.....`.2.(>@.=W2b .msedge.exe..F.......S8.$Y.Y....u.......................q.m.s.e.d.g.e...e.x.e.......k...............-.......j............z.......C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe..<.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.M.i.c.r.o.s.o.f.t.\.E.d.g.e.\.A.p.p.l.i.c.a.t.i.o.n.\.m.s.e.d.g.e...e.x.e.........%ProgramFiles(x86)%\Microsoft\Edge\Application\msedge.exe...............................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\SFDZ0A8IMNJXKS0ETBUV.temp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	3888
Entropy (8bit):	3.5117677791487534
Encrypted:	false
SSDEEP:	48:6EhkdOLkHsJ8rYzBdLXuHDkDpo2AhkdOLkHsJ8rYzngdLXuHDk+21:T3ujkDvknIujkz
MD5:	6F67790E6D5C7BEFC9E9DD417855C283
SHA1:	918274B82581D990A087D9A07B2FE4084C7D06D5
SHA-256:	5FC549F27ADAC8D73CC2FEA70E247D573A6505BC0AB5BBD352A880B96187FA5B
SHA-512:	5356D1A1A95E64A5B58E5F7557BEE9E01FC31CCF7701AC63534417013071A06653A3BC72A48B2809F242ABC5DDA6091AF1C870C74B3DC6CC0E2D9EF6108BB309
Malicious:	false
Preview:	...................................FL..................F.@.. .....\|.K.....3e.....?......(>@.....................1....P.O. .:i.....+00.../C:\.....................1.....$Y.Y..PROGRA~2.........O.I$Y.Y....................V......J.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....\.1.....DW.r..MICROS~1..D......(Ux.$Y.Y...........................Pa.M.i.c.r.o.s.o.f.t.....N.1.....CWaa0.Edge..:.......S8.$Y.Y...........................s..E.d.g.e.....`.1.....CWaa0.APPLIC~1..H.......S8.$Y.Y..............................A.p.p.l.i.c.a.t.i.o.n.....`.2.(>@.=W2b .msedge.exe..F.......S8.$Y.Y....u.......................q.m.s.e.d.g.e...e.x.e.......k...............-.......j............z.......C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe..<.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.M.i.c.r.o.s.o.f.t.\.E.d.g.e.\.A.p.p.l.i.c.a.t.i.o.n.\.m.s.e.d.g.e...e.x.e.........%ProgramFiles(x86)%\Microsoft\Edge\Application\msedge.exe...............................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\TZTXGG3XLTT6JC0AK51C.temp

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	3888
Entropy (8bit):	3.5138136977586854
Encrypted:	false
SSDEEP:	48:6EJedOLW+HsJ8rYzBdLXuHDkDpo2AhkdOLkHsJ8rYzngdLXuHDk+21:Ex3ujkDvknIujkz
MD5:	71D9B58C76D33332631699310564A436
SHA1:	5B6778224D1E5ACE4B1F83990658522D93AC013C
SHA-256:	4813375D5A68609156BB5F38AA461BE28FA7448F68720B952CBE940B2AB6D767
SHA-512:	6C9F7F0BD41EE05F54C6402CF98233148826A224748B4ECE7530180DAA43E9C5D1302651BBD7799C10A6A7E47177B979237B4C644977D3537764FB350578F556
Malicious:	false
Preview:	...................................FL..................F.@.. .....\|.K.....3e.....?......(>@.....................1....P.O. .:i.....+00.../C:\.....................1.....DW.r..PROGRA~2.........O.IDW.r....................V.....#.%.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....\.1.....DW.r..MICROS~1..D......(Ux.$Y.Y...........................Pa.M.i.c.r.o.s.o.f.t.....N.1.....CWaa0.Edge..:.......S8.DWUl...........................s..E.d.g.e.....`.1.....CWaa0.APPLIC~1..H.......S8.$Y.Y..............................A.p.p.l.i.c.a.t.i.o.n.....`.2.(>@.=W2b .msedge.exe..F.......S8.$Y.Y....u.......................q.m.s.e.d.g.e...e.x.e.......k...............-.......j............z.......C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe..<.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.M.i.c.r.o.s.o.f.t.\.E.d.g.e.\.A.p.p.l.i.c.a.t.i.o.n.\.m.s.e.d.g.e...e.x.e.........%ProgramFiles(x86)%\Microsoft\Edge\Application\msedge.exe...............................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File Type:	data
Category:	dropped
Size (bytes):	3888
Entropy (8bit):	3.5117677791487534
Encrypted:	false
SSDEEP:	48:6EhkdOLkHsJ8rYzBdLXuHDkDpo2AhkdOLkHsJ8rYzngdLXuHDk+21:T3ujkDvknIujkz
MD5:	6F67790E6D5C7BEFC9E9DD417855C283
SHA1:	918274B82581D990A087D9A07B2FE4084C7D06D5
SHA-256:	5FC549F27ADAC8D73CC2FEA70E247D573A6505BC0AB5BBD352A880B96187FA5B
SHA-512:	5356D1A1A95E64A5B58E5F7557BEE9E01FC31CCF7701AC63534417013071A06653A3BC72A48B2809F242ABC5DDA6091AF1C870C74B3DC6CC0E2D9EF6108BB309
Malicious:	false
Preview:	...................................FL..................F.@.. .....\|.K.....3e.....?......(>@.....................1....P.O. .:i.....+00.../C:\.....................1.....$Y.Y..PROGRA~2.........O.I$Y.Y....................V......J.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....\.1.....DW.r..MICROS~1..D......(Ux.$Y.Y...........................Pa.M.i.c.r.o.s.o.f.t.....N.1.....CWaa0.Edge..:.......S8.$Y.Y...........................s..E.d.g.e.....`.1.....CWaa0.APPLIC~1..H.......S8.$Y.Y..............................A.p.p.l.i.c.a.t.i.o.n.....`.2.(>@.=W2b .msedge.exe..F.......S8.$Y.Y....u.......................q.m.s.e.d.g.e...e.x.e.......k...............-.......j............z.......C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe..<.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.M.i.c.r.o.s.o.f.t.\.E.d.g.e.\.A.p.p.l.i.c.a.t.i.o.n.\.m.s.e.d.g.e...e.x.e.........%ProgramFiles(x86)%\Microsoft\Edge\Application\msedge.exe...............................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.5797662304129725
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	917'504 bytes
MD5:	7497f8786c80212a680b035b87405c7e
SHA1:	85cd0a08cf47dd1728e8eda794de064df856bcff
SHA256:	6dc7e77d27a0694d782fbb4a8c68afc57cf81d448ffe32efd0452cd6901f4e4c
SHA512:	16528ac5a9d32dfccf39c41b88a9b781268a257340007885a38b458d37464ed88b154584c561a65f889d43a1636a7c75d90251e9b2cbcd8bb9673eec2a5518b6
SSDEEP:	12288:RqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDgacTu:RqDEvCTbMWu7rQYlBQcBiT6rprG8asu
TLSH:	B4159E0273D1C062FFAB92334B5AF6515BBC69260123E61F13981DB9BE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x66D836CD [Wed Sep 4 10:30:37 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007F8760F16123h
jmp 00007F8760F15A2Fh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F8760F15C0Dh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F8760F15BDAh
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007F8760F187CDh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007F8760F18818h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007F8760F18801h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x95c8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xde000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x95c8	0x9600	1432f8d1234834338b63280189aca9f2	False	0.28692708333333333	data	5.165417454870775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xde000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0x890	data			1.0050182481751824
RT_GROUP_ICON	0xdd048	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xdd0c0	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xdd0d4	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xdd0e8	0x14	data	English	Great Britain	1.25
RT_VERSION	0xdd0fc	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xdd1d8	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 4, 2024 13:12:47.951020002 CEST	443	49712	20.190.159.73	192.168.2.5
Sep 4, 2024 13:12:47.951217890 CEST	49712	443	192.168.2.5	20.190.159.73
Sep 4, 2024 13:12:48.723753929 CEST	49712	443	192.168.2.5	20.190.159.73
Sep 4, 2024 13:12:48.723778963 CEST	443	49712	20.190.159.73	192.168.2.5
Sep 4, 2024 13:12:48.724165916 CEST	443	49712	20.190.159.73	192.168.2.5
Sep 4, 2024 13:12:48.724673986 CEST	49712	443	192.168.2.5	20.190.159.73
Sep 4, 2024 13:12:48.724775076 CEST	49712	443	192.168.2.5	20.190.159.73
Sep 4, 2024 13:12:48.724797010 CEST	443	49712	20.190.159.73	192.168.2.5
Sep 4, 2024 13:12:49.104875088 CEST	443	49712	20.190.159.73	192.168.2.5
Sep 4, 2024 13:12:49.104897976 CEST	443	49712	20.190.159.73	192.168.2.5
Sep 4, 2024 13:12:49.104934931 CEST	443	49712	20.190.159.73	192.168.2.5
Sep 4, 2024 13:12:49.104995966 CEST	443	49712	20.190.159.73	192.168.2.5
Sep 4, 2024 13:12:49.105082989 CEST	49712	443	192.168.2.5	20.190.159.73
Sep 4, 2024 13:12:49.107208014 CEST	49712	443	192.168.2.5	20.190.159.73
Sep 4, 2024 13:12:49.108429909 CEST	49712	443	192.168.2.5	20.190.159.73
Sep 4, 2024 13:12:49.108450890 CEST	443	49712	20.190.159.73	192.168.2.5
Sep 4, 2024 13:12:49.108496904 CEST	49712	443	192.168.2.5	20.190.159.73
Sep 4, 2024 13:12:49.108501911 CEST	443	49712	20.190.159.73	192.168.2.5
Sep 4, 2024 13:12:49.162992001 CEST	49714	443	192.168.2.5	20.190.159.73
Sep 4, 2024 13:12:49.163052082 CEST	443	49714	20.190.159.73	192.168.2.5
Sep 4, 2024 13:12:49.163136959 CEST	49714	443	192.168.2.5	20.190.159.73
Sep 4, 2024 13:12:49.167754889 CEST	49714	443	192.168.2.5	20.190.159.73
Sep 4, 2024 13:12:49.167771101 CEST	443	49714	20.190.159.73	192.168.2.5
Sep 4, 2024 13:12:49.733619928 CEST	49675	443	192.168.2.5	23.1.237.91
Sep 4, 2024 13:12:49.749243021 CEST	49674	443	192.168.2.5	23.1.237.91
Sep 4, 2024 13:12:49.858625889 CEST	49673	443	192.168.2.5	23.1.237.91
Sep 4, 2024 13:12:49.961791039 CEST	443	49714	20.190.159.73	192.168.2.5
Sep 4, 2024 13:12:49.961935043 CEST	49714	443	192.168.2.5	20.190.159.73
Sep 4, 2024 13:12:49.967876911 CEST	49714	443	192.168.2.5	20.190.159.73
Sep 4, 2024 13:12:49.967901945 CEST	443	49714	20.190.159.73	192.168.2.5
Sep 4, 2024 13:12:49.968197107 CEST	443	49714	20.190.159.73	192.168.2.5
Sep 4, 2024 13:12:49.969468117 CEST	49714	443	192.168.2.5	20.190.159.73
Sep 4, 2024 13:12:49.969533920 CEST	49714	443	192.168.2.5	20.190.159.73
Sep 4, 2024 13:12:49.969546080 CEST	443	49714	20.190.159.73	192.168.2.5
Sep 4, 2024 13:12:50.291047096 CEST	443	49714	20.190.159.73	192.168.2.5
Sep 4, 2024 13:12:50.291064978 CEST	443	49714	20.190.159.73	192.168.2.5
Sep 4, 2024 13:12:50.291142941 CEST	443	49714	20.190.159.73	192.168.2.5
Sep 4, 2024 13:12:50.291204929 CEST	49714	443	192.168.2.5	20.190.159.73
Sep 4, 2024 13:12:50.291248083 CEST	49714	443	192.168.2.5	20.190.159.73
Sep 4, 2024 13:12:50.291486979 CEST	49714	443	192.168.2.5	20.190.159.73
Sep 4, 2024 13:12:50.291503906 CEST	443	49714	20.190.159.73	192.168.2.5
Sep 4, 2024 13:12:50.291512966 CEST	49714	443	192.168.2.5	20.190.159.73
Sep 4, 2024 13:12:50.291520119 CEST	443	49714	20.190.159.73	192.168.2.5
Sep 4, 2024 13:12:50.316436052 CEST	49715	443	192.168.2.5	20.190.159.73
Sep 4, 2024 13:12:50.316489935 CEST	443	49715	20.190.159.73	192.168.2.5
Sep 4, 2024 13:12:50.316555977 CEST	49715	443	192.168.2.5	20.190.159.73
Sep 4, 2024 13:12:50.316751003 CEST	49715	443	192.168.2.5	20.190.159.73
Sep 4, 2024 13:12:50.316764116 CEST	443	49715	20.190.159.73	192.168.2.5
Sep 4, 2024 13:12:50.319416046 CEST	49716	443	192.168.2.5	20.190.159.73
Sep 4, 2024 13:12:50.319453001 CEST	443	49716	20.190.159.73	192.168.2.5
Sep 4, 2024 13:12:50.319509983 CEST	49716	443	192.168.2.5	20.190.159.73
Sep 4, 2024 13:12:50.319705963 CEST	49716	443	192.168.2.5	20.190.159.73
Sep 4, 2024 13:12:50.319720984 CEST	443	49716	20.190.159.73	192.168.2.5
Sep 4, 2024 13:12:51.086347103 CEST	443	49715	20.190.159.73	192.168.2.5
Sep 4, 2024 13:12:51.086500883 CEST	443	49716	20.190.159.73	192.168.2.5
Sep 4, 2024 13:12:51.087663889 CEST	49716	443	192.168.2.5	20.190.159.73
Sep 4, 2024 13:12:51.087685108 CEST	443	49716	20.190.159.73	192.168.2.5
Sep 4, 2024 13:12:51.087723017 CEST	49715	443	192.168.2.5	20.190.159.73
Sep 4, 2024 13:12:51.087733984 CEST	443	49715	20.190.159.73	192.168.2.5
Sep 4, 2024 13:12:51.088227034 CEST	49716	443	192.168.2.5	20.190.159.73
Sep 4, 2024 13:12:51.088232994 CEST	443	49716	20.190.159.73	192.168.2.5
Sep 4, 2024 13:12:51.088253975 CEST	49716	443	192.168.2.5	20.190.159.73
Sep 4, 2024 13:12:51.088263035 CEST	443	49716	20.190.159.73	192.168.2.5
Sep 4, 2024 13:12:51.088377953 CEST	49715	443	192.168.2.5	20.190.159.73
Sep 4, 2024 13:12:51.088382959 CEST	443	49715	20.190.159.73	192.168.2.5
Sep 4, 2024 13:12:51.088439941 CEST	49715	443	192.168.2.5	20.190.159.73
Sep 4, 2024 13:12:51.088447094 CEST	443	49715	20.190.159.73	192.168.2.5
Sep 4, 2024 13:12:51.415996075 CEST	443	49715	20.190.159.73	192.168.2.5
Sep 4, 2024 13:12:51.416013956 CEST	443	49715	20.190.159.73	192.168.2.5
Sep 4, 2024 13:12:51.416078091 CEST	49715	443	192.168.2.5	20.190.159.73
Sep 4, 2024 13:12:51.416093111 CEST	443	49715	20.190.159.73	192.168.2.5
Sep 4, 2024 13:12:51.416105032 CEST	443	49715	20.190.159.73	192.168.2.5
Sep 4, 2024 13:12:51.416168928 CEST	49715	443	192.168.2.5	20.190.159.73
Sep 4, 2024 13:12:51.416277885 CEST	49715	443	192.168.2.5	20.190.159.73
Sep 4, 2024 13:12:51.416296959 CEST	443	49715	20.190.159.73	192.168.2.5
Sep 4, 2024 13:12:51.416309118 CEST	49715	443	192.168.2.5	20.190.159.73
Sep 4, 2024 13:12:51.416315079 CEST	443	49715	20.190.159.73	192.168.2.5
Sep 4, 2024 13:12:52.821147919 CEST	443	49716	20.190.159.73	192.168.2.5
Sep 4, 2024 13:12:52.821173906 CEST	443	49716	20.190.159.73	192.168.2.5
Sep 4, 2024 13:12:52.821209908 CEST	443	49716	20.190.159.73	192.168.2.5
Sep 4, 2024 13:12:52.821239948 CEST	49716	443	192.168.2.5	20.190.159.73
Sep 4, 2024 13:12:52.821261883 CEST	443	49716	20.190.159.73	192.168.2.5
Sep 4, 2024 13:12:52.821273088 CEST	443	49716	20.190.159.73	192.168.2.5
Sep 4, 2024 13:12:52.821283102 CEST	49716	443	192.168.2.5	20.190.159.73
Sep 4, 2024 13:12:52.821325064 CEST	49716	443	192.168.2.5	20.190.159.73
Sep 4, 2024 13:12:52.888927937 CEST	49716	443	192.168.2.5	20.190.159.73
Sep 4, 2024 13:12:52.888959885 CEST	443	49716	20.190.159.73	192.168.2.5
Sep 4, 2024 13:12:52.888971090 CEST	49716	443	192.168.2.5	20.190.159.73
Sep 4, 2024 13:12:52.888978004 CEST	443	49716	20.190.159.73	192.168.2.5
Sep 4, 2024 13:12:53.023875952 CEST	49717	443	192.168.2.5	20.190.159.73
Sep 4, 2024 13:12:53.023924112 CEST	443	49717	20.190.159.73	192.168.2.5
Sep 4, 2024 13:12:53.023981094 CEST	49717	443	192.168.2.5	20.190.159.73
Sep 4, 2024 13:12:53.025672913 CEST	49717	443	192.168.2.5	20.190.159.73
Sep 4, 2024 13:12:53.025691986 CEST	443	49717	20.190.159.73	192.168.2.5
Sep 4, 2024 13:12:53.806057930 CEST	443	49717	20.190.159.73	192.168.2.5
Sep 4, 2024 13:12:53.858594894 CEST	49717	443	192.168.2.5	20.190.159.73
Sep 4, 2024 13:12:54.007076979 CEST	49717	443	192.168.2.5	20.190.159.73
Sep 4, 2024 13:12:54.007093906 CEST	443	49717	20.190.159.73	192.168.2.5
Sep 4, 2024 13:12:54.009028912 CEST	49717	443	192.168.2.5	20.190.159.73
Sep 4, 2024 13:12:54.009041071 CEST	443	49717	20.190.159.73	192.168.2.5
Sep 4, 2024 13:12:54.009191990 CEST	49717	443	192.168.2.5	20.190.159.73
Sep 4, 2024 13:12:54.009203911 CEST	443	49717	20.190.159.73	192.168.2.5
Sep 4, 2024 13:12:54.292771101 CEST	443	49717	20.190.159.73	192.168.2.5
Sep 4, 2024 13:12:54.292803049 CEST	443	49717	20.190.159.73	192.168.2.5
Sep 4, 2024 13:12:54.292810917 CEST	443	49717	20.190.159.73	192.168.2.5
Sep 4, 2024 13:12:54.292845011 CEST	443	49717	20.190.159.73	192.168.2.5
Sep 4, 2024 13:12:54.292861938 CEST	443	49717	20.190.159.73	192.168.2.5
Sep 4, 2024 13:12:54.292901993 CEST	49717	443	192.168.2.5	20.190.159.73
Sep 4, 2024 13:12:54.292938948 CEST	443	49717	20.190.159.73	192.168.2.5
Sep 4, 2024 13:12:54.292974949 CEST	49717	443	192.168.2.5	20.190.159.73
Sep 4, 2024 13:12:54.293176889 CEST	443	49717	20.190.159.73	192.168.2.5
Sep 4, 2024 13:12:54.294012070 CEST	49717	443	192.168.2.5	20.190.159.73
Sep 4, 2024 13:12:54.921660900 CEST	49717	443	192.168.2.5	20.190.159.73
Sep 4, 2024 13:12:54.921696901 CEST	443	49717	20.190.159.73	192.168.2.5
Sep 4, 2024 13:12:54.921709061 CEST	49717	443	192.168.2.5	20.190.159.73
Sep 4, 2024 13:12:54.921716928 CEST	443	49717	20.190.159.73	192.168.2.5
Sep 4, 2024 13:12:55.413105965 CEST	49718	443	192.168.2.5	20.190.159.73
Sep 4, 2024 13:12:55.413157940 CEST	443	49718	20.190.159.73	192.168.2.5
Sep 4, 2024 13:12:55.413220882 CEST	49718	443	192.168.2.5	20.190.159.73
Sep 4, 2024 13:12:55.460493088 CEST	49718	443	192.168.2.5	20.190.159.73
Sep 4, 2024 13:12:55.460530043 CEST	443	49718	20.190.159.73	192.168.2.5
Sep 4, 2024 13:12:56.229090929 CEST	443	49718	20.190.159.73	192.168.2.5
Sep 4, 2024 13:12:56.332784891 CEST	49718	443	192.168.2.5	20.190.159.73
Sep 4, 2024 13:12:56.332784891 CEST	49718	443	192.168.2.5	20.190.159.73
Sep 4, 2024 13:12:56.332797050 CEST	443	49718	20.190.159.73	192.168.2.5
Sep 4, 2024 13:12:56.332803965 CEST	443	49718	20.190.159.73	192.168.2.5
Sep 4, 2024 13:12:56.332906008 CEST	49718	443	192.168.2.5	20.190.159.73
Sep 4, 2024 13:12:56.332912922 CEST	443	49718	20.190.159.73	192.168.2.5
Sep 4, 2024 13:12:56.658497095 CEST	443	49718	20.190.159.73	192.168.2.5
Sep 4, 2024 13:12:56.658519030 CEST	443	49718	20.190.159.73	192.168.2.5
Sep 4, 2024 13:12:56.658529997 CEST	443	49718	20.190.159.73	192.168.2.5
Sep 4, 2024 13:12:56.658555984 CEST	443	49718	20.190.159.73	192.168.2.5
Sep 4, 2024 13:12:56.658562899 CEST	443	49718	20.190.159.73	192.168.2.5
Sep 4, 2024 13:12:56.658660889 CEST	49718	443	192.168.2.5	20.190.159.73
Sep 4, 2024 13:12:56.658679962 CEST	443	49718	20.190.159.73	192.168.2.5
Sep 4, 2024 13:12:56.658716917 CEST	49718	443	192.168.2.5	20.190.159.73
Sep 4, 2024 13:12:56.658955097 CEST	443	49718	20.190.159.73	192.168.2.5
Sep 4, 2024 13:12:56.659321070 CEST	49718	443	192.168.2.5	20.190.159.73
Sep 4, 2024 13:12:56.659589052 CEST	49718	443	192.168.2.5	20.190.159.73
Sep 4, 2024 13:12:56.659589052 CEST	49718	443	192.168.2.5	20.190.159.73
Sep 4, 2024 13:12:56.659610033 CEST	443	49718	20.190.159.73	192.168.2.5
Sep 4, 2024 13:12:56.659619093 CEST	443	49718	20.190.159.73	192.168.2.5
Sep 4, 2024 13:12:56.760631084 CEST	49727	443	192.168.2.5	20.42.65.92
Sep 4, 2024 13:12:56.760660887 CEST	443	49727	20.42.65.92	192.168.2.5
Sep 4, 2024 13:12:56.760746002 CEST	49727	443	192.168.2.5	20.42.65.92
Sep 4, 2024 13:12:56.761858940 CEST	49727	443	192.168.2.5	20.42.65.92
Sep 4, 2024 13:12:56.761873007 CEST	443	49727	20.42.65.92	192.168.2.5
Sep 4, 2024 13:12:57.327853918 CEST	443	49727	20.42.65.92	192.168.2.5
Sep 4, 2024 13:12:57.328037024 CEST	49727	443	192.168.2.5	20.42.65.92
Sep 4, 2024 13:12:57.408443928 CEST	49727	443	192.168.2.5	20.42.65.92
Sep 4, 2024 13:12:57.408485889 CEST	443	49727	20.42.65.92	192.168.2.5
Sep 4, 2024 13:12:57.408884048 CEST	443	49727	20.42.65.92	192.168.2.5
Sep 4, 2024 13:12:57.455702066 CEST	49727	443	192.168.2.5	20.42.65.92
Sep 4, 2024 13:12:57.467933893 CEST	49727	443	192.168.2.5	20.42.65.92
Sep 4, 2024 13:12:57.468777895 CEST	49727	443	192.168.2.5	20.42.65.92
Sep 4, 2024 13:12:58.826771975 CEST	49736	443	192.168.2.5	13.107.246.60
Sep 4, 2024 13:12:58.826822042 CEST	443	49736	13.107.246.60	192.168.2.5
Sep 4, 2024 13:12:58.826904058 CEST	49736	443	192.168.2.5	13.107.246.60
Sep 4, 2024 13:12:58.827183008 CEST	49736	443	192.168.2.5	13.107.246.60
Sep 4, 2024 13:12:58.827193975 CEST	443	49736	13.107.246.60	192.168.2.5
Sep 4, 2024 13:12:58.912059069 CEST	49737	443	192.168.2.5	13.107.246.60
Sep 4, 2024 13:12:58.912092924 CEST	443	49737	13.107.246.60	192.168.2.5
Sep 4, 2024 13:12:58.912157059 CEST	49737	443	192.168.2.5	13.107.246.60
Sep 4, 2024 13:12:58.912378073 CEST	49737	443	192.168.2.5	13.107.246.60
Sep 4, 2024 13:12:58.912389994 CEST	443	49737	13.107.246.60	192.168.2.5
Sep 4, 2024 13:12:59.346693039 CEST	49675	443	192.168.2.5	23.1.237.91
Sep 4, 2024 13:12:59.481057882 CEST	49674	443	192.168.2.5	23.1.237.91
Sep 4, 2024 13:12:59.505723000 CEST	443	49736	13.107.246.60	192.168.2.5
Sep 4, 2024 13:12:59.506246090 CEST	49736	443	192.168.2.5	13.107.246.60
Sep 4, 2024 13:12:59.506270885 CEST	443	49736	13.107.246.60	192.168.2.5
Sep 4, 2024 13:12:59.507334948 CEST	443	49736	13.107.246.60	192.168.2.5
Sep 4, 2024 13:12:59.507389069 CEST	49736	443	192.168.2.5	13.107.246.60
Sep 4, 2024 13:12:59.508831024 CEST	49736	443	192.168.2.5	13.107.246.60
Sep 4, 2024 13:12:59.508920908 CEST	443	49736	13.107.246.60	192.168.2.5
Sep 4, 2024 13:12:59.509385109 CEST	49736	443	192.168.2.5	13.107.246.60
Sep 4, 2024 13:12:59.509394884 CEST	443	49736	13.107.246.60	192.168.2.5
Sep 4, 2024 13:12:59.550117016 CEST	49673	443	192.168.2.5	23.1.237.91
Sep 4, 2024 13:12:59.550141096 CEST	49736	443	192.168.2.5	13.107.246.60
Sep 4, 2024 13:12:59.591743946 CEST	443	49737	13.107.246.60	192.168.2.5
Sep 4, 2024 13:12:59.642589092 CEST	49737	443	192.168.2.5	13.107.246.60
Sep 4, 2024 13:12:59.642602921 CEST	443	49737	13.107.246.60	192.168.2.5
Sep 4, 2024 13:12:59.643903017 CEST	443	49737	13.107.246.60	192.168.2.5
Sep 4, 2024 13:12:59.644030094 CEST	49737	443	192.168.2.5	13.107.246.60
Sep 4, 2024 13:12:59.667320967 CEST	49737	443	192.168.2.5	13.107.246.60
Sep 4, 2024 13:12:59.667438984 CEST	443	49737	13.107.246.60	192.168.2.5
Sep 4, 2024 13:12:59.667682886 CEST	49737	443	192.168.2.5	13.107.246.60
Sep 4, 2024 13:12:59.667695045 CEST	443	49737	13.107.246.60	192.168.2.5
Sep 4, 2024 13:12:59.670079947 CEST	443	49736	13.107.246.60	192.168.2.5
Sep 4, 2024 13:12:59.670101881 CEST	443	49736	13.107.246.60	192.168.2.5
Sep 4, 2024 13:12:59.670109987 CEST	443	49736	13.107.246.60	192.168.2.5
Sep 4, 2024 13:12:59.670137882 CEST	443	49736	13.107.246.60	192.168.2.5
Sep 4, 2024 13:12:59.670165062 CEST	443	49736	13.107.246.60	192.168.2.5
Sep 4, 2024 13:12:59.670263052 CEST	49736	443	192.168.2.5	13.107.246.60
Sep 4, 2024 13:12:59.670289993 CEST	443	49736	13.107.246.60	192.168.2.5
Sep 4, 2024 13:12:59.670420885 CEST	49736	443	192.168.2.5	13.107.246.60
Sep 4, 2024 13:12:59.751830101 CEST	443	49736	13.107.246.60	192.168.2.5
Sep 4, 2024 13:12:59.751852036 CEST	443	49736	13.107.246.60	192.168.2.5
Sep 4, 2024 13:12:59.751943111 CEST	49736	443	192.168.2.5	13.107.246.60
Sep 4, 2024 13:12:59.751977921 CEST	443	49736	13.107.246.60	192.168.2.5
Sep 4, 2024 13:12:59.751996994 CEST	49736	443	192.168.2.5	13.107.246.60
Sep 4, 2024 13:12:59.752024889 CEST	49736	443	192.168.2.5	13.107.246.60
Sep 4, 2024 13:12:59.761701107 CEST	443	49736	13.107.246.60	192.168.2.5
Sep 4, 2024 13:12:59.761718035 CEST	443	49736	13.107.246.60	192.168.2.5
Sep 4, 2024 13:12:59.761812925 CEST	49736	443	192.168.2.5	13.107.246.60
Sep 4, 2024 13:12:59.761821032 CEST	443	49736	13.107.246.60	192.168.2.5
Sep 4, 2024 13:12:59.761872053 CEST	49736	443	192.168.2.5	13.107.246.60
Sep 4, 2024 13:12:59.783833027 CEST	49737	443	192.168.2.5	13.107.246.60
Sep 4, 2024 13:12:59.843553066 CEST	443	49736	13.107.246.60	192.168.2.5
Sep 4, 2024 13:12:59.843575954 CEST	443	49736	13.107.246.60	192.168.2.5
Sep 4, 2024 13:12:59.843624115 CEST	443	49736	13.107.246.60	192.168.2.5
Sep 4, 2024 13:12:59.843702078 CEST	443	49736	13.107.246.60	192.168.2.5
Sep 4, 2024 13:12:59.843734026 CEST	49736	443	192.168.2.5	13.107.246.60
Sep 4, 2024 13:12:59.843801022 CEST	49736	443	192.168.2.5	13.107.246.60
Sep 4, 2024 13:12:59.897730112 CEST	443	49737	13.107.246.60	192.168.2.5
Sep 4, 2024 13:12:59.897763014 CEST	443	49737	13.107.246.60	192.168.2.5
Sep 4, 2024 13:12:59.897770882 CEST	443	49737	13.107.246.60	192.168.2.5
Sep 4, 2024 13:12:59.897797108 CEST	443	49737	13.107.246.60	192.168.2.5
Sep 4, 2024 13:12:59.897811890 CEST	443	49737	13.107.246.60	192.168.2.5
Sep 4, 2024 13:12:59.897819996 CEST	443	49737	13.107.246.60	192.168.2.5
Sep 4, 2024 13:12:59.897862911 CEST	49737	443	192.168.2.5	13.107.246.60
Sep 4, 2024 13:12:59.897886992 CEST	443	49737	13.107.246.60	192.168.2.5
Sep 4, 2024 13:12:59.897907019 CEST	443	49737	13.107.246.60	192.168.2.5
Sep 4, 2024 13:12:59.897923946 CEST	49737	443	192.168.2.5	13.107.246.60
Sep 4, 2024 13:12:59.897945881 CEST	49737	443	192.168.2.5	13.107.246.60
Sep 4, 2024 13:12:59.918997049 CEST	49737	443	192.168.2.5	13.107.246.60
Sep 4, 2024 13:12:59.919028044 CEST	443	49737	13.107.246.60	192.168.2.5
Sep 4, 2024 13:12:59.921080112 CEST	49736	443	192.168.2.5	13.107.246.60
Sep 4, 2024 13:12:59.921106100 CEST	443	49736	13.107.246.60	192.168.2.5
Sep 4, 2024 13:13:00.287254095 CEST	49743	443	192.168.2.5	184.28.90.27
Sep 4, 2024 13:13:00.287286997 CEST	443	49743	184.28.90.27	192.168.2.5
Sep 4, 2024 13:13:00.287415981 CEST	49743	443	192.168.2.5	184.28.90.27
Sep 4, 2024 13:13:00.289011955 CEST	49743	443	192.168.2.5	184.28.90.27
Sep 4, 2024 13:13:00.289021969 CEST	443	49743	184.28.90.27	192.168.2.5
Sep 4, 2024 13:13:00.435033083 CEST	49744	443	192.168.2.5	172.64.41.3
Sep 4, 2024 13:13:00.435077906 CEST	443	49744	172.64.41.3	192.168.2.5
Sep 4, 2024 13:13:00.435226917 CEST	49744	443	192.168.2.5	172.64.41.3
Sep 4, 2024 13:13:00.435550928 CEST	49744	443	192.168.2.5	172.64.41.3
Sep 4, 2024 13:13:00.435563087 CEST	443	49744	172.64.41.3	192.168.2.5
Sep 4, 2024 13:13:00.435834885 CEST	49745	443	192.168.2.5	162.159.61.3
Sep 4, 2024 13:13:00.435847044 CEST	443	49745	162.159.61.3	192.168.2.5
Sep 4, 2024 13:13:00.435933113 CEST	49745	443	192.168.2.5	162.159.61.3
Sep 4, 2024 13:13:00.436137915 CEST	49745	443	192.168.2.5	162.159.61.3
Sep 4, 2024 13:13:00.436146021 CEST	443	49745	162.159.61.3	192.168.2.5
Sep 4, 2024 13:13:00.436785936 CEST	49746	443	192.168.2.5	162.159.61.3
Sep 4, 2024 13:13:00.436799049 CEST	443	49746	162.159.61.3	192.168.2.5
Sep 4, 2024 13:13:00.436992884 CEST	49746	443	192.168.2.5	162.159.61.3
Sep 4, 2024 13:13:00.437091112 CEST	49747	443	192.168.2.5	172.64.41.3
Sep 4, 2024 13:13:00.437097073 CEST	443	49747	172.64.41.3	192.168.2.5
Sep 4, 2024 13:13:00.437138081 CEST	49747	443	192.168.2.5	172.64.41.3
Sep 4, 2024 13:13:00.437283993 CEST	49746	443	192.168.2.5	162.159.61.3
Sep 4, 2024 13:13:00.437295914 CEST	443	49746	162.159.61.3	192.168.2.5
Sep 4, 2024 13:13:00.437431097 CEST	49747	443	192.168.2.5	172.64.41.3
Sep 4, 2024 13:13:00.437439919 CEST	443	49747	172.64.41.3	192.168.2.5
Sep 4, 2024 13:13:00.486038923 CEST	49748	443	192.168.2.5	172.64.41.3
Sep 4, 2024 13:13:00.486063004 CEST	443	49748	172.64.41.3	192.168.2.5
Sep 4, 2024 13:13:00.486110926 CEST	49748	443	192.168.2.5	172.64.41.3
Sep 4, 2024 13:13:00.486671925 CEST	49748	443	192.168.2.5	172.64.41.3
Sep 4, 2024 13:13:00.486681938 CEST	443	49748	172.64.41.3	192.168.2.5
Sep 4, 2024 13:13:00.906254053 CEST	443	49746	162.159.61.3	192.168.2.5
Sep 4, 2024 13:13:00.906470060 CEST	49746	443	192.168.2.5	162.159.61.3
Sep 4, 2024 13:13:00.906493902 CEST	443	49746	162.159.61.3	192.168.2.5
Sep 4, 2024 13:13:00.907824993 CEST	443	49746	162.159.61.3	192.168.2.5
Sep 4, 2024 13:13:00.907890081 CEST	49746	443	192.168.2.5	162.159.61.3
Sep 4, 2024 13:13:00.908252954 CEST	443	49745	162.159.61.3	192.168.2.5
Sep 4, 2024 13:13:00.908591032 CEST	49745	443	192.168.2.5	162.159.61.3
Sep 4, 2024 13:13:00.908597946 CEST	443	49745	162.159.61.3	192.168.2.5
Sep 4, 2024 13:13:00.908633947 CEST	443	49744	172.64.41.3	192.168.2.5
Sep 4, 2024 13:13:00.908961058 CEST	49744	443	192.168.2.5	172.64.41.3
Sep 4, 2024 13:13:00.908968925 CEST	443	49744	172.64.41.3	192.168.2.5
Sep 4, 2024 13:13:00.909074068 CEST	49746	443	192.168.2.5	162.159.61.3
Sep 4, 2024 13:13:00.909226894 CEST	443	49746	162.159.61.3	192.168.2.5
Sep 4, 2024 13:13:00.909235954 CEST	443	49747	172.64.41.3	192.168.2.5
Sep 4, 2024 13:13:00.909446955 CEST	49746	443	192.168.2.5	162.159.61.3
Sep 4, 2024 13:13:00.909452915 CEST	443	49746	162.159.61.3	192.168.2.5
Sep 4, 2024 13:13:00.909648895 CEST	49747	443	192.168.2.5	172.64.41.3
Sep 4, 2024 13:13:00.909655094 CEST	443	49747	172.64.41.3	192.168.2.5
Sep 4, 2024 13:13:00.909904003 CEST	443	49745	162.159.61.3	192.168.2.5
Sep 4, 2024 13:13:00.909972906 CEST	49745	443	192.168.2.5	162.159.61.3
Sep 4, 2024 13:13:00.909998894 CEST	443	49744	172.64.41.3	192.168.2.5
Sep 4, 2024 13:13:00.910044909 CEST	49744	443	192.168.2.5	172.64.41.3
Sep 4, 2024 13:13:00.910954952 CEST	49745	443	192.168.2.5	162.159.61.3
Sep 4, 2024 13:13:00.911020994 CEST	443	49745	162.159.61.3	192.168.2.5
Sep 4, 2024 13:13:00.911355019 CEST	49744	443	192.168.2.5	172.64.41.3
Sep 4, 2024 13:13:00.911415100 CEST	443	49744	172.64.41.3	192.168.2.5
Sep 4, 2024 13:13:00.911509037 CEST	49745	443	192.168.2.5	162.159.61.3
Sep 4, 2024 13:13:00.911514044 CEST	443	49745	162.159.61.3	192.168.2.5
Sep 4, 2024 13:13:00.911621094 CEST	49744	443	192.168.2.5	172.64.41.3
Sep 4, 2024 13:13:00.911626101 CEST	443	49744	172.64.41.3	192.168.2.5
Sep 4, 2024 13:13:00.911720991 CEST	443	49747	172.64.41.3	192.168.2.5
Sep 4, 2024 13:13:00.911777020 CEST	49747	443	192.168.2.5	172.64.41.3
Sep 4, 2024 13:13:00.912749052 CEST	49747	443	192.168.2.5	172.64.41.3
Sep 4, 2024 13:13:00.912885904 CEST	443	49747	172.64.41.3	192.168.2.5
Sep 4, 2024 13:13:00.913013935 CEST	49747	443	192.168.2.5	172.64.41.3
Sep 4, 2024 13:13:00.913019896 CEST	443	49747	172.64.41.3	192.168.2.5
Sep 4, 2024 13:13:00.945141077 CEST	443	49748	172.64.41.3	192.168.2.5
Sep 4, 2024 13:13:00.945374966 CEST	49748	443	192.168.2.5	172.64.41.3
Sep 4, 2024 13:13:00.945383072 CEST	443	49748	172.64.41.3	192.168.2.5
Sep 4, 2024 13:13:00.947170973 CEST	443	49748	172.64.41.3	192.168.2.5
Sep 4, 2024 13:13:00.947223902 CEST	49748	443	192.168.2.5	172.64.41.3
Sep 4, 2024 13:13:00.948117018 CEST	49748	443	192.168.2.5	172.64.41.3
Sep 4, 2024 13:13:00.948170900 CEST	443	49748	172.64.41.3	192.168.2.5
Sep 4, 2024 13:13:00.948277950 CEST	49748	443	192.168.2.5	172.64.41.3
Sep 4, 2024 13:13:00.948282957 CEST	443	49748	172.64.41.3	192.168.2.5
Sep 4, 2024 13:13:00.949451923 CEST	443	49743	184.28.90.27	192.168.2.5
Sep 4, 2024 13:13:00.949528933 CEST	49743	443	192.168.2.5	184.28.90.27
Sep 4, 2024 13:13:00.951195002 CEST	49743	443	192.168.2.5	184.28.90.27
Sep 4, 2024 13:13:00.951206923 CEST	443	49743	184.28.90.27	192.168.2.5
Sep 4, 2024 13:13:00.951441050 CEST	443	49743	184.28.90.27	192.168.2.5
Sep 4, 2024 13:13:00.987312078 CEST	49745	443	192.168.2.5	162.159.61.3
Sep 4, 2024 13:13:00.987312078 CEST	49747	443	192.168.2.5	172.64.41.3
Sep 4, 2024 13:13:00.995332003 CEST	49743	443	192.168.2.5	184.28.90.27
Sep 4, 2024 13:13:01.027988911 CEST	443	49745	162.159.61.3	192.168.2.5
Sep 4, 2024 13:13:01.028060913 CEST	443	49745	162.159.61.3	192.168.2.5
Sep 4, 2024 13:13:01.028119087 CEST	49745	443	192.168.2.5	162.159.61.3
Sep 4, 2024 13:13:01.028426886 CEST	49745	443	192.168.2.5	162.159.61.3
Sep 4, 2024 13:13:01.028450012 CEST	443	49745	162.159.61.3	192.168.2.5
Sep 4, 2024 13:13:01.028774977 CEST	443	49744	172.64.41.3	192.168.2.5
Sep 4, 2024 13:13:01.028784990 CEST	443	49746	162.159.61.3	192.168.2.5
Sep 4, 2024 13:13:01.028830051 CEST	49744	443	192.168.2.5	172.64.41.3
Sep 4, 2024 13:13:01.028990030 CEST	49746	443	192.168.2.5	162.159.61.3
Sep 4, 2024 13:13:01.028990030 CEST	49746	443	192.168.2.5	162.159.61.3
Sep 4, 2024 13:13:01.029134989 CEST	49744	443	192.168.2.5	172.64.41.3
Sep 4, 2024 13:13:01.029139042 CEST	443	49744	172.64.41.3	192.168.2.5
Sep 4, 2024 13:13:01.036516905 CEST	443	49743	184.28.90.27	192.168.2.5
Sep 4, 2024 13:13:01.044039965 CEST	443	49747	172.64.41.3	192.168.2.5
Sep 4, 2024 13:13:01.044158936 CEST	443	49747	172.64.41.3	192.168.2.5
Sep 4, 2024 13:13:01.044210911 CEST	49747	443	192.168.2.5	172.64.41.3
Sep 4, 2024 13:13:01.044271946 CEST	49747	443	192.168.2.5	172.64.41.3
Sep 4, 2024 13:13:01.044284105 CEST	443	49747	172.64.41.3	192.168.2.5
Sep 4, 2024 13:13:01.080574989 CEST	443	49748	172.64.41.3	192.168.2.5
Sep 4, 2024 13:13:01.080662966 CEST	49748	443	192.168.2.5	172.64.41.3
Sep 4, 2024 13:13:01.080852985 CEST	49748	443	192.168.2.5	172.64.41.3
Sep 4, 2024 13:13:01.080866098 CEST	443	49748	172.64.41.3	192.168.2.5
Sep 4, 2024 13:13:01.130000114 CEST	443	49704	23.1.237.91	192.168.2.5
Sep 4, 2024 13:13:01.130112886 CEST	49704	443	192.168.2.5	23.1.237.91
Sep 4, 2024 13:13:01.223418951 CEST	443	49743	184.28.90.27	192.168.2.5
Sep 4, 2024 13:13:01.223494053 CEST	443	49743	184.28.90.27	192.168.2.5
Sep 4, 2024 13:13:01.223625898 CEST	49743	443	192.168.2.5	184.28.90.27
Sep 4, 2024 13:13:01.233248949 CEST	49743	443	192.168.2.5	184.28.90.27
Sep 4, 2024 13:13:01.233268023 CEST	443	49743	184.28.90.27	192.168.2.5
Sep 4, 2024 13:13:01.233297110 CEST	49743	443	192.168.2.5	184.28.90.27
Sep 4, 2024 13:13:01.233303070 CEST	443	49743	184.28.90.27	192.168.2.5
Sep 4, 2024 13:13:01.272804976 CEST	49749	443	192.168.2.5	184.28.90.27
Sep 4, 2024 13:13:01.272855997 CEST	443	49749	184.28.90.27	192.168.2.5
Sep 4, 2024 13:13:01.272989988 CEST	49749	443	192.168.2.5	184.28.90.27
Sep 4, 2024 13:13:01.273200989 CEST	49749	443	192.168.2.5	184.28.90.27
Sep 4, 2024 13:13:01.273211956 CEST	443	49749	184.28.90.27	192.168.2.5
Sep 4, 2024 13:13:01.330771923 CEST	49746	443	192.168.2.5	162.159.61.3
Sep 4, 2024 13:13:01.330816984 CEST	443	49746	162.159.61.3	192.168.2.5
Sep 4, 2024 13:13:01.753539085 CEST	49750	443	192.168.2.5	162.159.61.3
Sep 4, 2024 13:13:01.753590107 CEST	443	49750	162.159.61.3	192.168.2.5
Sep 4, 2024 13:13:01.753822088 CEST	49750	443	192.168.2.5	162.159.61.3
Sep 4, 2024 13:13:01.754055977 CEST	49751	443	192.168.2.5	162.159.61.3
Sep 4, 2024 13:13:01.754081011 CEST	443	49751	162.159.61.3	192.168.2.5
Sep 4, 2024 13:13:01.754261017 CEST	49750	443	192.168.2.5	162.159.61.3
Sep 4, 2024 13:13:01.754282951 CEST	443	49750	162.159.61.3	192.168.2.5
Sep 4, 2024 13:13:01.754322052 CEST	49751	443	192.168.2.5	162.159.61.3
Sep 4, 2024 13:13:01.754501104 CEST	49751	443	192.168.2.5	162.159.61.3
Sep 4, 2024 13:13:01.754509926 CEST	443	49751	162.159.61.3	192.168.2.5
Sep 4, 2024 13:13:01.931526899 CEST	443	49749	184.28.90.27	192.168.2.5
Sep 4, 2024 13:13:01.931617022 CEST	49749	443	192.168.2.5	184.28.90.27
Sep 4, 2024 13:13:01.933545113 CEST	49749	443	192.168.2.5	184.28.90.27
Sep 4, 2024 13:13:01.933558941 CEST	443	49749	184.28.90.27	192.168.2.5
Sep 4, 2024 13:13:01.933806896 CEST	443	49749	184.28.90.27	192.168.2.5
Sep 4, 2024 13:13:01.935328960 CEST	49749	443	192.168.2.5	184.28.90.27
Sep 4, 2024 13:13:01.980499029 CEST	443	49749	184.28.90.27	192.168.2.5
Sep 4, 2024 13:13:02.208378077 CEST	443	49750	162.159.61.3	192.168.2.5
Sep 4, 2024 13:13:02.211559057 CEST	443	49749	184.28.90.27	192.168.2.5
Sep 4, 2024 13:13:02.211617947 CEST	443	49749	184.28.90.27	192.168.2.5
Sep 4, 2024 13:13:02.211853027 CEST	49749	443	192.168.2.5	184.28.90.27
Sep 4, 2024 13:13:02.216651917 CEST	443	49751	162.159.61.3	192.168.2.5
Sep 4, 2024 13:13:02.252475023 CEST	49750	443	192.168.2.5	162.159.61.3
Sep 4, 2024 13:13:02.267748117 CEST	49751	443	192.168.2.5	162.159.61.3
Sep 4, 2024 13:13:02.394228935 CEST	49751	443	192.168.2.5	162.159.61.3
Sep 4, 2024 13:13:02.394246101 CEST	443	49751	162.159.61.3	192.168.2.5
Sep 4, 2024 13:13:02.394360065 CEST	49750	443	192.168.2.5	162.159.61.3
Sep 4, 2024 13:13:02.394368887 CEST	443	49750	162.159.61.3	192.168.2.5
Sep 4, 2024 13:13:02.394790888 CEST	443	49751	162.159.61.3	192.168.2.5
Sep 4, 2024 13:13:02.394855976 CEST	443	49750	162.159.61.3	192.168.2.5
Sep 4, 2024 13:13:02.417582035 CEST	49751	443	192.168.2.5	162.159.61.3
Sep 4, 2024 13:13:02.417675018 CEST	443	49751	162.159.61.3	192.168.2.5
Sep 4, 2024 13:13:02.417988062 CEST	49750	443	192.168.2.5	162.159.61.3
Sep 4, 2024 13:13:02.418092012 CEST	443	49750	162.159.61.3	192.168.2.5
Sep 4, 2024 13:13:02.460262060 CEST	49750	443	192.168.2.5	162.159.61.3
Sep 4, 2024 13:13:02.460262060 CEST	49751	443	192.168.2.5	162.159.61.3
Sep 4, 2024 13:13:02.530848026 CEST	49749	443	192.168.2.5	184.28.90.27
Sep 4, 2024 13:13:02.530848026 CEST	49749	443	192.168.2.5	184.28.90.27
Sep 4, 2024 13:13:02.530868053 CEST	443	49749	184.28.90.27	192.168.2.5
Sep 4, 2024 13:13:02.530879021 CEST	443	49749	184.28.90.27	192.168.2.5
Sep 4, 2024 13:13:02.606369019 CEST	49752	443	192.168.2.5	142.251.40.110
Sep 4, 2024 13:13:02.606403112 CEST	443	49752	142.251.40.110	192.168.2.5
Sep 4, 2024 13:13:02.606570959 CEST	49752	443	192.168.2.5	142.251.40.110
Sep 4, 2024 13:13:02.606643915 CEST	49753	443	192.168.2.5	142.251.40.110
Sep 4, 2024 13:13:02.606678009 CEST	443	49753	142.251.40.110	192.168.2.5
Sep 4, 2024 13:13:02.607247114 CEST	49752	443	192.168.2.5	142.251.40.110
Sep 4, 2024 13:13:02.607259035 CEST	443	49752	142.251.40.110	192.168.2.5
Sep 4, 2024 13:13:02.607296944 CEST	49753	443	192.168.2.5	142.251.40.110
Sep 4, 2024 13:13:02.607844114 CEST	49753	443	192.168.2.5	142.251.40.110
Sep 4, 2024 13:13:02.607853889 CEST	443	49753	142.251.40.110	192.168.2.5
Sep 4, 2024 13:13:02.849575043 CEST	49754	443	192.168.2.5	142.250.65.196
Sep 4, 2024 13:13:02.849621058 CEST	443	49754	142.250.65.196	192.168.2.5
Sep 4, 2024 13:13:02.849697113 CEST	49754	443	192.168.2.5	142.250.65.196
Sep 4, 2024 13:13:02.849900007 CEST	49754	443	192.168.2.5	142.250.65.196
Sep 4, 2024 13:13:02.849915981 CEST	443	49754	142.250.65.196	192.168.2.5
Sep 4, 2024 13:13:03.080935955 CEST	443	49753	142.251.40.110	192.168.2.5
Sep 4, 2024 13:13:03.081207991 CEST	49753	443	192.168.2.5	142.251.40.110
Sep 4, 2024 13:13:03.081229925 CEST	443	49753	142.251.40.110	192.168.2.5
Sep 4, 2024 13:13:03.081644058 CEST	443	49753	142.251.40.110	192.168.2.5
Sep 4, 2024 13:13:03.081697941 CEST	49753	443	192.168.2.5	142.251.40.110
Sep 4, 2024 13:13:03.082632065 CEST	443	49753	142.251.40.110	192.168.2.5
Sep 4, 2024 13:13:03.082680941 CEST	49753	443	192.168.2.5	142.251.40.110
Sep 4, 2024 13:13:03.082802057 CEST	443	49752	142.251.40.110	192.168.2.5
Sep 4, 2024 13:13:03.083220005 CEST	49752	443	192.168.2.5	142.251.40.110
Sep 4, 2024 13:13:03.083234072 CEST	443	49752	142.251.40.110	192.168.2.5
Sep 4, 2024 13:13:03.083612919 CEST	443	49752	142.251.40.110	192.168.2.5
Sep 4, 2024 13:13:03.083668947 CEST	49752	443	192.168.2.5	142.251.40.110
Sep 4, 2024 13:13:03.084127903 CEST	49753	443	192.168.2.5	142.251.40.110
Sep 4, 2024 13:13:03.084203959 CEST	443	49753	142.251.40.110	192.168.2.5
Sep 4, 2024 13:13:03.084320068 CEST	443	49752	142.251.40.110	192.168.2.5
Sep 4, 2024 13:13:03.084372044 CEST	49752	443	192.168.2.5	142.251.40.110
Sep 4, 2024 13:13:03.084527016 CEST	49752	443	192.168.2.5	142.251.40.110
Sep 4, 2024 13:13:03.084585905 CEST	443	49752	142.251.40.110	192.168.2.5
Sep 4, 2024 13:13:03.084676981 CEST	49753	443	192.168.2.5	142.251.40.110
Sep 4, 2024 13:13:03.084683895 CEST	443	49753	142.251.40.110	192.168.2.5
Sep 4, 2024 13:13:03.085011005 CEST	49752	443	192.168.2.5	142.251.40.110
Sep 4, 2024 13:13:03.085017920 CEST	443	49752	142.251.40.110	192.168.2.5
Sep 4, 2024 13:13:03.128621101 CEST	49752	443	192.168.2.5	142.251.40.110
Sep 4, 2024 13:13:03.128689051 CEST	49753	443	192.168.2.5	142.251.40.110
Sep 4, 2024 13:13:03.206969023 CEST	443	49753	142.251.40.110	192.168.2.5
Sep 4, 2024 13:13:03.207381010 CEST	443	49753	142.251.40.110	192.168.2.5
Sep 4, 2024 13:13:03.207432985 CEST	49753	443	192.168.2.5	142.251.40.110
Sep 4, 2024 13:13:03.207734108 CEST	49753	443	192.168.2.5	142.251.40.110
Sep 4, 2024 13:13:03.207756042 CEST	443	49753	142.251.40.110	192.168.2.5
Sep 4, 2024 13:13:03.207766056 CEST	49753	443	192.168.2.5	142.251.40.110
Sep 4, 2024 13:13:03.207804918 CEST	49753	443	192.168.2.5	142.251.40.110
Sep 4, 2024 13:13:03.211991072 CEST	443	49752	142.251.40.110	192.168.2.5
Sep 4, 2024 13:13:03.212361097 CEST	443	49752	142.251.40.110	192.168.2.5
Sep 4, 2024 13:13:03.212413073 CEST	49752	443	192.168.2.5	142.251.40.110
Sep 4, 2024 13:13:03.212454081 CEST	49752	443	192.168.2.5	142.251.40.110
Sep 4, 2024 13:13:03.212467909 CEST	443	49752	142.251.40.110	192.168.2.5
Sep 4, 2024 13:13:03.212485075 CEST	49752	443	192.168.2.5	142.251.40.110
Sep 4, 2024 13:13:03.212510109 CEST	49752	443	192.168.2.5	142.251.40.110
Sep 4, 2024 13:13:03.339864969 CEST	443	49754	142.250.65.196	192.168.2.5
Sep 4, 2024 13:13:03.340121984 CEST	49754	443	192.168.2.5	142.250.65.196
Sep 4, 2024 13:13:03.340151072 CEST	443	49754	142.250.65.196	192.168.2.5
Sep 4, 2024 13:13:03.341351986 CEST	443	49754	142.250.65.196	192.168.2.5
Sep 4, 2024 13:13:03.341411114 CEST	49754	443	192.168.2.5	142.250.65.196
Sep 4, 2024 13:13:03.342839003 CEST	49754	443	192.168.2.5	142.250.65.196
Sep 4, 2024 13:13:03.342920065 CEST	443	49754	142.250.65.196	192.168.2.5
Sep 4, 2024 13:13:03.343317986 CEST	49754	443	192.168.2.5	142.250.65.196
Sep 4, 2024 13:13:03.343324900 CEST	443	49754	142.250.65.196	192.168.2.5
Sep 4, 2024 13:13:03.383927107 CEST	49754	443	192.168.2.5	142.250.65.196
Sep 4, 2024 13:13:03.448972940 CEST	443	49754	142.250.65.196	192.168.2.5
Sep 4, 2024 13:13:03.449014902 CEST	443	49754	142.250.65.196	192.168.2.5
Sep 4, 2024 13:13:03.449048042 CEST	443	49754	142.250.65.196	192.168.2.5
Sep 4, 2024 13:13:03.449062109 CEST	49754	443	192.168.2.5	142.250.65.196
Sep 4, 2024 13:13:03.449084044 CEST	443	49754	142.250.65.196	192.168.2.5
Sep 4, 2024 13:13:03.449126959 CEST	49754	443	192.168.2.5	142.250.65.196
Sep 4, 2024 13:13:03.449134111 CEST	443	49754	142.250.65.196	192.168.2.5
Sep 4, 2024 13:13:03.449193954 CEST	443	49754	142.250.65.196	192.168.2.5
Sep 4, 2024 13:13:03.449235916 CEST	49754	443	192.168.2.5	142.250.65.196
Sep 4, 2024 13:13:03.471509933 CEST	49754	443	192.168.2.5	142.250.65.196
Sep 4, 2024 13:13:03.471529961 CEST	443	49754	142.250.65.196	192.168.2.5
Sep 4, 2024 13:13:03.542299032 CEST	49755	443	192.168.2.5	142.251.40.110
Sep 4, 2024 13:13:03.542331934 CEST	443	49755	142.251.40.110	192.168.2.5
Sep 4, 2024 13:13:03.542395115 CEST	49755	443	192.168.2.5	142.251.40.110
Sep 4, 2024 13:13:03.542612076 CEST	49756	443	192.168.2.5	142.251.40.110
Sep 4, 2024 13:13:03.542655945 CEST	443	49756	142.251.40.110	192.168.2.5
Sep 4, 2024 13:13:03.542710066 CEST	49756	443	192.168.2.5	142.251.40.110
Sep 4, 2024 13:13:03.542872906 CEST	49755	443	192.168.2.5	142.251.40.110
Sep 4, 2024 13:13:03.542885065 CEST	443	49755	142.251.40.110	192.168.2.5
Sep 4, 2024 13:13:03.543282032 CEST	49756	443	192.168.2.5	142.251.40.110
Sep 4, 2024 13:13:03.543296099 CEST	443	49756	142.251.40.110	192.168.2.5
Sep 4, 2024 13:13:04.005068064 CEST	443	49756	142.251.40.110	192.168.2.5
Sep 4, 2024 13:13:04.005121946 CEST	443	49755	142.251.40.110	192.168.2.5
Sep 4, 2024 13:13:04.005332947 CEST	49756	443	192.168.2.5	142.251.40.110
Sep 4, 2024 13:13:04.005357027 CEST	443	49756	142.251.40.110	192.168.2.5
Sep 4, 2024 13:13:04.005600929 CEST	49755	443	192.168.2.5	142.251.40.110
Sep 4, 2024 13:13:04.005613089 CEST	443	49755	142.251.40.110	192.168.2.5
Sep 4, 2024 13:13:04.005757093 CEST	443	49756	142.251.40.110	192.168.2.5
Sep 4, 2024 13:13:04.005832911 CEST	49756	443	192.168.2.5	142.251.40.110
Sep 4, 2024 13:13:04.005985022 CEST	443	49755	142.251.40.110	192.168.2.5
Sep 4, 2024 13:13:04.006092072 CEST	49755	443	192.168.2.5	142.251.40.110
Sep 4, 2024 13:13:04.006484985 CEST	443	49756	142.251.40.110	192.168.2.5
Sep 4, 2024 13:13:04.006596088 CEST	49756	443	192.168.2.5	142.251.40.110
Sep 4, 2024 13:13:04.006714106 CEST	443	49755	142.251.40.110	192.168.2.5
Sep 4, 2024 13:13:04.006743908 CEST	49756	443	192.168.2.5	142.251.40.110
Sep 4, 2024 13:13:04.006772041 CEST	49755	443	192.168.2.5	142.251.40.110
Sep 4, 2024 13:13:04.006813049 CEST	443	49756	142.251.40.110	192.168.2.5
Sep 4, 2024 13:13:04.006973028 CEST	49755	443	192.168.2.5	142.251.40.110
Sep 4, 2024 13:13:04.007030010 CEST	443	49755	142.251.40.110	192.168.2.5
Sep 4, 2024 13:13:04.049515963 CEST	49756	443	192.168.2.5	142.251.40.110
Sep 4, 2024 13:13:04.049516916 CEST	49755	443	192.168.2.5	142.251.40.110
Sep 4, 2024 13:13:04.049524069 CEST	443	49756	142.251.40.110	192.168.2.5
Sep 4, 2024 13:13:04.049525023 CEST	443	49755	142.251.40.110	192.168.2.5
Sep 4, 2024 13:13:04.096260071 CEST	49756	443	192.168.2.5	142.251.40.110
Sep 4, 2024 13:13:04.096267939 CEST	49755	443	192.168.2.5	142.251.40.110
Sep 4, 2024 13:13:10.152787924 CEST	49757	443	192.168.2.5	20.12.23.50
Sep 4, 2024 13:13:10.152816057 CEST	443	49757	20.12.23.50	192.168.2.5
Sep 4, 2024 13:13:10.152911901 CEST	49757	443	192.168.2.5	20.12.23.50
Sep 4, 2024 13:13:10.154520035 CEST	49757	443	192.168.2.5	20.12.23.50
Sep 4, 2024 13:13:10.154531002 CEST	443	49757	20.12.23.50	192.168.2.5
Sep 4, 2024 13:13:10.747766018 CEST	443	49757	20.12.23.50	192.168.2.5
Sep 4, 2024 13:13:10.747849941 CEST	49757	443	192.168.2.5	20.12.23.50
Sep 4, 2024 13:13:10.749944925 CEST	49757	443	192.168.2.5	20.12.23.50
Sep 4, 2024 13:13:10.749957085 CEST	443	49757	20.12.23.50	192.168.2.5
Sep 4, 2024 13:13:10.750271082 CEST	443	49757	20.12.23.50	192.168.2.5
Sep 4, 2024 13:13:10.799550056 CEST	49757	443	192.168.2.5	20.12.23.50
Sep 4, 2024 13:13:10.822762012 CEST	49757	443	192.168.2.5	20.12.23.50
Sep 4, 2024 13:13:10.864507914 CEST	443	49757	20.12.23.50	192.168.2.5
Sep 4, 2024 13:13:11.014003992 CEST	443	49757	20.12.23.50	192.168.2.5
Sep 4, 2024 13:13:11.014031887 CEST	443	49757	20.12.23.50	192.168.2.5
Sep 4, 2024 13:13:11.014039040 CEST	443	49757	20.12.23.50	192.168.2.5
Sep 4, 2024 13:13:11.014049053 CEST	443	49757	20.12.23.50	192.168.2.5
Sep 4, 2024 13:13:11.014075041 CEST	443	49757	20.12.23.50	192.168.2.5
Sep 4, 2024 13:13:11.014110088 CEST	49757	443	192.168.2.5	20.12.23.50
Sep 4, 2024 13:13:11.014139891 CEST	443	49757	20.12.23.50	192.168.2.5
Sep 4, 2024 13:13:11.014162064 CEST	49757	443	192.168.2.5	20.12.23.50
Sep 4, 2024 13:13:11.014167070 CEST	443	49757	20.12.23.50	192.168.2.5
Sep 4, 2024 13:13:11.014219046 CEST	49757	443	192.168.2.5	20.12.23.50
Sep 4, 2024 13:13:11.014621973 CEST	443	49757	20.12.23.50	192.168.2.5
Sep 4, 2024 13:13:11.014676094 CEST	443	49757	20.12.23.50	192.168.2.5
Sep 4, 2024 13:13:11.014719963 CEST	49757	443	192.168.2.5	20.12.23.50
Sep 4, 2024 13:13:11.031847000 CEST	49757	443	192.168.2.5	20.12.23.50
Sep 4, 2024 13:13:11.031868935 CEST	443	49757	20.12.23.50	192.168.2.5
Sep 4, 2024 13:13:11.031888008 CEST	49757	443	192.168.2.5	20.12.23.50
Sep 4, 2024 13:13:11.031893015 CEST	443	49757	20.12.23.50	192.168.2.5
Sep 4, 2024 13:13:11.457350016 CEST	49704	443	192.168.2.5	23.1.237.91
Sep 4, 2024 13:13:11.457690001 CEST	49704	443	192.168.2.5	23.1.237.91
Sep 4, 2024 13:13:11.458061934 CEST	49759	443	192.168.2.5	23.1.237.91
Sep 4, 2024 13:13:11.458091021 CEST	443	49759	23.1.237.91	192.168.2.5
Sep 4, 2024 13:13:11.458159924 CEST	49759	443	192.168.2.5	23.1.237.91
Sep 4, 2024 13:13:11.458411932 CEST	49759	443	192.168.2.5	23.1.237.91
Sep 4, 2024 13:13:11.458426952 CEST	443	49759	23.1.237.91	192.168.2.5
Sep 4, 2024 13:13:11.462155104 CEST	443	49704	23.1.237.91	192.168.2.5
Sep 4, 2024 13:13:11.462445021 CEST	443	49704	23.1.237.91	192.168.2.5
Sep 4, 2024 13:13:12.046158075 CEST	443	49759	23.1.237.91	192.168.2.5
Sep 4, 2024 13:13:12.046593904 CEST	49759	443	192.168.2.5	23.1.237.91
Sep 4, 2024 13:13:14.124747992 CEST	49759	443	192.168.2.5	23.1.237.91
Sep 4, 2024 13:13:14.124779940 CEST	443	49759	23.1.237.91	192.168.2.5
Sep 4, 2024 13:13:14.125175953 CEST	443	49759	23.1.237.91	192.168.2.5
Sep 4, 2024 13:13:14.125708103 CEST	49759	443	192.168.2.5	23.1.237.91
Sep 4, 2024 13:13:14.126348019 CEST	49759	443	192.168.2.5	23.1.237.91
Sep 4, 2024 13:13:14.126383066 CEST	443	49759	23.1.237.91	192.168.2.5
Sep 4, 2024 13:13:14.126728058 CEST	49759	443	192.168.2.5	23.1.237.91
Sep 4, 2024 13:13:14.126737118 CEST	443	49759	23.1.237.91	192.168.2.5
Sep 4, 2024 13:13:14.393106937 CEST	443	49759	23.1.237.91	192.168.2.5
Sep 4, 2024 13:13:14.393224001 CEST	443	49759	23.1.237.91	192.168.2.5
Sep 4, 2024 13:13:14.393313885 CEST	49759	443	192.168.2.5	23.1.237.91
Sep 4, 2024 13:13:14.393313885 CEST	49759	443	192.168.2.5	23.1.237.91
Sep 4, 2024 13:13:17.116450071 CEST	443	49750	162.159.61.3	192.168.2.5
Sep 4, 2024 13:13:17.116556883 CEST	443	49750	162.159.61.3	192.168.2.5
Sep 4, 2024 13:13:17.116688013 CEST	49750	443	192.168.2.5	162.159.61.3
Sep 4, 2024 13:13:17.124002934 CEST	443	49751	162.159.61.3	192.168.2.5
Sep 4, 2024 13:13:17.124089956 CEST	443	49751	162.159.61.3	192.168.2.5
Sep 4, 2024 13:13:17.124176025 CEST	49751	443	192.168.2.5	162.159.61.3
Sep 4, 2024 13:13:44.018435955 CEST	49710	80	192.168.2.5	199.232.210.172
Sep 4, 2024 13:13:44.023961067 CEST	80	49710	199.232.210.172	192.168.2.5
Sep 4, 2024 13:13:44.024041891 CEST	49710	80	192.168.2.5	199.232.210.172
Sep 4, 2024 13:13:47.619926929 CEST	49760	443	192.168.2.5	20.12.23.50
Sep 4, 2024 13:13:47.619972944 CEST	443	49760	20.12.23.50	192.168.2.5
Sep 4, 2024 13:13:47.620054007 CEST	49760	443	192.168.2.5	20.12.23.50
Sep 4, 2024 13:13:47.620536089 CEST	49760	443	192.168.2.5	20.12.23.50
Sep 4, 2024 13:13:47.620547056 CEST	443	49760	20.12.23.50	192.168.2.5
Sep 4, 2024 13:13:48.205380917 CEST	443	49760	20.12.23.50	192.168.2.5
Sep 4, 2024 13:13:48.205533981 CEST	49760	443	192.168.2.5	20.12.23.50
Sep 4, 2024 13:13:48.208642006 CEST	49760	443	192.168.2.5	20.12.23.50
Sep 4, 2024 13:13:48.208662033 CEST	443	49760	20.12.23.50	192.168.2.5
Sep 4, 2024 13:13:48.208906889 CEST	443	49760	20.12.23.50	192.168.2.5
Sep 4, 2024 13:13:48.209999084 CEST	49760	443	192.168.2.5	20.12.23.50
Sep 4, 2024 13:13:48.256500959 CEST	443	49760	20.12.23.50	192.168.2.5
Sep 4, 2024 13:13:48.409379959 CEST	443	49760	20.12.23.50	192.168.2.5
Sep 4, 2024 13:13:48.409404993 CEST	443	49760	20.12.23.50	192.168.2.5
Sep 4, 2024 13:13:48.409430981 CEST	443	49760	20.12.23.50	192.168.2.5
Sep 4, 2024 13:13:48.409601927 CEST	49760	443	192.168.2.5	20.12.23.50
Sep 4, 2024 13:13:48.409601927 CEST	49760	443	192.168.2.5	20.12.23.50
Sep 4, 2024 13:13:48.409616947 CEST	443	49760	20.12.23.50	192.168.2.5
Sep 4, 2024 13:13:48.409771919 CEST	49760	443	192.168.2.5	20.12.23.50
Sep 4, 2024 13:13:48.410363913 CEST	443	49760	20.12.23.50	192.168.2.5
Sep 4, 2024 13:13:48.410437107 CEST	49760	443	192.168.2.5	20.12.23.50
Sep 4, 2024 13:13:48.410437107 CEST	443	49760	20.12.23.50	192.168.2.5
Sep 4, 2024 13:13:48.410448074 CEST	443	49760	20.12.23.50	192.168.2.5
Sep 4, 2024 13:13:48.410499096 CEST	49760	443	192.168.2.5	20.12.23.50
Sep 4, 2024 13:13:48.410963058 CEST	443	49760	20.12.23.50	192.168.2.5
Sep 4, 2024 13:13:48.411005020 CEST	49760	443	192.168.2.5	20.12.23.50
Sep 4, 2024 13:13:48.411020994 CEST	443	49760	20.12.23.50	192.168.2.5
Sep 4, 2024 13:13:48.411067009 CEST	49760	443	192.168.2.5	20.12.23.50
Sep 4, 2024 13:13:48.419797897 CEST	49760	443	192.168.2.5	20.12.23.50
Sep 4, 2024 13:13:48.419814110 CEST	443	49760	20.12.23.50	192.168.2.5
Sep 4, 2024 13:13:48.419831038 CEST	49760	443	192.168.2.5	20.12.23.50
Sep 4, 2024 13:13:48.419836998 CEST	443	49760	20.12.23.50	192.168.2.5
Sep 4, 2024 13:13:49.065455914 CEST	49756	443	192.168.2.5	142.251.40.110
Sep 4, 2024 13:13:49.065464973 CEST	49755	443	192.168.2.5	142.251.40.110
Sep 4, 2024 13:13:49.065485954 CEST	443	49756	142.251.40.110	192.168.2.5
Sep 4, 2024 13:13:49.065486908 CEST	443	49755	142.251.40.110	192.168.2.5
Sep 4, 2024 13:13:53.929518938 CEST	49761	443	192.168.2.5	172.64.41.3
Sep 4, 2024 13:13:53.929580927 CEST	443	49761	172.64.41.3	192.168.2.5
Sep 4, 2024 13:13:53.929692984 CEST	49761	443	192.168.2.5	172.64.41.3
Sep 4, 2024 13:13:53.930301905 CEST	49762	443	192.168.2.5	172.64.41.3
Sep 4, 2024 13:13:53.930309057 CEST	443	49762	172.64.41.3	192.168.2.5
Sep 4, 2024 13:13:53.930367947 CEST	49762	443	192.168.2.5	172.64.41.3
Sep 4, 2024 13:13:53.930936098 CEST	49761	443	192.168.2.5	172.64.41.3
Sep 4, 2024 13:13:53.930948973 CEST	443	49761	172.64.41.3	192.168.2.5
Sep 4, 2024 13:13:53.931279898 CEST	49762	443	192.168.2.5	172.64.41.3
Sep 4, 2024 13:13:53.931292057 CEST	443	49762	172.64.41.3	192.168.2.5
Sep 4, 2024 13:13:54.387747049 CEST	443	49762	172.64.41.3	192.168.2.5
Sep 4, 2024 13:13:54.387871981 CEST	443	49761	172.64.41.3	192.168.2.5
Sep 4, 2024 13:13:54.388093948 CEST	49762	443	192.168.2.5	172.64.41.3
Sep 4, 2024 13:13:54.388129950 CEST	443	49762	172.64.41.3	192.168.2.5
Sep 4, 2024 13:13:54.388236046 CEST	49761	443	192.168.2.5	172.64.41.3
Sep 4, 2024 13:13:54.388242960 CEST	443	49761	172.64.41.3	192.168.2.5
Sep 4, 2024 13:13:54.388514042 CEST	443	49762	172.64.41.3	192.168.2.5
Sep 4, 2024 13:13:54.388606071 CEST	443	49761	172.64.41.3	192.168.2.5
Sep 4, 2024 13:13:54.388806105 CEST	49762	443	192.168.2.5	172.64.41.3
Sep 4, 2024 13:13:54.388886929 CEST	443	49762	172.64.41.3	192.168.2.5
Sep 4, 2024 13:13:54.389055967 CEST	49761	443	192.168.2.5	172.64.41.3
Sep 4, 2024 13:13:54.389204979 CEST	443	49761	172.64.41.3	192.168.2.5
Sep 4, 2024 13:13:54.440437078 CEST	49761	443	192.168.2.5	172.64.41.3
Sep 4, 2024 13:13:54.440485954 CEST	49762	443	192.168.2.5	172.64.41.3
Sep 4, 2024 13:13:57.107364893 CEST	49764	443	192.168.2.5	162.159.61.3
Sep 4, 2024 13:13:57.107403994 CEST	443	49764	162.159.61.3	192.168.2.5
Sep 4, 2024 13:13:57.107497931 CEST	49764	443	192.168.2.5	162.159.61.3
Sep 4, 2024 13:13:57.107562065 CEST	49765	443	192.168.2.5	162.159.61.3
Sep 4, 2024 13:13:57.107629061 CEST	443	49765	162.159.61.3	192.168.2.5
Sep 4, 2024 13:13:57.107697964 CEST	49765	443	192.168.2.5	162.159.61.3
Sep 4, 2024 13:13:57.107731104 CEST	49764	443	192.168.2.5	162.159.61.3
Sep 4, 2024 13:13:57.107744932 CEST	443	49764	162.159.61.3	192.168.2.5
Sep 4, 2024 13:13:57.107852936 CEST	49765	443	192.168.2.5	162.159.61.3
Sep 4, 2024 13:13:57.107881069 CEST	443	49765	162.159.61.3	192.168.2.5
Sep 4, 2024 13:13:57.570441961 CEST	443	49764	162.159.61.3	192.168.2.5
Sep 4, 2024 13:13:57.570962906 CEST	49764	443	192.168.2.5	162.159.61.3
Sep 4, 2024 13:13:57.570985079 CEST	443	49764	162.159.61.3	192.168.2.5
Sep 4, 2024 13:13:57.571429968 CEST	443	49764	162.159.61.3	192.168.2.5
Sep 4, 2024 13:13:57.571861029 CEST	49764	443	192.168.2.5	162.159.61.3
Sep 4, 2024 13:13:57.571969032 CEST	443	49764	162.159.61.3	192.168.2.5
Sep 4, 2024 13:13:57.582618952 CEST	443	49765	162.159.61.3	192.168.2.5
Sep 4, 2024 13:13:57.582811117 CEST	49765	443	192.168.2.5	162.159.61.3
Sep 4, 2024 13:13:57.582834005 CEST	443	49765	162.159.61.3	192.168.2.5
Sep 4, 2024 13:13:57.583132982 CEST	443	49765	162.159.61.3	192.168.2.5
Sep 4, 2024 13:13:57.583378077 CEST	49765	443	192.168.2.5	162.159.61.3
Sep 4, 2024 13:13:57.583430052 CEST	443	49765	162.159.61.3	192.168.2.5
Sep 4, 2024 13:13:57.620683908 CEST	49764	443	192.168.2.5	162.159.61.3
Sep 4, 2024 13:13:57.636320114 CEST	49765	443	192.168.2.5	162.159.61.3
Sep 4, 2024 13:13:57.668787003 CEST	49766	443	192.168.2.5	23.200.0.42
Sep 4, 2024 13:13:57.668828964 CEST	443	49766	23.200.0.42	192.168.2.5
Sep 4, 2024 13:13:57.668915033 CEST	49766	443	192.168.2.5	23.200.0.42
Sep 4, 2024 13:13:57.669117928 CEST	49766	443	192.168.2.5	23.200.0.42
Sep 4, 2024 13:13:57.669130087 CEST	443	49766	23.200.0.42	192.168.2.5
Sep 4, 2024 13:13:58.151191950 CEST	443	49766	23.200.0.42	192.168.2.5
Sep 4, 2024 13:13:58.151483059 CEST	49766	443	192.168.2.5	23.200.0.42
Sep 4, 2024 13:13:58.151509047 CEST	443	49766	23.200.0.42	192.168.2.5
Sep 4, 2024 13:13:58.151827097 CEST	443	49766	23.200.0.42	192.168.2.5
Sep 4, 2024 13:13:58.152139902 CEST	49766	443	192.168.2.5	23.200.0.42
Sep 4, 2024 13:13:58.152204990 CEST	443	49766	23.200.0.42	192.168.2.5
Sep 4, 2024 13:13:58.152416945 CEST	49766	443	192.168.2.5	23.200.0.42
Sep 4, 2024 13:13:58.196506023 CEST	443	49766	23.200.0.42	192.168.2.5
Sep 4, 2024 13:13:58.300920010 CEST	443	49766	23.200.0.42	192.168.2.5
Sep 4, 2024 13:13:58.301016092 CEST	443	49766	23.200.0.42	192.168.2.5
Sep 4, 2024 13:13:58.301101923 CEST	49766	443	192.168.2.5	23.200.0.42
Sep 4, 2024 13:13:58.301666975 CEST	49766	443	192.168.2.5	23.200.0.42
Sep 4, 2024 13:13:58.301683903 CEST	443	49766	23.200.0.42	192.168.2.5
Sep 4, 2024 13:14:02.127464056 CEST	49750	443	192.168.2.5	162.159.61.3
Sep 4, 2024 13:14:02.127464056 CEST	49751	443	192.168.2.5	162.159.61.3
Sep 4, 2024 13:14:02.127506018 CEST	443	49751	162.159.61.3	192.168.2.5
Sep 4, 2024 13:14:02.127506018 CEST	443	49750	162.159.61.3	192.168.2.5
Sep 4, 2024 13:14:09.299860001 CEST	443	49762	172.64.41.3	192.168.2.5
Sep 4, 2024 13:14:09.299956083 CEST	443	49762	172.64.41.3	192.168.2.5
Sep 4, 2024 13:14:09.300056934 CEST	49762	443	192.168.2.5	172.64.41.3
Sep 4, 2024 13:14:09.300632954 CEST	443	49761	172.64.41.3	192.168.2.5
Sep 4, 2024 13:14:09.300709963 CEST	443	49761	172.64.41.3	192.168.2.5
Sep 4, 2024 13:14:09.300757885 CEST	49761	443	192.168.2.5	172.64.41.3
Sep 4, 2024 13:14:12.477272034 CEST	443	49764	162.159.61.3	192.168.2.5
Sep 4, 2024 13:14:12.477349043 CEST	443	49764	162.159.61.3	192.168.2.5
Sep 4, 2024 13:14:12.477401018 CEST	49764	443	192.168.2.5	162.159.61.3
Sep 4, 2024 13:14:12.488670111 CEST	443	49765	162.159.61.3	192.168.2.5
Sep 4, 2024 13:14:12.488745928 CEST	443	49765	162.159.61.3	192.168.2.5
Sep 4, 2024 13:14:12.488801003 CEST	49765	443	192.168.2.5	162.159.61.3
Sep 4, 2024 13:14:30.114995003 CEST	49705	80	192.168.2.5	199.232.210.172
Sep 4, 2024 13:14:30.121635914 CEST	80	49705	199.232.210.172	192.168.2.5
Sep 4, 2024 13:14:30.121748924 CEST	49705	80	192.168.2.5	199.232.210.172
Sep 4, 2024 13:14:34.081311941 CEST	49755	443	192.168.2.5	142.251.40.110
Sep 4, 2024 13:14:34.081341028 CEST	443	49755	142.251.40.110	192.168.2.5
Sep 4, 2024 13:14:34.081406116 CEST	49756	443	192.168.2.5	142.251.40.110
Sep 4, 2024 13:14:34.081429005 CEST	443	49756	142.251.40.110	192.168.2.5
Sep 4, 2024 13:14:47.127554893 CEST	49750	443	192.168.2.5	162.159.61.3
Sep 4, 2024 13:14:47.127592087 CEST	443	49750	162.159.61.3	192.168.2.5
Sep 4, 2024 13:14:47.143035889 CEST	49751	443	192.168.2.5	162.159.61.3
Sep 4, 2024 13:14:47.143074989 CEST	443	49751	162.159.61.3	192.168.2.5
Sep 4, 2024 13:14:54.299561024 CEST	49762	443	192.168.2.5	172.64.41.3
Sep 4, 2024 13:14:54.299592018 CEST	443	49762	172.64.41.3	192.168.2.5
Sep 4, 2024 13:14:54.315078020 CEST	49761	443	192.168.2.5	172.64.41.3
Sep 4, 2024 13:14:54.315085888 CEST	443	49761	172.64.41.3	192.168.2.5
Sep 4, 2024 13:14:57.487607002 CEST	49764	443	192.168.2.5	162.159.61.3
Sep 4, 2024 13:14:57.487634897 CEST	443	49764	162.159.61.3	192.168.2.5
Sep 4, 2024 13:14:57.488771915 CEST	49765	443	192.168.2.5	162.159.61.3
Sep 4, 2024 13:14:57.488805056 CEST	443	49765	162.159.61.3	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 4, 2024 13:12:55.656090975 CEST	53	60548	1.1.1.1	192.168.2.5
Sep 4, 2024 13:12:57.107299089 CEST	58025	53	192.168.2.5	1.1.1.1
Sep 4, 2024 13:12:57.107609034 CEST	55154	53	192.168.2.5	1.1.1.1
Sep 4, 2024 13:12:57.992754936 CEST	53	49301	1.1.1.1	192.168.2.5
Sep 4, 2024 13:12:58.055814981 CEST	53	53266	1.1.1.1	192.168.2.5
Sep 4, 2024 13:13:00.427406073 CEST	50013	53	192.168.2.5	1.1.1.1
Sep 4, 2024 13:13:00.427732944 CEST	57344	53	192.168.2.5	1.1.1.1
Sep 4, 2024 13:13:00.428121090 CEST	64347	53	192.168.2.5	1.1.1.1
Sep 4, 2024 13:13:00.428498983 CEST	62526	53	192.168.2.5	1.1.1.1
Sep 4, 2024 13:13:00.429097891 CEST	54952	53	192.168.2.5	1.1.1.1
Sep 4, 2024 13:13:00.429097891 CEST	58529	53	192.168.2.5	1.1.1.1
Sep 4, 2024 13:13:00.429445028 CEST	64612	53	192.168.2.5	1.1.1.1
Sep 4, 2024 13:13:00.429677963 CEST	60401	53	192.168.2.5	1.1.1.1
Sep 4, 2024 13:13:00.434091091 CEST	53	50013	1.1.1.1	192.168.2.5
Sep 4, 2024 13:13:00.434504986 CEST	53	57344	1.1.1.1	192.168.2.5
Sep 4, 2024 13:13:00.435010910 CEST	53	62526	1.1.1.1	192.168.2.5
Sep 4, 2024 13:13:00.435075998 CEST	53	64347	1.1.1.1	192.168.2.5
Sep 4, 2024 13:13:00.435971975 CEST	53	58529	1.1.1.1	192.168.2.5
Sep 4, 2024 13:13:00.436008930 CEST	53	64612	1.1.1.1	192.168.2.5
Sep 4, 2024 13:13:00.436098099 CEST	53	54952	1.1.1.1	192.168.2.5
Sep 4, 2024 13:13:00.436351061 CEST	53	60401	1.1.1.1	192.168.2.5
Sep 4, 2024 13:13:00.476337910 CEST	54773	53	192.168.2.5	1.1.1.1
Sep 4, 2024 13:13:00.476516962 CEST	65231	53	192.168.2.5	1.1.1.1
Sep 4, 2024 13:13:00.485461950 CEST	53	54773	1.1.1.1	192.168.2.5
Sep 4, 2024 13:13:00.485480070 CEST	53	65231	1.1.1.1	192.168.2.5
Sep 4, 2024 13:13:01.450748920 CEST	52980	443	192.168.2.5	162.159.61.3
Sep 4, 2024 13:13:01.753170967 CEST	52980	443	192.168.2.5	162.159.61.3
Sep 4, 2024 13:13:01.905889034 CEST	443	52980	162.159.61.3	192.168.2.5
Sep 4, 2024 13:13:01.905901909 CEST	443	52980	162.159.61.3	192.168.2.5
Sep 4, 2024 13:13:01.905913115 CEST	443	52980	162.159.61.3	192.168.2.5
Sep 4, 2024 13:13:01.905925035 CEST	443	52980	162.159.61.3	192.168.2.5
Sep 4, 2024 13:13:01.905937910 CEST	443	52980	162.159.61.3	192.168.2.5
Sep 4, 2024 13:13:01.906506062 CEST	52980	443	192.168.2.5	162.159.61.3
Sep 4, 2024 13:13:01.908392906 CEST	52980	443	192.168.2.5	162.159.61.3
Sep 4, 2024 13:13:01.908557892 CEST	52980	443	192.168.2.5	162.159.61.3
Sep 4, 2024 13:13:01.909612894 CEST	52980	443	192.168.2.5	162.159.61.3
Sep 4, 2024 13:13:01.909944057 CEST	52980	443	192.168.2.5	162.159.61.3
Sep 4, 2024 13:13:02.006953955 CEST	443	52980	162.159.61.3	192.168.2.5
Sep 4, 2024 13:13:02.006973982 CEST	443	52980	162.159.61.3	192.168.2.5
Sep 4, 2024 13:13:02.006983995 CEST	443	52980	162.159.61.3	192.168.2.5
Sep 4, 2024 13:13:02.006993055 CEST	443	52980	162.159.61.3	192.168.2.5
Sep 4, 2024 13:13:02.008721113 CEST	443	52980	162.159.61.3	192.168.2.5
Sep 4, 2024 13:13:02.009742022 CEST	443	52980	162.159.61.3	192.168.2.5
Sep 4, 2024 13:13:02.009810925 CEST	443	52980	162.159.61.3	192.168.2.5
Sep 4, 2024 13:13:02.023567915 CEST	52980	443	192.168.2.5	162.159.61.3
Sep 4, 2024 13:13:02.023752928 CEST	52980	443	192.168.2.5	162.159.61.3
Sep 4, 2024 13:13:02.024131060 CEST	52980	443	192.168.2.5	162.159.61.3
Sep 4, 2024 13:13:02.122152090 CEST	443	52980	162.159.61.3	192.168.2.5
Sep 4, 2024 13:13:02.351548910 CEST	443	52980	162.159.61.3	192.168.2.5
Sep 4, 2024 13:13:02.394665003 CEST	52980	443	192.168.2.5	162.159.61.3
Sep 4, 2024 13:13:02.502700090 CEST	52980	443	192.168.2.5	162.159.61.3
Sep 4, 2024 13:13:02.502803087 CEST	52980	443	192.168.2.5	162.159.61.3
Sep 4, 2024 13:13:02.601727962 CEST	443	52980	162.159.61.3	192.168.2.5
Sep 4, 2024 13:13:02.602514029 CEST	443	52980	162.159.61.3	192.168.2.5
Sep 4, 2024 13:13:02.602834940 CEST	443	52980	162.159.61.3	192.168.2.5
Sep 4, 2024 13:13:02.605223894 CEST	52980	443	192.168.2.5	162.159.61.3
Sep 4, 2024 13:13:02.747237921 CEST	52980	443	192.168.2.5	162.159.61.3
Sep 4, 2024 13:13:02.747333050 CEST	52980	443	192.168.2.5	162.159.61.3
Sep 4, 2024 13:13:02.845892906 CEST	443	52980	162.159.61.3	192.168.2.5
Sep 4, 2024 13:13:02.847670078 CEST	443	52980	162.159.61.3	192.168.2.5
Sep 4, 2024 13:13:02.847779989 CEST	443	52980	162.159.61.3	192.168.2.5
Sep 4, 2024 13:13:02.848733902 CEST	52980	443	192.168.2.5	162.159.61.3
Sep 4, 2024 13:13:03.209397078 CEST	56056	443	192.168.2.5	142.251.40.110
Sep 4, 2024 13:13:03.541779041 CEST	56056	443	192.168.2.5	142.251.40.110
Sep 4, 2024 13:13:03.662000895 CEST	443	56056	142.251.40.110	192.168.2.5
Sep 4, 2024 13:13:03.662091970 CEST	443	56056	142.251.40.110	192.168.2.5
Sep 4, 2024 13:13:03.663357019 CEST	56056	443	192.168.2.5	142.251.40.110
Sep 4, 2024 13:13:03.666271925 CEST	443	56056	142.251.40.110	192.168.2.5
Sep 4, 2024 13:13:03.666306019 CEST	443	56056	142.251.40.110	192.168.2.5
Sep 4, 2024 13:13:03.666317940 CEST	443	56056	142.251.40.110	192.168.2.5
Sep 4, 2024 13:13:03.666348934 CEST	443	56056	142.251.40.110	192.168.2.5
Sep 4, 2024 13:13:03.666533947 CEST	56056	443	192.168.2.5	142.251.40.110
Sep 4, 2024 13:13:03.667087078 CEST	56056	443	192.168.2.5	142.251.40.110
Sep 4, 2024 13:13:03.667944908 CEST	56056	443	192.168.2.5	142.251.40.110
Sep 4, 2024 13:13:03.668061018 CEST	56056	443	192.168.2.5	142.251.40.110
Sep 4, 2024 13:13:03.668454885 CEST	56056	443	192.168.2.5	142.251.40.110
Sep 4, 2024 13:13:03.668592930 CEST	56056	443	192.168.2.5	142.251.40.110
Sep 4, 2024 13:13:03.767748117 CEST	443	56056	142.251.40.110	192.168.2.5
Sep 4, 2024 13:13:03.767781973 CEST	443	56056	142.251.40.110	192.168.2.5
Sep 4, 2024 13:13:03.768590927 CEST	443	56056	142.251.40.110	192.168.2.5
Sep 4, 2024 13:13:03.768621922 CEST	56056	443	192.168.2.5	142.251.40.110
Sep 4, 2024 13:13:03.794517040 CEST	443	56056	142.251.40.110	192.168.2.5
Sep 4, 2024 13:13:03.795942068 CEST	56056	443	192.168.2.5	142.251.40.110
Sep 4, 2024 13:13:03.799396038 CEST	443	56056	142.251.40.110	192.168.2.5
Sep 4, 2024 13:13:03.799941063 CEST	56056	443	192.168.2.5	142.251.40.110
Sep 4, 2024 13:13:03.800406933 CEST	443	56056	142.251.40.110	192.168.2.5
Sep 4, 2024 13:13:03.802375078 CEST	56056	443	192.168.2.5	142.251.40.110
Sep 4, 2024 13:13:03.802455902 CEST	443	56056	142.251.40.110	192.168.2.5
Sep 4, 2024 13:13:03.835946083 CEST	56056	443	192.168.2.5	142.251.40.110
Sep 4, 2024 13:13:03.905601978 CEST	443	56056	142.251.40.110	192.168.2.5
Sep 4, 2024 13:13:11.230809927 CEST	56056	443	192.168.2.5	142.251.40.110
Sep 4, 2024 13:13:11.230882883 CEST	56056	443	192.168.2.5	142.251.40.110
Sep 4, 2024 13:13:11.331105947 CEST	443	56056	142.251.40.110	192.168.2.5
Sep 4, 2024 13:13:11.372673988 CEST	56056	443	192.168.2.5	142.251.40.110
Sep 4, 2024 13:13:11.381037951 CEST	443	56056	142.251.40.110	192.168.2.5
Sep 4, 2024 13:13:11.381061077 CEST	443	56056	142.251.40.110	192.168.2.5
Sep 4, 2024 13:13:11.383663893 CEST	56056	443	192.168.2.5	142.251.40.110
Sep 4, 2024 13:13:11.413119078 CEST	56056	443	192.168.2.5	142.251.40.110
Sep 4, 2024 13:13:11.512454033 CEST	443	56056	142.251.40.110	192.168.2.5
Sep 4, 2024 13:13:32.521018982 CEST	56056	443	192.168.2.5	142.251.40.110
Sep 4, 2024 13:13:32.645860910 CEST	443	56056	142.251.40.110	192.168.2.5
Sep 4, 2024 13:13:32.649760008 CEST	443	56056	142.251.40.110	192.168.2.5
Sep 4, 2024 13:13:32.650173903 CEST	443	56056	142.251.40.110	192.168.2.5
Sep 4, 2024 13:13:32.650204897 CEST	56056	443	192.168.2.5	142.251.40.110
Sep 4, 2024 13:13:32.690116882 CEST	56056	443	192.168.2.5	142.251.40.110
Sep 4, 2024 13:13:32.775492907 CEST	443	56056	142.251.40.110	192.168.2.5
Sep 4, 2024 13:13:32.786256075 CEST	56056	443	192.168.2.5	142.251.40.110
Sep 4, 2024 13:13:32.786305904 CEST	56056	443	192.168.2.5	142.251.40.110
Sep 4, 2024 13:13:32.886404037 CEST	443	56056	142.251.40.110	192.168.2.5
Sep 4, 2024 13:13:32.917818069 CEST	443	56056	142.251.40.110	192.168.2.5
Sep 4, 2024 13:13:32.918186903 CEST	56056	443	192.168.2.5	142.251.40.110
Sep 4, 2024 13:13:32.918445110 CEST	443	56056	142.251.40.110	192.168.2.5
Sep 4, 2024 13:13:32.955542088 CEST	56056	443	192.168.2.5	142.251.40.110
Sep 4, 2024 13:13:33.045897961 CEST	443	56056	142.251.40.110	192.168.2.5
Sep 4, 2024 13:13:33.779362917 CEST	56056	443	192.168.2.5	142.251.40.110
Sep 4, 2024 13:13:33.905170918 CEST	443	56056	142.251.40.110	192.168.2.5
Sep 4, 2024 13:13:33.907593966 CEST	443	56056	142.251.40.110	192.168.2.5
Sep 4, 2024 13:13:33.908047915 CEST	443	56056	142.251.40.110	192.168.2.5
Sep 4, 2024 13:13:33.926140070 CEST	56056	443	192.168.2.5	142.251.40.110
Sep 4, 2024 13:13:33.952377081 CEST	56056	443	192.168.2.5	142.251.40.110
Sep 4, 2024 13:13:34.051057100 CEST	443	56056	142.251.40.110	192.168.2.5
Sep 4, 2024 13:13:53.929095984 CEST	62997	443	192.168.2.5	172.64.41.3
Sep 4, 2024 13:13:54.237689018 CEST	62997	443	192.168.2.5	172.64.41.3
Sep 4, 2024 13:13:54.375961065 CEST	443	62997	172.64.41.3	192.168.2.5
Sep 4, 2024 13:13:54.375977993 CEST	443	62997	172.64.41.3	192.168.2.5
Sep 4, 2024 13:13:54.375989914 CEST	443	62997	172.64.41.3	192.168.2.5
Sep 4, 2024 13:13:54.375994921 CEST	443	62997	172.64.41.3	192.168.2.5
Sep 4, 2024 13:13:54.376000881 CEST	443	62997	172.64.41.3	192.168.2.5
Sep 4, 2024 13:13:54.376686096 CEST	62997	443	192.168.2.5	172.64.41.3
Sep 4, 2024 13:13:54.378216028 CEST	62997	443	192.168.2.5	172.64.41.3
Sep 4, 2024 13:13:54.378509998 CEST	62997	443	192.168.2.5	172.64.41.3
Sep 4, 2024 13:13:54.378619909 CEST	62997	443	192.168.2.5	172.64.41.3
Sep 4, 2024 13:13:54.378858089 CEST	62997	443	192.168.2.5	172.64.41.3
Sep 4, 2024 13:13:54.378999949 CEST	62997	443	192.168.2.5	172.64.41.3
Sep 4, 2024 13:13:54.474358082 CEST	443	62997	172.64.41.3	192.168.2.5
Sep 4, 2024 13:13:54.474385977 CEST	443	62997	172.64.41.3	192.168.2.5
Sep 4, 2024 13:13:54.474394083 CEST	443	62997	172.64.41.3	192.168.2.5
Sep 4, 2024 13:13:54.474396944 CEST	443	62997	172.64.41.3	192.168.2.5
Sep 4, 2024 13:13:54.474400043 CEST	443	62997	172.64.41.3	192.168.2.5
Sep 4, 2024 13:13:54.475373030 CEST	443	62997	172.64.41.3	192.168.2.5
Sep 4, 2024 13:13:54.476175070 CEST	62997	443	192.168.2.5	172.64.41.3
Sep 4, 2024 13:13:54.476492882 CEST	62997	443	192.168.2.5	172.64.41.3
Sep 4, 2024 13:13:54.476646900 CEST	443	62997	172.64.41.3	192.168.2.5
Sep 4, 2024 13:13:54.476656914 CEST	443	62997	172.64.41.3	192.168.2.5
Sep 4, 2024 13:13:54.477008104 CEST	62997	443	192.168.2.5	172.64.41.3
Sep 4, 2024 13:13:54.571955919 CEST	443	62997	172.64.41.3	192.168.2.5
Sep 4, 2024 13:13:54.612816095 CEST	62997	443	192.168.2.5	172.64.41.3
Sep 4, 2024 13:13:57.107203960 CEST	61324	443	192.168.2.5	162.159.61.3
Sep 4, 2024 13:13:57.417871952 CEST	61324	443	192.168.2.5	162.159.61.3
Sep 4, 2024 13:13:57.566097975 CEST	443	61324	162.159.61.3	192.168.2.5
Sep 4, 2024 13:13:57.566128016 CEST	443	61324	162.159.61.3	192.168.2.5
Sep 4, 2024 13:13:57.566142082 CEST	443	61324	162.159.61.3	192.168.2.5
Sep 4, 2024 13:13:57.566152096 CEST	443	61324	162.159.61.3	192.168.2.5
Sep 4, 2024 13:13:57.566164017 CEST	443	61324	162.159.61.3	192.168.2.5
Sep 4, 2024 13:13:57.568114996 CEST	61324	443	192.168.2.5	162.159.61.3
Sep 4, 2024 13:13:57.569875956 CEST	61324	443	192.168.2.5	162.159.61.3
Sep 4, 2024 13:13:57.570373058 CEST	61324	443	192.168.2.5	162.159.61.3
Sep 4, 2024 13:13:57.570513010 CEST	61324	443	192.168.2.5	162.159.61.3
Sep 4, 2024 13:13:57.571360111 CEST	61324	443	192.168.2.5	162.159.61.3
Sep 4, 2024 13:13:57.571582079 CEST	61324	443	192.168.2.5	162.159.61.3
Sep 4, 2024 13:13:57.664243937 CEST	443	61324	162.159.61.3	192.168.2.5
Sep 4, 2024 13:13:57.664259911 CEST	443	61324	162.159.61.3	192.168.2.5
Sep 4, 2024 13:13:57.664268017 CEST	443	61324	162.159.61.3	192.168.2.5
Sep 4, 2024 13:13:57.664272070 CEST	443	61324	162.159.61.3	192.168.2.5
Sep 4, 2024 13:13:57.664920092 CEST	61324	443	192.168.2.5	162.159.61.3
Sep 4, 2024 13:13:57.664990902 CEST	61324	443	192.168.2.5	162.159.61.3
Sep 4, 2024 13:13:57.666121960 CEST	443	61324	162.159.61.3	192.168.2.5
Sep 4, 2024 13:13:57.667615891 CEST	443	61324	162.159.61.3	192.168.2.5
Sep 4, 2024 13:13:57.667629004 CEST	443	61324	162.159.61.3	192.168.2.5
Sep 4, 2024 13:13:57.668014050 CEST	61324	443	192.168.2.5	162.159.61.3
Sep 4, 2024 13:13:57.758878946 CEST	443	61324	162.159.61.3	192.168.2.5
Sep 4, 2024 13:13:57.785145998 CEST	61324	443	192.168.2.5	162.159.61.3
Sep 4, 2024 13:14:04.054820061 CEST	63693	443	192.168.2.5	162.159.61.3
Sep 4, 2024 13:14:04.054979086 CEST	63693	443	192.168.2.5	162.159.61.3
Sep 4, 2024 13:14:04.055335045 CEST	63693	443	192.168.2.5	162.159.61.3
Sep 4, 2024 13:14:04.055440903 CEST	63693	443	192.168.2.5	162.159.61.3
Sep 4, 2024 13:14:04.255414963 CEST	63693	443	192.168.2.5	162.159.61.3
Sep 4, 2024 13:14:04.255562067 CEST	63693	443	192.168.2.5	162.159.61.3
Sep 4, 2024 13:14:04.455728054 CEST	63693	443	192.168.2.5	162.159.61.3
Sep 4, 2024 13:14:04.499278069 CEST	443	63693	162.159.61.3	192.168.2.5
Sep 4, 2024 13:14:04.500165939 CEST	63693	443	192.168.2.5	162.159.61.3
Sep 4, 2024 13:14:04.533744097 CEST	63693	443	192.168.2.5	162.159.61.3
Sep 4, 2024 13:14:04.551135063 CEST	443	63693	162.159.61.3	192.168.2.5
Sep 4, 2024 13:14:04.551148891 CEST	443	63693	162.159.61.3	192.168.2.5
Sep 4, 2024 13:14:04.551156998 CEST	443	63693	162.159.61.3	192.168.2.5
Sep 4, 2024 13:14:04.551161051 CEST	443	63693	162.159.61.3	192.168.2.5
Sep 4, 2024 13:14:04.551652908 CEST	63693	443	192.168.2.5	162.159.61.3
Sep 4, 2024 13:14:04.551652908 CEST	63693	443	192.168.2.5	162.159.61.3
Sep 4, 2024 13:14:04.595741034 CEST	443	63693	162.159.61.3	192.168.2.5
Sep 4, 2024 13:14:04.627702951 CEST	63693	443	192.168.2.5	162.159.61.3
Sep 4, 2024 13:14:04.646209955 CEST	443	63693	162.159.61.3	192.168.2.5
Sep 4, 2024 13:14:04.646631956 CEST	63693	443	192.168.2.5	162.159.61.3
Sep 4, 2024 13:14:04.743212938 CEST	443	63693	162.159.61.3	192.168.2.5
Sep 4, 2024 13:14:04.743902922 CEST	443	63693	162.159.61.3	192.168.2.5
Sep 4, 2024 13:14:04.743957043 CEST	443	63693	162.159.61.3	192.168.2.5
Sep 4, 2024 13:14:04.744368076 CEST	63693	443	192.168.2.5	162.159.61.3
Sep 4, 2024 13:14:04.744388103 CEST	443	63693	162.159.61.3	192.168.2.5
Sep 4, 2024 13:14:04.744580984 CEST	443	63693	162.159.61.3	192.168.2.5
Sep 4, 2024 13:14:04.745093107 CEST	63693	443	192.168.2.5	162.159.61.3
Sep 4, 2024 13:14:04.745481014 CEST	54253	443	192.168.2.5	142.250.80.110
Sep 4, 2024 13:14:04.745661974 CEST	54253	443	192.168.2.5	142.250.80.110
Sep 4, 2024 13:14:04.746624947 CEST	58082	443	192.168.2.5	172.253.115.84
Sep 4, 2024 13:14:04.746752024 CEST	58082	443	192.168.2.5	172.253.115.84
Sep 4, 2024 13:14:05.106204987 CEST	54253	443	192.168.2.5	142.250.80.110
Sep 4, 2024 13:14:05.196265936 CEST	443	58082	172.253.115.84	192.168.2.5
Sep 4, 2024 13:14:05.196914911 CEST	443	58082	172.253.115.84	192.168.2.5
Sep 4, 2024 13:14:05.196949005 CEST	443	58082	172.253.115.84	192.168.2.5
Sep 4, 2024 13:14:05.196959972 CEST	443	58082	172.253.115.84	192.168.2.5
Sep 4, 2024 13:14:05.197388887 CEST	58082	443	192.168.2.5	172.253.115.84
Sep 4, 2024 13:14:05.202991962 CEST	443	54253	142.250.80.110	192.168.2.5
Sep 4, 2024 13:14:05.203274965 CEST	58082	443	192.168.2.5	172.253.115.84
Sep 4, 2024 13:14:05.209444046 CEST	443	54253	142.250.80.110	192.168.2.5
Sep 4, 2024 13:14:05.209523916 CEST	443	54253	142.250.80.110	192.168.2.5
Sep 4, 2024 13:14:05.210141897 CEST	54253	443	192.168.2.5	142.250.80.110
Sep 4, 2024 13:14:05.210205078 CEST	54253	443	192.168.2.5	142.250.80.110
Sep 4, 2024 13:14:05.210494041 CEST	54253	443	192.168.2.5	142.250.80.110
Sep 4, 2024 13:14:05.210520983 CEST	54253	443	192.168.2.5	142.250.80.110
Sep 4, 2024 13:14:05.210622072 CEST	54253	443	192.168.2.5	142.250.80.110
Sep 4, 2024 13:14:05.210648060 CEST	54253	443	192.168.2.5	142.250.80.110
Sep 4, 2024 13:14:05.227746964 CEST	443	54253	142.250.80.110	192.168.2.5
Sep 4, 2024 13:14:05.300446987 CEST	443	58082	172.253.115.84	192.168.2.5
Sep 4, 2024 13:14:05.301521063 CEST	58082	443	192.168.2.5	172.253.115.84
Sep 4, 2024 13:14:05.301803112 CEST	58082	443	192.168.2.5	172.253.115.84
Sep 4, 2024 13:14:05.303102016 CEST	443	54253	142.250.80.110	192.168.2.5
Sep 4, 2024 13:14:05.303658009 CEST	443	54253	142.250.80.110	192.168.2.5
Sep 4, 2024 13:14:05.303668022 CEST	443	54253	142.250.80.110	192.168.2.5
Sep 4, 2024 13:14:05.303885937 CEST	54253	443	192.168.2.5	142.250.80.110
Sep 4, 2024 13:14:05.303930998 CEST	443	54253	142.250.80.110	192.168.2.5
Sep 4, 2024 13:14:05.318372965 CEST	443	54253	142.250.80.110	192.168.2.5
Sep 4, 2024 13:14:05.318764925 CEST	54253	443	192.168.2.5	142.250.80.110
Sep 4, 2024 13:14:05.318825006 CEST	443	54253	142.250.80.110	192.168.2.5
Sep 4, 2024 13:14:05.331757069 CEST	443	54253	142.250.80.110	192.168.2.5
Sep 4, 2024 13:14:05.332235098 CEST	54253	443	192.168.2.5	142.250.80.110
Sep 4, 2024 13:14:05.332319975 CEST	443	54253	142.250.80.110	192.168.2.5
Sep 4, 2024 13:14:05.362976074 CEST	54253	443	192.168.2.5	142.250.80.110
Sep 4, 2024 13:14:05.405654907 CEST	443	58082	172.253.115.84	192.168.2.5
Sep 4, 2024 13:14:05.405752897 CEST	443	58082	172.253.115.84	192.168.2.5
Sep 4, 2024 13:14:05.406011105 CEST	443	58082	172.253.115.84	192.168.2.5
Sep 4, 2024 13:14:05.406009912 CEST	58082	443	192.168.2.5	172.253.115.84
Sep 4, 2024 13:14:05.425158978 CEST	443	54253	142.250.80.110	192.168.2.5
Sep 4, 2024 13:14:05.440923929 CEST	58082	443	192.168.2.5	172.253.115.84
Sep 4, 2024 13:14:05.460416079 CEST	443	58082	172.253.115.84	192.168.2.5
Sep 4, 2024 13:14:05.460445881 CEST	443	58082	172.253.115.84	192.168.2.5
Sep 4, 2024 13:14:05.460479021 CEST	443	58082	172.253.115.84	192.168.2.5
Sep 4, 2024 13:14:05.464643002 CEST	58082	443	192.168.2.5	172.253.115.84
Sep 4, 2024 13:14:05.464741945 CEST	58082	443	192.168.2.5	172.253.115.84
Sep 4, 2024 13:14:05.592844009 CEST	443	58082	172.253.115.84	192.168.2.5
Sep 4, 2024 13:14:35.239823103 CEST	51443	443	192.168.2.5	142.250.80.110
Sep 4, 2024 13:14:35.239923954 CEST	51443	443	192.168.2.5	142.250.80.110
Sep 4, 2024 13:14:35.671681881 CEST	51443	443	192.168.2.5	142.250.80.110
Sep 4, 2024 13:14:35.704660892 CEST	443	51443	142.250.80.110	192.168.2.5
Sep 4, 2024 13:14:35.704679012 CEST	443	51443	142.250.80.110	192.168.2.5
Sep 4, 2024 13:14:35.717859983 CEST	51443	443	192.168.2.5	142.250.80.110
Sep 4, 2024 13:14:35.717891932 CEST	51443	443	192.168.2.5	142.250.80.110
Sep 4, 2024 13:14:35.717991114 CEST	51443	443	192.168.2.5	142.250.80.110
Sep 4, 2024 13:14:35.723253012 CEST	443	51443	142.250.80.110	192.168.2.5
Sep 4, 2024 13:14:35.727981091 CEST	51443	443	192.168.2.5	142.250.80.110
Sep 4, 2024 13:14:35.728068113 CEST	51443	443	192.168.2.5	142.250.80.110
Sep 4, 2024 13:14:35.766412973 CEST	443	51443	142.250.80.110	192.168.2.5
Sep 4, 2024 13:14:35.781462908 CEST	51443	443	192.168.2.5	142.250.80.110
Sep 4, 2024 13:14:35.811793089 CEST	443	51443	142.250.80.110	192.168.2.5
Sep 4, 2024 13:14:35.812165022 CEST	51443	443	192.168.2.5	142.250.80.110
Sep 4, 2024 13:14:35.822173119 CEST	443	51443	142.250.80.110	192.168.2.5
Sep 4, 2024 13:14:35.822268963 CEST	443	51443	142.250.80.110	192.168.2.5
Sep 4, 2024 13:14:35.822699070 CEST	51443	443	192.168.2.5	142.250.80.110
Sep 4, 2024 13:14:35.850564957 CEST	443	51443	142.250.80.110	192.168.2.5
Sep 4, 2024 13:14:35.851030111 CEST	443	51443	142.250.80.110	192.168.2.5
Sep 4, 2024 13:14:35.851063013 CEST	51443	443	192.168.2.5	142.250.80.110
Sep 4, 2024 13:14:35.875086069 CEST	443	51443	142.250.80.110	192.168.2.5
Sep 4, 2024 13:14:35.878467083 CEST	51443	443	192.168.2.5	142.250.80.110
Sep 4, 2024 13:14:35.945013046 CEST	443	51443	142.250.80.110	192.168.2.5
Sep 4, 2024 13:14:37.677484035 CEST	51443	443	192.168.2.5	142.250.80.110
Sep 4, 2024 13:14:38.108515024 CEST	443	51443	142.250.80.110	192.168.2.5
Sep 4, 2024 13:14:38.108530998 CEST	443	51443	142.250.80.110	192.168.2.5
Sep 4, 2024 13:14:38.108540058 CEST	443	51443	142.250.80.110	192.168.2.5
Sep 4, 2024 13:14:38.108647108 CEST	443	51443	142.250.80.110	192.168.2.5
Sep 4, 2024 13:14:38.119776011 CEST	51443	443	192.168.2.5	142.250.80.110
Sep 4, 2024 13:14:38.129880905 CEST	51443	443	192.168.2.5	142.250.80.110
Sep 4, 2024 13:14:38.215136051 CEST	443	51443	142.250.80.110	192.168.2.5
Sep 4, 2024 13:14:38.215425014 CEST	51443	443	192.168.2.5	142.250.80.110

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Sep 4, 2024 13:12:57.107299089 CEST	192.168.2.5	1.1.1.1	0x5c20	Standard query (0)	bzib.nelreports.net	A (IP address)	IN (0x0001)	false
Sep 4, 2024 13:12:57.107609034 CEST	192.168.2.5	1.1.1.1	0xa7aa	Standard query (0)	bzib.nelreports.net	65	IN (0x0001)	false
Sep 4, 2024 13:13:00.427406073 CEST	192.168.2.5	1.1.1.1	0x5623	Standard query (0)	chrome.cloudflare-dns.com	A (IP address)	IN (0x0001)	false
Sep 4, 2024 13:13:00.427732944 CEST	192.168.2.5	1.1.1.1	0x6140	Standard query (0)	chrome.cloudflare-dns.com	65	IN (0x0001)	false
Sep 4, 2024 13:13:00.428121090 CEST	192.168.2.5	1.1.1.1	0x7269	Standard query (0)	chrome.cloudflare-dns.com	A (IP address)	IN (0x0001)	false
Sep 4, 2024 13:13:00.428498983 CEST	192.168.2.5	1.1.1.1	0x1c2	Standard query (0)	chrome.cloudflare-dns.com	65	IN (0x0001)	false
Sep 4, 2024 13:13:00.429097891 CEST	192.168.2.5	1.1.1.1	0x6ad6	Standard query (0)	chrome.cloudflare-dns.com	65	IN (0x0001)	false
Sep 4, 2024 13:13:00.429097891 CEST	192.168.2.5	1.1.1.1	0x6fbb	Standard query (0)	chrome.cloudflare-dns.com	A (IP address)	IN (0x0001)	false
Sep 4, 2024 13:13:00.429445028 CEST	192.168.2.5	1.1.1.1	0xcc4	Standard query (0)	chrome.cloudflare-dns.com	A (IP address)	IN (0x0001)	false
Sep 4, 2024 13:13:00.429677963 CEST	192.168.2.5	1.1.1.1	0x95ba	Standard query (0)	chrome.cloudflare-dns.com	65	IN (0x0001)	false
Sep 4, 2024 13:13:00.476337910 CEST	192.168.2.5	1.1.1.1	0x6e32	Standard query (0)	chrome.cloudflare-dns.com	A (IP address)	IN (0x0001)	false
Sep 4, 2024 13:13:00.476516962 CEST	192.168.2.5	1.1.1.1	0xadef	Standard query (0)	chrome.cloudflare-dns.com	65	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Sep 4, 2024 13:12:57.115366936 CEST	1.1.1.1	192.168.2.5	0x5c20	No error (0)	bzib.nelreports.net	bzib.nelreports.net.akamaized.net		CNAME (Canonical name)	IN (0x0001)	false
Sep 4, 2024 13:12:57.118985891 CEST	1.1.1.1	192.168.2.5	0xa7aa	No error (0)	bzib.nelreports.net	bzib.nelreports.net.akamaized.net		CNAME (Canonical name)	IN (0x0001)	false
Sep 4, 2024 13:12:58.826066971 CEST	1.1.1.1	192.168.2.5	0x6cb8	No error (0)	shed.dual-low.s-part-0032.t-0009.t-msedge.net	s-part-0032.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Sep 4, 2024 13:12:58.826066971 CEST	1.1.1.1	192.168.2.5	0x6cb8	No error (0)	s-part-0032.t-0009.t-msedge.net		13.107.246.60	A (IP address)	IN (0x0001)	false
Sep 4, 2024 13:13:00.434091091 CEST	1.1.1.1	192.168.2.5	0x5623	No error (0)	chrome.cloudflare-dns.com		172.64.41.3	A (IP address)	IN (0x0001)	false
Sep 4, 2024 13:13:00.434091091 CEST	1.1.1.1	192.168.2.5	0x5623	No error (0)	chrome.cloudflare-dns.com		162.159.61.3	A (IP address)	IN (0x0001)	false
Sep 4, 2024 13:13:00.434504986 CEST	1.1.1.1	192.168.2.5	0x6140	No error (0)	chrome.cloudflare-dns.com			65	IN (0x0001)	false
Sep 4, 2024 13:13:00.435010910 CEST	1.1.1.1	192.168.2.5	0x1c2	No error (0)	chrome.cloudflare-dns.com			65	IN (0x0001)	false
Sep 4, 2024 13:13:00.435075998 CEST	1.1.1.1	192.168.2.5	0x7269	No error (0)	chrome.cloudflare-dns.com		162.159.61.3	A (IP address)	IN (0x0001)	false
Sep 4, 2024 13:13:00.435075998 CEST	1.1.1.1	192.168.2.5	0x7269	No error (0)	chrome.cloudflare-dns.com		172.64.41.3	A (IP address)	IN (0x0001)	false
Sep 4, 2024 13:13:00.435971975 CEST	1.1.1.1	192.168.2.5	0x6fbb	No error (0)	chrome.cloudflare-dns.com		162.159.61.3	A (IP address)	IN (0x0001)	false
Sep 4, 2024 13:13:00.435971975 CEST	1.1.1.1	192.168.2.5	0x6fbb	No error (0)	chrome.cloudflare-dns.com		172.64.41.3	A (IP address)	IN (0x0001)	false
Sep 4, 2024 13:13:00.436008930 CEST	1.1.1.1	192.168.2.5	0xcc4	No error (0)	chrome.cloudflare-dns.com		172.64.41.3	A (IP address)	IN (0x0001)	false
Sep 4, 2024 13:13:00.436008930 CEST	1.1.1.1	192.168.2.5	0xcc4	No error (0)	chrome.cloudflare-dns.com		162.159.61.3	A (IP address)	IN (0x0001)	false
Sep 4, 2024 13:13:00.436098099 CEST	1.1.1.1	192.168.2.5	0x6ad6	No error (0)	chrome.cloudflare-dns.com			65	IN (0x0001)	false
Sep 4, 2024 13:13:00.436351061 CEST	1.1.1.1	192.168.2.5	0x95ba	No error (0)	chrome.cloudflare-dns.com			65	IN (0x0001)	false
Sep 4, 2024 13:13:00.485461950 CEST	1.1.1.1	192.168.2.5	0x6e32	No error (0)	chrome.cloudflare-dns.com		172.64.41.3	A (IP address)	IN (0x0001)	false
Sep 4, 2024 13:13:00.485461950 CEST	1.1.1.1	192.168.2.5	0x6e32	No error (0)	chrome.cloudflare-dns.com		162.159.61.3	A (IP address)	IN (0x0001)	false
Sep 4, 2024 13:13:00.485480070 CEST	1.1.1.1	192.168.2.5	0xadef	No error (0)	chrome.cloudflare-dns.com			65	IN (0x0001)	false

HTTP Request Dependency Graph

umwatson.events.data.microsoft.com

edgeassetservice.azureedge.net

chrome.cloudflare-dns.com

fs.microsoft.com

https:

www.google.com

www.bing.com

slscr.update.microsoft.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port
0	192.168.2.5	49712	20.190.159.73	443

Timestamp	Bytes transferred	Direction	Data
2024-09-04 11:12:48 UTC	422	OUT	POST /RST2.srf HTTP/1.0 Connection: Keep-Alive Content-Type: application/soap+xml Accept: / User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; Win64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; IDCRL 24.10.0.19045.0.0; IDCRL-cfg 16.000.29743.00; App svchost.exe, 10.0.19041.1806, {DF60E2DF-88AD-4526-AE21-83D130EF0F68}) Content-Length: 3592 Host: login.live.com
2024-09-04 11:12:48 UTC	3592	OUT	Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 33 2f 30 35 2f 73 6f 61 70 2d 65 6e 76 65 6c 6f 70 65 22 20 78 6d 6c 6e 73 3a 70 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 50 61 73 73 70 6f 72 74 2f 53 6f 61 70 53 65 72 76 69 63 65 73 2f 50 50 43 52 4c 22 20 78 6d 6c 6e 73 3a 77 73 73 65 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 34 30 31 2d 77 73 73 2d 77 73 73 65 63 75 72 69 74 79 2d 73 65 63 65 78 74 2d 31 Data Ascii: <?xml version="1.0" encoding="UTF-8"?><s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:ps="http://schemas.microsoft.com/Passport/SoapServices/PPCRL" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1
2024-09-04 11:12:49 UTC	653	IN	HTTP/1.1 200 OK Cache-Control: no-store, no-cache Pragma: no-cache Content-Type: application/soap+xml; charset=utf-8 Expires: Wed, 04 Sep 2024 11:11:48 GMT P3P: CP="DSP CUR OTPi IND OTRi ONL FIN" FdrTelemetry: &481=21&59=33&213=10&215=0&315=1&215=0&315=1&214=56&288=16.0.30345.2 Referrer-Policy: strict-origin-when-cross-origin x-ms-route-info: C531_BL2 x-ms-request-id: 94503c84-d4d6-452a-ac5a-643411717d52 PPServer: PPV: 30 H: BL02EPF0001D89A V: 0 X-Content-Type-Options: nosniff Strict-Transport-Security: max-age=31536000 X-XSS-Protection: 1; mode=block Date: Wed, 04 Sep 2024 11:12:48 GMT Connection: close Content-Length: 11389
2024-09-04 11:12:49 UTC	11389	IN	Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 20 3f 3e 3c 53 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 53 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 33 2f 30 35 2f 73 6f 61 70 2d 65 6e 76 65 6c 6f 70 65 22 20 78 6d 6c 6e 73 3a 77 73 73 65 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 34 30 31 2d 77 73 73 2d 77 73 73 65 63 75 72 69 74 79 2d 73 65 63 65 78 74 2d 31 2e 30 2e 78 73 64 22 20 78 6d 6c 6e 73 3a 77 73 75 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 Data Ascii: <?xml version="1.0" encoding="utf-8" ?><S:Envelope xmlns:S="http://www.w3.org/2003/05/soap-envelope" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200

Session ID	Source IP	Source Port	Destination IP	Destination Port
1	192.168.2.5	49714	20.190.159.73	443

Timestamp	Bytes transferred	Direction	Data
2024-09-04 11:12:49 UTC	422	OUT	POST /RST2.srf HTTP/1.0 Connection: Keep-Alive Content-Type: application/soap+xml Accept: / User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; Win64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; IDCRL 24.10.0.19045.0.0; IDCRL-cfg 16.000.29743.00; App svchost.exe, 10.0.19041.1806, {DF60E2DF-88AD-4526-AE21-83D130EF0F68}) Content-Length: 4775 Host: login.live.com
2024-09-04 11:12:49 UTC	4775	OUT	Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 33 2f 30 35 2f 73 6f 61 70 2d 65 6e 76 65 6c 6f 70 65 22 20 78 6d 6c 6e 73 3a 70 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 50 61 73 73 70 6f 72 74 2f 53 6f 61 70 53 65 72 76 69 63 65 73 2f 50 50 43 52 4c 22 20 78 6d 6c 6e 73 3a 77 73 73 65 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 34 30 31 2d 77 73 73 2d 77 73 73 65 63 75 72 69 74 79 2d 73 65 63 65 78 74 2d 31 Data Ascii: <?xml version="1.0" encoding="UTF-8"?><s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:ps="http://schemas.microsoft.com/Passport/SoapServices/PPCRL" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1
2024-09-04 11:12:50 UTC	568	IN	HTTP/1.1 200 OK Cache-Control: no-store, no-cache Pragma: no-cache Content-Type: application/soap+xml; charset=utf-8 Expires: Wed, 04 Sep 2024 11:11:50 GMT P3P: CP="DSP CUR OTPi IND OTRi ONL FIN" Referrer-Policy: strict-origin-when-cross-origin x-ms-route-info: C555_BL2 x-ms-request-id: 0fc49c97-3937-4f21-861b-929f97bfd5d6 PPServer: PPV: 30 H: BL02EPF0001D782 V: 0 X-Content-Type-Options: nosniff Strict-Transport-Security: max-age=31536000 X-XSS-Protection: 1; mode=block Date: Wed, 04 Sep 2024 11:12:49 GMT Connection: close Content-Length: 1918
2024-09-04 11:12:50 UTC	1918	IN	Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 20 3f 3e 3c 53 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 53 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 33 2f 30 35 2f 73 6f 61 70 2d 65 6e 76 65 6c 6f 70 65 22 20 78 6d 6c 6e 73 3a 77 73 73 65 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 34 30 31 2d 77 73 73 2d 77 73 73 65 63 75 72 69 74 79 2d 73 65 63 65 78 74 2d 31 2e 30 2e 78 73 64 22 20 78 6d 6c 6e 73 3a 77 73 75 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 Data Ascii: <?xml version="1.0" encoding="utf-8" ?><S:Envelope xmlns:S="http://www.w3.org/2003/05/soap-envelope" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200

Session ID	Source IP	Source Port	Destination IP	Destination Port
2	192.168.2.5	49716	20.190.159.73	443

Timestamp	Bytes transferred	Direction	Data
2024-09-04 11:12:51 UTC	422	OUT	POST /RST2.srf HTTP/1.0 Connection: Keep-Alive Content-Type: application/soap+xml Accept: / User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; Win64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; IDCRL 24.10.0.19045.0.0; IDCRL-cfg 16.000.29743.00; App svchost.exe, 10.0.19041.1806, {DF60E2DF-88AD-4526-AE21-83D130EF0F68}) Content-Length: 4775 Host: login.live.com
2024-09-04 11:12:51 UTC	4775	OUT	Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 33 2f 30 35 2f 73 6f 61 70 2d 65 6e 76 65 6c 6f 70 65 22 20 78 6d 6c 6e 73 3a 70 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 50 61 73 73 70 6f 72 74 2f 53 6f 61 70 53 65 72 76 69 63 65 73 2f 50 50 43 52 4c 22 20 78 6d 6c 6e 73 3a 77 73 73 65 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 34 30 31 2d 77 73 73 2d 77 73 73 65 63 75 72 69 74 79 2d 73 65 63 65 78 74 2d 31 Data Ascii: <?xml version="1.0" encoding="UTF-8"?><s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:ps="http://schemas.microsoft.com/Passport/SoapServices/PPCRL" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1
2024-09-04 11:12:52 UTC	653	IN	HTTP/1.1 200 OK Cache-Control: no-store, no-cache Pragma: no-cache Content-Type: application/soap+xml; charset=utf-8 Expires: Wed, 04 Sep 2024 11:11:51 GMT P3P: CP="DSP CUR OTPi IND OTRi ONL FIN" FdrTelemetry: &481=21&59=33&213=10&215=0&315=1&215=0&315=1&214=56&288=16.0.30345.2 Referrer-Policy: strict-origin-when-cross-origin x-ms-route-info: C531_BL2 x-ms-request-id: d73b6752-f6e9-4776-bdb9-c7d0fc0df6d8 PPServer: PPV: 30 H: BL02EPF0001D89D V: 0 X-Content-Type-Options: nosniff Strict-Transport-Security: max-age=31536000 X-XSS-Protection: 1; mode=block Date: Wed, 04 Sep 2024 11:12:51 GMT Connection: close Content-Length: 11409
2024-09-04 11:12:52 UTC	11409	IN	Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 20 3f 3e 3c 53 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 53 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 33 2f 30 35 2f 73 6f 61 70 2d 65 6e 76 65 6c 6f 70 65 22 20 78 6d 6c 6e 73 3a 77 73 73 65 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 34 30 31 2d 77 73 73 2d 77 73 73 65 63 75 72 69 74 79 2d 73 65 63 65 78 74 2d 31 2e 30 2e 78 73 64 22 20 78 6d 6c 6e 73 3a 77 73 75 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 Data Ascii: <?xml version="1.0" encoding="utf-8" ?><S:Envelope xmlns:S="http://www.w3.org/2003/05/soap-envelope" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200

Session ID	Source IP	Source Port	Destination IP	Destination Port
3	192.168.2.5	49715	20.190.159.73	443

Timestamp	Bytes transferred	Direction	Data
2024-09-04 11:12:51 UTC	422	OUT	POST /RST2.srf HTTP/1.0 Connection: Keep-Alive Content-Type: application/soap+xml Accept: / User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; Win64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; IDCRL 24.10.0.19045.0.0; IDCRL-cfg 16.000.29743.00; App svchost.exe, 10.0.19041.1806, {DF60E2DF-88AD-4526-AE21-83D130EF0F68}) Content-Length: 4775 Host: login.live.com
2024-09-04 11:12:51 UTC	4775	OUT	Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 33 2f 30 35 2f 73 6f 61 70 2d 65 6e 76 65 6c 6f 70 65 22 20 78 6d 6c 6e 73 3a 70 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 50 61 73 73 70 6f 72 74 2f 53 6f 61 70 53 65 72 76 69 63 65 73 2f 50 50 43 52 4c 22 20 78 6d 6c 6e 73 3a 77 73 73 65 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 34 30 31 2d 77 73 73 2d 77 73 73 65 63 75 72 69 74 79 2d 73 65 63 65 78 74 2d 31 Data Ascii: <?xml version="1.0" encoding="UTF-8"?><s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:ps="http://schemas.microsoft.com/Passport/SoapServices/PPCRL" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1
2024-09-04 11:12:51 UTC	568	IN	HTTP/1.1 200 OK Cache-Control: no-store, no-cache Pragma: no-cache Content-Type: application/soap+xml; charset=utf-8 Expires: Wed, 04 Sep 2024 11:11:51 GMT P3P: CP="DSP CUR OTPi IND OTRi ONL FIN" Referrer-Policy: strict-origin-when-cross-origin x-ms-route-info: C555_BAY x-ms-request-id: 0b69f370-c24d-4de0-8a5a-efece2336814 PPServer: PPV: 30 H: PH1PEPF00011D7B V: 0 X-Content-Type-Options: nosniff Strict-Transport-Security: max-age=31536000 X-XSS-Protection: 1; mode=block Date: Wed, 04 Sep 2024 11:12:50 GMT Connection: close Content-Length: 1918
2024-09-04 11:12:51 UTC	1918	IN	Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 20 3f 3e 3c 53 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 53 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 33 2f 30 35 2f 73 6f 61 70 2d 65 6e 76 65 6c 6f 70 65 22 20 78 6d 6c 6e 73 3a 77 73 73 65 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 34 30 31 2d 77 73 73 2d 77 73 73 65 63 75 72 69 74 79 2d 73 65 63 65 78 74 2d 31 2e 30 2e 78 73 64 22 20 78 6d 6c 6e 73 3a 77 73 75 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 Data Ascii: <?xml version="1.0" encoding="utf-8" ?><S:Envelope xmlns:S="http://www.w3.org/2003/05/soap-envelope" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200

Session ID	Source IP	Source Port	Destination IP	Destination Port
4	192.168.2.5	49717	20.190.159.73	443

Timestamp	Bytes transferred	Direction	Data
2024-09-04 11:12:54 UTC	422	OUT	POST /RST2.srf HTTP/1.0 Connection: Keep-Alive Content-Type: application/soap+xml Accept: / User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; Win64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; IDCRL 24.10.0.19045.0.0; IDCRL-cfg 16.000.29743.00; App svchost.exe, 10.0.19041.1806, {DF60E2DF-88AD-4526-AE21-83D130EF0F68}) Content-Length: 4775 Host: login.live.com
2024-09-04 11:12:54 UTC	4775	OUT	Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 33 2f 30 35 2f 73 6f 61 70 2d 65 6e 76 65 6c 6f 70 65 22 20 78 6d 6c 6e 73 3a 70 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 50 61 73 73 70 6f 72 74 2f 53 6f 61 70 53 65 72 76 69 63 65 73 2f 50 50 43 52 4c 22 20 78 6d 6c 6e 73 3a 77 73 73 65 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 34 30 31 2d 77 73 73 2d 77 73 73 65 63 75 72 69 74 79 2d 73 65 63 65 78 74 2d 31 Data Ascii: <?xml version="1.0" encoding="UTF-8"?><s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:ps="http://schemas.microsoft.com/Passport/SoapServices/PPCRL" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1
2024-09-04 11:12:54 UTC	569	IN	HTTP/1.1 200 OK Cache-Control: no-store, no-cache Pragma: no-cache Content-Type: application/soap+xml; charset=utf-8 Expires: Wed, 04 Sep 2024 11:11:54 GMT P3P: CP="DSP CUR OTPi IND OTRi ONL FIN" Referrer-Policy: strict-origin-when-cross-origin x-ms-route-info: C531_SN1 x-ms-request-id: fad70bfe-3c90-43a6-a4c4-c87a37c57968 PPServer: PPV: 30 H: SN1PEPF0002FA82 V: 0 X-Content-Type-Options: nosniff Strict-Transport-Security: max-age=31536000 X-XSS-Protection: 1; mode=block Date: Wed, 04 Sep 2024 11:12:53 GMT Connection: close Content-Length: 11409
2024-09-04 11:12:54 UTC	11409	IN	Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 20 3f 3e 3c 53 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 53 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 33 2f 30 35 2f 73 6f 61 70 2d 65 6e 76 65 6c 6f 70 65 22 20 78 6d 6c 6e 73 3a 77 73 73 65 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 34 30 31 2d 77 73 73 2d 77 73 73 65 63 75 72 69 74 79 2d 73 65 63 65 78 74 2d 31 2e 30 2e 78 73 64 22 20 78 6d 6c 6e 73 3a 77 73 75 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 Data Ascii: <?xml version="1.0" encoding="utf-8" ?><S:Envelope xmlns:S="http://www.w3.org/2003/05/soap-envelope" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200

Session ID	Source IP	Source Port	Destination IP	Destination Port
5	192.168.2.5	49718	20.190.159.73	443

Timestamp	Bytes transferred	Direction	Data
2024-09-04 11:12:56 UTC	422	OUT	POST /RST2.srf HTTP/1.0 Connection: Keep-Alive Content-Type: application/soap+xml Accept: / User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; Win64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; IDCRL 24.10.0.19045.0.0; IDCRL-cfg 16.000.29743.00; App svchost.exe, 10.0.19041.1806, {DF60E2DF-88AD-4526-AE21-83D130EF0F68}) Content-Length: 4775 Host: login.live.com
2024-09-04 11:12:56 UTC	4775	OUT	Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 33 2f 30 35 2f 73 6f 61 70 2d 65 6e 76 65 6c 6f 70 65 22 20 78 6d 6c 6e 73 3a 70 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 50 61 73 73 70 6f 72 74 2f 53 6f 61 70 53 65 72 76 69 63 65 73 2f 50 50 43 52 4c 22 20 78 6d 6c 6e 73 3a 77 73 73 65 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 34 30 31 2d 77 73 73 2d 77 73 73 65 63 75 72 69 74 79 2d 73 65 63 65 78 74 2d 31 Data Ascii: <?xml version="1.0" encoding="UTF-8"?><s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:ps="http://schemas.microsoft.com/Passport/SoapServices/PPCRL" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1
2024-09-04 11:12:56 UTC	569	IN	HTTP/1.1 200 OK Cache-Control: no-store, no-cache Pragma: no-cache Content-Type: application/soap+xml; charset=utf-8 Expires: Wed, 04 Sep 2024 11:11:56 GMT P3P: CP="DSP CUR OTPi IND OTRi ONL FIN" Referrer-Policy: strict-origin-when-cross-origin x-ms-route-info: C531_BAY x-ms-request-id: 6bbf41e0-0e0e-41b9-9ee3-17780f5c61a1 PPServer: PPV: 30 H: PH1PEPF00011DC7 V: 0 X-Content-Type-Options: nosniff Strict-Transport-Security: max-age=31536000 X-XSS-Protection: 1; mode=block Date: Wed, 04 Sep 2024 11:12:55 GMT Connection: close Content-Length: 11409
2024-09-04 11:12:56 UTC	11409	IN	Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 20 3f 3e 3c 53 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 53 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 33 2f 30 35 2f 73 6f 61 70 2d 65 6e 76 65 6c 6f 70 65 22 20 78 6d 6c 6e 73 3a 77 73 73 65 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 34 30 31 2d 77 73 73 2d 77 73 73 65 63 75 72 69 74 79 2d 73 65 63 65 78 74 2d 31 2e 30 2e 78 73 64 22 20 78 6d 6c 6e 73 3a 77 73 75 3d 22 68 74 74 70 3a 2f 2f 64 6f 63 73 2e 6f 61 73 69 73 2d 6f 70 65 6e 2e 6f 72 67 2f 77 73 73 2f 32 30 30 34 2f 30 31 2f 6f 61 73 69 73 2d 32 30 30 Data Ascii: <?xml version="1.0" encoding="utf-8" ?><S:Envelope xmlns:S="http://www.w3.org/2003/05/soap-envelope" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200

Session ID	Source IP	Source Port	Destination IP	Destination Port
6	192.168.2.5	49727	20.42.65.92	443

Timestamp	Bytes transferred	Direction	Data
2024-09-04 11:12:57 UTC	178	OUT	POST /Telemetry.Request HTTP/1.1 Connection: Keep-Alive User-Agent: MSDW MSA_DeviceTicket_Error: 0x80004004 Content-Length: 5110 Host: umwatson.events.data.microsoft.com

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49736	13.107.246.60	443	7352	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-04 11:12:59 UTC	711	OUT	GET /assets/domains_config_gz/2.8.76/asset?assetgroup=EntityExtractionDomainsConfig HTTP/1.1 Host: edgeassetservice.azureedge.net Connection: keep-alive Edge-Asset-Group: EntityExtractionDomainsConfig Sec-Mesh-Client-Edge-Version: 117.0.2045.47 Sec-Mesh-Client-Edge-Channel: stable Sec-Mesh-Client-OS: Windows Sec-Mesh-Client-OS-Version: 10.0.19045 Sec-Mesh-Client-Arch: x86_64 Sec-Mesh-Client-WebView: 0 Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47 Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
2024-09-04 11:12:59 UTC	555	IN	HTTP/1.1 200 OK Date: Wed, 04 Sep 2024 11:12:59 GMT Content-Type: application/octet-stream Content-Length: 70207 Connection: close Content-Encoding: gzip Last-Modified: Fri, 02 Aug 2024 18:10:35 GMT ETag: 0x8DCB31E67C22927 x-ms-request-id: 3afe9785-e01e-0066-3464-fbda5d000000 x-ms-version: 2009-09-19 x-ms-lease-status: unlocked x-ms-blob-type: BlockBlob x-azure-ref: 20240904T111259Z-16579567576p25xcxh3nycmsaw0000000ah000000000593c Cache-Control: public, max-age=604800 x-fd-int-roxy-purgeid: 0 X-Cache: TCP_HIT Accept-Ranges: bytes
2024-09-04 11:12:59 UTC	15829	IN	Data Raw: 1f 8b 08 08 1a 21 ad 66 02 ff 61 73 73 65 74 00 ec bd 0b 97 db 36 b2 30 f8 57 b2 b9 33 b3 dd 89 d5 d6 5b dd d9 cd fa f4 d3 f1 f8 39 6d 3b 19 db f1 d5 01 49 48 a2 45 91 0c 1f 6a ab c3 be bf 7d 0b 05 80 00 08 50 52 db ce 77 ef b7 67 67 9c 16 09 14 0a 40 a1 50 a8 2a 14 c0 3f bf f7 93 78 16 ce bf ff e9 bb 3f bf 2f 92 25 8d a7 51 b8 0a 0b 78 ef 8d bb dd 07 df 7d 9f 92 39 9d fa 65 91 cc 66 90 38 1c f4 59 62 40 67 a4 8c 8a 69 94 f8 24 a2 d3 15 49 11 81 c7 f0 c0 df 0e 3c 00 94 97 e3 6b de f1 08 7b a5 11 7b a5 51 67 9e e1 6b 8c af 71 a7 cc f1 15 81 69 de 59 7d c6 d7 02 5f 8b 0e a5 ec d5 c7 5c 3f ef f8 b7 ec 35 20 ec 35 20 9d 60 89 af 14 5f 69 27 40 e0 19 e6 ce 48 27 c4 8a 66 21 be 86 1d 78 60 af 19 be 66 9d 19 e6 2e b0 ec 82 76 c2 08 5f 31 77 91 75 16 3c b7 c4 d7 Data Ascii: !fasset60W3[9m;IHEj}PRwgg@P*?x?/%Qx}9ef8Yb@gi$I<k{{QgkqiY}_\?5 5 `_i'@H'f!x`f.v_1wu<
2024-09-04 11:12:59 UTC	16384	IN	Data Raw: c0 2a 8a c3 88 95 9c 7c 3e a9 79 09 d4 fa 9a 9f 30 4a 49 28 2b d7 97 ff 7a 7b f9 fa cd f4 c9 05 68 2b 37 9c c1 08 01 cb 2f 28 f3 02 34 de 08 0c a6 34 da 38 c6 ec 48 27 33 28 96 9f 45 d9 4f 9f 12 f7 54 d2 47 a6 39 87 08 81 e9 6d 4f c1 43 97 10 bf ad 59 55 67 39 13 fe 1e 05 67 65 16 87 6c 9b f5 cb 90 60 eb 3d ea 25 09 33 8b f9 4a fb 10 ef 11 3b 7c e8 61 60 14 a0 60 b9 7c 16 e7 69 54 b1 c3 22 c0 e0 29 df c2 05 4c 8f bc f0 67 5e 04 75 33 51 9a b7 e1 61 1a 61 48 f5 c3 30 f7 62 91 d5 a8 34 39 2a 97 ff 2d f5 aa c1 c2 6c 78 e0 35 33 d1 42 b3 75 c4 be 3b f4 d0 68 83 51 a7 81 2d a0 ff 0d 5d 10 62 ed 7f 55 a5 99 9f 25 2b 2f a4 4d 09 21 65 43 c7 04 cf 93 19 f3 c1 d0 b6 e9 14 38 59 31 29 8b 4d 52 3a c4 97 c1 d0 1d 5d d0 58 b3 51 22 09 e8 37 c0 b1 dc 86 43 a9 41 db b1 Data Ascii: \|>y0JI(+z{h+7/(448H'3(EOTG9mOCYUg9gel`=%3J;\|a``\|iT")Lg^u3QaaH0b49-lx53Bu;hQ-]bU%+/M!eC8Y1)MR:]XQ"7CA
2024-09-04 11:12:59 UTC	16384	IN	Data Raw: 15 b1 bc 1f 82 9a 8d 98 a7 af db 80 6b 74 e7 ab 7c e6 18 7d 9a 2b 3e 34 2d 1a e7 c0 d5 e8 b4 a0 0e d4 7d 19 bb 69 52 58 a2 33 32 78 db 4b 2d cd 54 dd d2 2b 9c a0 29 69 1a ba 4a ee 0a 4d 33 5a 7b a7 1a 83 5f f3 f7 fe 2c 2f 84 3b 39 d0 56 82 ef 75 a4 f3 69 57 af 58 09 8c 2a 1d 24 b9 4e 6b cf 63 d0 74 99 e3 02 0f 26 7f 1a 86 a9 a8 69 fa 5a d8 25 83 c1 ea f8 fd 12 62 16 86 38 17 5a 19 6f 13 03 00 e6 6a 07 a4 40 be bb 20 de a6 de bf d1 06 75 32 1f c3 4f 67 41 ad 31 bd b0 9c ee 44 47 33 2a 92 9c d3 f6 35 64 a9 b1 d3 f6 b1 c7 a7 b4 80 af ea c1 2a 6c dd 81 a0 0b 67 ca d2 b2 11 7c 8d dc 39 47 56 d1 bd 08 e8 ec 3e 4f c9 56 d6 7a d3 9a 56 4d 17 50 41 9b 17 9b 37 36 da 2e 7c a4 ba 63 f5 72 cd 6b 58 b5 9b 70 5a 19 73 3e 85 d2 c6 f8 80 22 71 cd f5 40 34 cd c4 ce 27 1e Data Ascii: kt\|}+>4-}iRX32xK-T+)iJM3Z{_,/;9VuiWX$Nkct&iZ%b8Zoj@ u2OgA1DG35d*lg\|9GV>OVzVMPA76.\|crkXpZs>"q@4'
2024-09-04 11:12:59 UTC	16384	IN	Data Raw: 43 54 c9 8d d7 76 7a 14 e4 6f 3b 80 f7 6a 61 e8 6f 47 e9 2d cb 60 84 66 2b c0 b9 77 09 1b c0 32 5c aa 6c 0e 25 81 ed a0 5e 61 25 37 6f 3c a5 bc 1f 04 1a dd b1 04 1d c9 73 16 3a 58 a8 69 4d 12 c1 5e e9 66 5f 14 6c e4 9e d4 61 25 e1 2f c3 fc b8 ed df 80 5d 2b 3a 5b 4c 56 c9 72 1f 59 1d 6a 72 0b d2 b0 4c 8e d5 67 db 16 79 41 90 65 4f 4b 68 63 f6 d1 e5 db b6 6a 18 e6 ca 5f 04 79 2e 71 69 5d 0e 19 cc d9 f6 58 27 58 af 1c 18 04 f1 98 d2 bf 15 1e 37 ce e0 1e 88 54 83 3c 82 f8 a8 05 5f b0 1b 3f 2f 02 8f 31 a4 e9 1d ed 45 e6 e4 85 e6 b9 66 4c fd cd 8d e4 58 f7 79 73 8b 47 40 25 b6 0d 7f 78 ff a8 fe e7 7d 69 4a fc 00 c7 b0 37 a9 44 f0 40 1e e8 bd 41 8a b4 0a 5d 5a 2c 0e 60 f7 fb 81 3b 35 42 38 50 3b bc 9c d4 76 22 35 66 3f 5d d9 fb 8e 7d 65 84 fb 4f 5b 04 9b a8 7d Data Ascii: CTvzo;jaoG-`f+w2\l%^a%7o<s:XiM^f_la%/]+:[LVrYjrLgyAeOKhcj_y.qi]X'X7T<_?/1EfLXysG@%x}iJ7D@A]Z,`;5B8P;v"5f?]}eO[}
2024-09-04 11:12:59 UTC	5226	IN	Data Raw: b1 61 ca d2 f5 ed 38 df 10 b9 60 88 4c 48 ac b1 cd 10 b5 8f 76 49 19 f2 b6 d5 54 1d d1 9c b1 20 7a d3 64 f7 91 a2 0c 4d 73 6d e0 da be ee e6 87 03 9f 5e f7 4f 98 9c 12 cd 88 68 4c 2e b1 48 00 60 c3 31 74 31 8d 87 b4 32 56 02 4f bf e1 a9 3b c0 40 d6 24 8e 10 55 c7 c3 e7 8c f3 78 28 78 d3 94 de b0 5a 4d 22 eb 28 5c 22 00 98 8e 15 1a f8 ab ac 54 f4 5d 80 d0 a5 aa 6e 87 83 fd d6 f1 b0 c0 82 f7 f4 5e ef 2f 2b b8 62 a2 13 a1 4d ae 60 cf 59 3c b1 b1 f4 40 4d 41 74 7c ac 2c 5a 9e ef f4 d2 81 6d 69 e1 d3 8b 73 2c 84 2c 06 37 fd 72 38 10 a5 b2 13 51 f1 a0 a2 06 7d 3f 89 8f 72 35 a0 58 a0 46 79 2f b7 1f cc 57 92 ec c8 b4 b5 f2 5c 65 e7 30 5a 93 e3 b1 8e 5f f5 91 44 87 44 19 1d 59 83 cf 54 85 de 92 34 2e 26 d2 d8 ca 80 2c 56 f9 34 27 86 21 28 e6 0e 92 0c 4e 75 b7 c0 Data Ascii: a8`LHvIT zdMsm^OhL.H`1t12VO;@$Ux(xZM"(\"T]n^/+bM`Y<@MAt\|,Zmis,,7r8Q}?r5XFy/W\e0Z_DDYT4.&,V4'!(Nu

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.5	49737	13.107.246.60	443	7352	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-04 11:12:59 UTC	486	OUT	GET /assets/arbitration_priority_list/4.0.5/asset?assetgroup=ArbitrationService HTTP/1.1 Host: edgeassetservice.azureedge.net Connection: keep-alive Edge-Asset-Group: ArbitrationService Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47 Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
2024-09-04 11:12:59 UTC	531	IN	HTTP/1.1 200 OK Date: Wed, 04 Sep 2024 11:12:59 GMT Content-Type: application/octet-stream Content-Length: 11989 Connection: close Last-Modified: Fri, 30 Aug 2024 17:05:10 GMT ETag: 0x8DCC915E7CD8385 x-ms-request-id: 1b6aa40f-801e-0039-70c1-fc28a3000000 x-ms-version: 2009-09-19 x-ms-lease-status: unlocked x-ms-blob-type: BlockBlob x-azure-ref: 20240904T111259Z-16579567576gnfmq2acf56mm700000000apg000000008gdq Cache-Control: public, max-age=604800 x-fd-int-roxy-purgeid: 0 X-Cache: TCP_HIT Accept-Ranges: bytes
2024-09-04 11:12:59 UTC	11989	IN	Data Raw: 7b 0d 0a 20 20 22 63 6f 6e 66 69 67 56 65 72 73 69 6f 6e 22 3a 20 33 32 2c 0d 0a 20 20 22 50 72 69 76 69 6c 65 67 65 64 45 78 70 65 72 69 65 6e 63 65 73 22 3a 20 5b 0d 0a 20 20 20 20 22 53 68 6f 72 65 6c 69 6e 65 50 72 69 76 69 6c 65 67 65 64 45 78 70 65 72 69 65 6e 63 65 49 44 22 2c 0d 0a 20 20 20 20 22 53 48 4f 50 50 49 4e 47 5f 41 55 54 4f 5f 53 48 4f 57 5f 43 4f 55 50 4f 4e 53 5f 43 48 45 43 4b 4f 55 54 22 2c 0d 0a 20 20 20 20 22 53 48 4f 50 50 49 4e 47 5f 41 55 54 4f 5f 53 48 4f 57 5f 4c 4f 57 45 52 5f 50 52 49 43 45 5f 46 4f 55 4e 44 22 2c 0d 0a 20 20 20 20 22 53 48 4f 50 50 49 4e 47 5f 41 55 54 4f 5f 53 48 4f 57 5f 42 49 4e 47 5f 53 45 41 52 43 48 22 2c 0d 0a 20 20 20 20 22 53 48 4f 50 50 49 4e 47 5f 41 55 54 4f 5f 53 48 4f 57 5f 52 45 42 41 54 45 Data Ascii: { "configVersion": 32, "PrivilegedExperiences": [ "ShorelinePrivilegedExperienceID", "SHOPPING_AUTO_SHOW_COUPONS_CHECKOUT", "SHOPPING_AUTO_SHOW_LOWER_PRICE_FOUND", "SHOPPING_AUTO_SHOW_BING_SEARCH", "SHOPPING_AUTO_SHOW_REBATE

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.5	49746	162.159.61.3	443	7352	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-04 11:13:00 UTC	245	OUT	POST /dns-query HTTP/1.1 Host: chrome.cloudflare-dns.com Connection: keep-alive Content-Length: 128 Accept: application/dns-message Accept-Language: * User-Agent: Chrome Accept-Encoding: identity Content-Type: application/dns-message
2024-09-04 11:13:00 UTC	128	OUT	Data Raw: 00 00 01 00 00 01 00 00 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 00 00 29 10 00 00 00 00 00 00 54 00 0c 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: wwwgstaticcom)TP
2024-09-04 11:13:01 UTC	247	IN	HTTP/1.1 200 OK Server: cloudflare Date: Wed, 04 Sep 2024 11:13:00 GMT Content-Type: application/dns-message Connection: close Access-Control-Allow-Origin: * Content-Length: 468 CF-RAY: 8bdd8c3d2a284346-EWR alt-svc: h3=":443"; ma=86400
2024-09-04 11:13:01 UTC	468	IN	Data Raw: 00 00 81 80 00 01 00 01 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 c0 0c 00 01 00 01 00 00 01 1a 00 04 8e fb 23 a3 00 00 29 04 d0 00 00 00 00 01 98 00 0c 01 94 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: wwwgstaticcom#)

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.5	49745	162.159.61.3	443	7352	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-04 11:13:00 UTC	245	OUT	POST /dns-query HTTP/1.1 Host: chrome.cloudflare-dns.com Connection: keep-alive Content-Length: 128 Accept: application/dns-message Accept-Language: * User-Agent: Chrome Accept-Encoding: identity Content-Type: application/dns-message
2024-09-04 11:13:00 UTC	128	OUT	Data Raw: 00 00 01 00 00 01 00 00 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 00 00 29 10 00 00 00 00 00 00 54 00 0c 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: wwwgstaticcom)TP
2024-09-04 11:13:01 UTC	247	IN	HTTP/1.1 200 OK Server: cloudflare Date: Wed, 04 Sep 2024 11:13:00 GMT Content-Type: application/dns-message Connection: close Access-Control-Allow-Origin: * Content-Length: 468 CF-RAY: 8bdd8c3d2b5543d3-EWR alt-svc: h3=":443"; ma=86400
2024-09-04 11:13:01 UTC	468	IN	Data Raw: 00 00 81 80 00 01 00 01 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 c0 0c 00 01 00 01 00 00 00 d3 00 04 8e fb 28 a3 00 00 29 04 d0 00 00 00 00 01 98 00 0c 01 94 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: wwwgstaticcom()

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.5	49744	172.64.41.3	443	7352	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-04 11:13:00 UTC	245	OUT	POST /dns-query HTTP/1.1 Host: chrome.cloudflare-dns.com Connection: keep-alive Content-Length: 128 Accept: application/dns-message Accept-Language: * User-Agent: Chrome Accept-Encoding: identity Content-Type: application/dns-message
2024-09-04 11:13:00 UTC	128	OUT	Data Raw: 00 00 01 00 00 01 00 00 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 00 00 29 10 00 00 00 00 00 00 54 00 0c 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: wwwgstaticcom)TP
2024-09-04 11:13:01 UTC	247	IN	HTTP/1.1 200 OK Server: cloudflare Date: Wed, 04 Sep 2024 11:13:00 GMT Content-Type: application/dns-message Connection: close Access-Control-Allow-Origin: * Content-Length: 468 CF-RAY: 8bdd8c3d2d6c183d-EWR alt-svc: h3=":443"; ma=86400
2024-09-04 11:13:01 UTC	468	IN	Data Raw: 00 00 81 80 00 01 00 01 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 c0 0c 00 01 00 01 00 00 01 10 00 04 8e fb 28 e3 00 00 29 04 d0 00 00 00 00 01 98 00 0c 01 94 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: wwwgstaticcom()

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.5	49747	172.64.41.3	443	7352	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-04 11:13:00 UTC	245	OUT	POST /dns-query HTTP/1.1 Host: chrome.cloudflare-dns.com Connection: keep-alive Content-Length: 128 Accept: application/dns-message Accept-Language: * User-Agent: Chrome Accept-Encoding: identity Content-Type: application/dns-message
2024-09-04 11:13:00 UTC	128	OUT	Data Raw: 00 00 01 00 00 01 00 00 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 00 00 29 10 00 00 00 00 00 00 54 00 0c 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: wwwgstaticcom)TP
2024-09-04 11:13:01 UTC	247	IN	HTTP/1.1 200 OK Server: cloudflare Date: Wed, 04 Sep 2024 11:13:00 GMT Content-Type: application/dns-message Connection: close Access-Control-Allow-Origin: * Content-Length: 468 CF-RAY: 8bdd8c3d3d4a5e82-EWR alt-svc: h3=":443"; ma=86400
2024-09-04 11:13:01 UTC	468	IN	Data Raw: 00 00 81 80 00 01 00 01 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 c0 0c 00 01 00 01 00 00 01 14 00 04 8e fb 29 03 00 00 29 04 d0 00 00 00 00 01 98 00 0c 01 94 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: wwwgstaticcom))

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.5	49748	172.64.41.3	443	7352	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-04 11:13:00 UTC	245	OUT	POST /dns-query HTTP/1.1 Host: chrome.cloudflare-dns.com Connection: keep-alive Content-Length: 128 Accept: application/dns-message Accept-Language: * User-Agent: Chrome Accept-Encoding: identity Content-Type: application/dns-message
2024-09-04 11:13:00 UTC	128	OUT	Data Raw: 00 00 01 00 00 01 00 00 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 00 00 29 10 00 00 00 00 00 00 54 00 0c 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: wwwgstaticcom)TP
2024-09-04 11:13:01 UTC	247	IN	HTTP/1.1 200 OK Server: cloudflare Date: Wed, 04 Sep 2024 11:13:01 GMT Content-Type: application/dns-message Connection: close Access-Control-Allow-Origin: * Content-Length: 468 CF-RAY: 8bdd8c3d7c9d422d-EWR alt-svc: h3=":443"; ma=86400
2024-09-04 11:13:01 UTC	468	IN	Data Raw: 00 00 81 80 00 01 00 01 00 00 00 01 03 77 77 77 07 67 73 74 61 74 69 63 03 63 6f 6d 00 00 01 00 01 c0 0c 00 01 00 01 00 00 01 1a 00 04 8e fb 20 63 00 00 29 04 d0 00 00 00 00 01 98 00 0c 01 94 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: wwwgstaticcom c)

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.5	49743	184.28.90.27	443

Timestamp	Bytes transferred	Direction	Data
2024-09-04 11:13:00 UTC	161	OUT	HEAD /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-09-04 11:13:01 UTC	467	IN	HTTP/1.1 200 OK Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (lpl/EF67) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-weu-z1 Cache-Control: public, max-age=192759 Date: Wed, 04 Sep 2024 11:13:01 GMT Connection: close X-CID: 2

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.5	49749	184.28.90.27	443

Timestamp	Bytes transferred	Direction	Data
2024-09-04 11:13:01 UTC	239	OUT	GET /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity If-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMT Range: bytes=0-2147483646 User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-09-04 11:13:02 UTC	515	IN	HTTP/1.1 200 OK ApiVersion: Distribute 1.1 Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (lpl/EF06) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-weu-z1 Cache-Control: public, max-age=192812 Date: Wed, 04 Sep 2024 11:13:02 GMT Content-Length: 55 Connection: close X-CID: 2
2024-09-04 11:13:02 UTC	55	IN	Data Raw: 7b 22 66 6f 6e 74 53 65 74 55 72 69 22 3a 22 66 6f 6e 74 73 65 74 2d 32 30 31 37 2d 30 34 2e 6a 73 6f 6e 22 2c 22 62 61 73 65 55 72 69 22 3a 22 66 6f 6e 74 73 22 7d Data Ascii: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.5	49753	142.251.40.110	443	7352	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-04 11:13:03 UTC	567	OUT	OPTIONS /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Accept: / Access-Control-Request-Method: POST Access-Control-Request-Headers: x-goog-authuser Origin: https://accounts.google.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47 Sec-Fetch-Mode: cors Sec-Fetch-Site: same-site Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.9
2024-09-04 11:13:03 UTC	520	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Max-Age: 86400 Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web,authorization,origin,x-goog-authuser Content-Type: text/plain; charset=UTF-8 Date: Wed, 04 Sep 2024 11:13:03 GMT Server: Playlog Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.5	49752	142.251.40.110	443	7352	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-04 11:13:03 UTC	567	OUT	OPTIONS /log?format=json&hasfast=true&authuser=0 HTTP/1.1 Host: play.google.com Connection: keep-alive Accept: / Access-Control-Request-Method: POST Access-Control-Request-Headers: x-goog-authuser Origin: https://accounts.google.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47 Sec-Fetch-Mode: cors Sec-Fetch-Site: same-site Sec-Fetch-Dest: empty Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.9
2024-09-04 11:13:03 UTC	520	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: https://accounts.google.com Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Max-Age: 86400 Access-Control-Allow-Credentials: true Access-Control-Allow-Headers: X-Playlog-Web,authorization,origin,x-goog-authuser Content-Type: text/plain; charset=UTF-8 Date: Wed, 04 Sep 2024 11:13:03 GMT Server: Playlog Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.5	49754	142.250.65.196	443	7352	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-04 11:13:03 UTC	887	OUT	GET /favicon.ico HTTP/1.1 Host: www.google.com Connection: keep-alive sec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47 sec-ch-ua-arch: "x86" sec-ch-ua-full-version: "117.0.2045.47" sec-ch-ua-platform-version: "10.0.0" sec-ch-ua-full-version-list: "Microsoft Edge";v="117.0.2045.47", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132" sec-ch-ua-bitness: "64" sec-ch-ua-model: "" sec-ch-ua-wow64: ?0 sec-ch-ua-platform: "Windows" Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 Sec-Fetch-Site: same-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Referer: https://accounts.google.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.9
2024-09-04 11:13:03 UTC	705	IN	HTTP/1.1 200 OK Accept-Ranges: bytes Cross-Origin-Resource-Policy: cross-origin Cross-Origin-Opener-Policy-Report-Only: same-origin; report-to="static-on-bigtable" Report-To: {"group":"static-on-bigtable","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/static-on-bigtable"}]} Content-Length: 5430 X-Content-Type-Options: nosniff Server: sffe X-XSS-Protection: 0 Date: Wed, 04 Sep 2024 10:23:09 GMT Expires: Thu, 12 Sep 2024 10:23:09 GMT Cache-Control: public, max-age=691200 Last-Modified: Tue, 22 Oct 2019 18:30:00 GMT Content-Type: image/x-icon Vary: Accept-Encoding Age: 2994 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-09-04 11:13:03 UTC	685	IN	Data Raw: 00 00 01 00 02 00 10 10 00 00 01 00 20 00 68 04 00 00 26 00 00 00 20 20 00 00 01 00 20 00 a8 10 00 00 8e 04 00 00 28 00 00 00 10 00 00 00 20 00 00 00 01 00 20 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff ff 30 fd fd fd 96 fd fd fd d8 fd fd fd f9 fd fd fd f9 fd fd fd d7 fd fd fd 94 fe fe fe 2e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 09 fd fd fd 99 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd 95 ff ff ff 08 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 09 fd fd fd c1 ff ff ff ff fa fd f9 ff b4 d9 a7 ff 76 ba 5d ff 58 ab 3a ff 58 aa 3a ff 72 b8 59 ff ac d5 9d ff f8 fb f6 ff ff Data Ascii: h& ( 0.v]X:X:rY
2024-09-04 11:13:03 UTC	1390	IN	Data Raw: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd d8 fd fd fd 99 ff ff ff ff 92 cf fb ff 37 52 ec ff 38 46 ea ff d0 d4 fa ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd 96 fe fe fe 32 ff ff ff ff f9 f9 fe ff 56 62 ed ff 35 43 ea ff 3b 49 eb ff 95 9c f4 ff cf d2 fa ff d1 d4 fa ff 96 9d f4 ff 52 5e ed ff e1 e3 fc ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 30 00 00 00 00 fd fd fd 9d ff ff ff ff e8 ea fd ff 58 63 ee ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 35 43 ea ff 6c 76 f0 ff ff ff ff ff ff ff ff ff fd fd fd 98 00 00 00 00 00 00 00 00 ff ff ff 0a fd fd fd c3 ff ff ff ff f9 f9 fe ff a5 ac f6 ff 5d 69 ee ff 3c 4a Data Ascii: 7R8F2Vb5C;IR^0Xc5C5C5C5C5C5Clv]i<J
2024-09-04 11:13:03 UTC	1390	IN	Data Raw: ff ff ff ff ff ff ff ff ff ff ff fd fd fd d0 ff ff ff 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fd fd fd 8b ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff b1 d8 a3 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 60 a5 35 ff ca 8e 3e ff f9 c1 9f ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd 87 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 25 fd fd fd fb ff ff ff ff ff ff ff ff ff ff ff ff c2 e0 b7 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 53 a8 34 ff 6e b6 54 ff 9f ce 8d ff b7 da aa ff b8 db ab ff a5 d2 95 ff 7b bc 64 ff 54 a8 35 ff 53 a8 34 ff 77 a0 37 ff e3 89 41 ff f4 85 42 ff f4 85 42 ff Data Ascii: S4S4S4S4S4S4S4S4S4S4S4S4S4S4`5>%S4S4S4S4S4S4nT{dT5S4w7ABB
2024-09-04 11:13:03 UTC	1390	IN	Data Raw: ff f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff f4 85 42 ff fb d5 bf ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd ea fd fd fd cb ff ff ff ff ff ff ff ff ff ff ff ff 46 cd fc ff 05 bc fb ff 05 bc fb ff 05 bc fb ff 21 ae f9 ff fb fb ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd c8 fd fd fd 9c ff ff ff ff ff ff ff ff ff ff ff ff 86 df fd ff 05 bc fb ff 05 bc fb ff 15 93 f5 ff 34 49 eb ff b3 b8 f7 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Data Ascii: BBBBBBF!4I
2024-09-04 11:13:03 UTC	575	IN	Data Raw: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd d2 fe fe fe 24 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff ff 0a fd fd fd 8d fd fd fd fc ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd fd fd fb fd fd fd 8b fe fe fe 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fe fe fe 27 fd fd fd 9f fd fd fd f7 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Data Ascii: $'

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.5	49757	20.12.23.50	443

Timestamp	Bytes transferred	Direction	Data
2024-09-04 11:13:10 UTC	306	OUT	GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=afZbmkM1trbov72&MD=fEzD+wNS HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-09-04 11:13:11 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "XAopazV00XDWnJCwkmEWRv6JkbjRA9QSSZ2+e/3MzEk=_2880" MS-CorrelationId: 5b69f983-a0c2-47e7-9c16-a21e0cf48b08 MS-RequestId: d6be6337-62da-4c73-98a3-518c4b1f7f7d MS-CV: wrKMRoZPikmxTeZu.0 X-Microsoft-SLSClientCache: 2880 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Wed, 04 Sep 2024 11:13:10 GMT Connection: close Content-Length: 24490
2024-09-04 11:13:11 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 92 1e 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 23 d0 00 00 14 00 00 00 00 00 10 00 92 1e 00 00 18 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 e6 42 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 78 cf 8d 5c 26 1e e6 42 43 4b ed 5c 07 54 13 db d6 4e a3 f7 2e d5 d0 3b 4c 42 af 4a 57 10 e9 20 bd 77 21 94 80 88 08 24 2a 02 02 d2 55 10 a4 a8 88 97 22 8a 0a d2 11 04 95 ae d2 8b 20 28 0a 88 20 45 05 f4 9f 80 05 bd ed dd f7 ff 77 dd f7 bf 65 d6 4a 66 ce 99 33 67 4e d9 7b 7f fb db 7b 56 f4 4d 34 b4 21 e0 a7 03 0a d9 fc 68 6e 1d 20 70 28 14 02 85 20 20 ad 61 10 08 e3 66 0d ed 66 9b 1d 6a 90 af 1f 17 f0 4b 68 35 01 83 6c fb 44 42 5c 7d 83 3d 03 30 be 3e ae be 58 Data Ascii: MSCFD#AdBenvironment.cabx\&BCK\TN.;LBJW w!$*U" ( EweJf3gN{{VM4!hn p( affjKh5lDB\}=0>X
2024-09-04 11:13:11 UTC	8666	IN	Data Raw: 04 01 31 2f 30 2d 30 0a 02 05 00 e1 2b 8a 50 02 01 00 30 0a 02 01 00 02 02 12 fe 02 01 ff 30 07 02 01 00 02 02 11 e6 30 0a 02 05 00 e1 2c db d0 02 01 00 30 36 06 0a 2b 06 01 04 01 84 59 0a 04 02 31 28 30 26 30 0c 06 0a 2b 06 01 04 01 84 59 0a 03 02 a0 0a 30 08 02 01 00 02 03 07 a1 20 a1 0a 30 08 02 01 00 02 03 01 86 a0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 03 81 81 00 0c d9 08 df 48 94 57 65 3e ad e7 f2 17 9c 1f ca 3d 4d 6c cd 51 e1 ed 9c 17 a5 52 35 0f fd de 4b bd 22 92 c5 69 e5 d7 9f 29 23 72 40 7a ca 55 9d 8d 11 ad d5 54 00 bb 53 b4 87 7b 72 84 da 2d f6 e3 2c 4f 7e ba 1a 58 88 6e d6 b9 6d 16 ae 85 5b b5 c2 81 a8 e0 ee 0a 9c 60 51 3a 7b e4 61 f8 c3 e4 38 bd 7d 28 17 d6 79 f0 c8 58 c6 ef 1f f7 88 65 b1 ea 0a c0 df f7 ee 5c 23 c2 27 fd 98 63 08 31 Data Ascii: 1/0-0+P000,06+Y1(0&0+Y0 00*HHWe>=MlQR5K"i)#r@zUTS{r-,O~Xnm[`Q:{a8}(yXe\#'c1

Session ID	Source IP	Source Port	Destination IP	Destination Port
20	192.168.2.5	49759	23.1.237.91	443

Timestamp	Bytes transferred	Direction	Data
2024-09-04 11:13:14 UTC	2148	OUT	POST /threshold/xls.aspx HTTP/1.1 Origin: https://www.bing.com Referer: https://www.bing.com/AS/API/WindowsCortanaPane/V2/Init Accept: / Accept-Language: en-CH Content-type: text/xml X-Agent-DeviceId: 01000A410900D492 X-BM-CBT: 1696428841 X-BM-DateFormat: dd/MM/yyyy X-BM-DeviceDimensions: 784x984 X-BM-DeviceDimensionsLogical: 784x984 X-BM-DeviceScale: 100 X-BM-DTZ: 120 X-BM-Market: CH X-BM-Theme: 000000;0078d7 X-BM-WindowsFlights: FX:117B9872,FX:119E26AD,FX:11C0E96C,FX:11C6E5C2,FX:11C7EB6A,FX:11C9408A,FX:11C940DB,FX:11CB9A9F,FX:11CB9AC1,FX:11CC111C,FX:11D5BFCD,FX:11DF5B12,FX:11DF5B75,FX:1240931B,FX:124B38D0,FX:127FC878,FX:1283FFE8,FX:12840617,FX:128979F9,FX:128EBD7E,FX:129135BB,FX:129E053F,FX:12A74DB5,FX:12AB734D,FX:12B8450E,FX:12BD6E73,FX:12C3331B,FX:12C7D66E X-Device-ClientSession: DB0AFB19004F47BC80E5208C7478FF22 X-Device-isOptin: false X-Device-MachineId: {92C86F7C-DB2B-4F6A-95AD-98B4A2AE008A} X-Device-OSSKU: 48 X-Device-Touch: false X-DeviceID: 01000A410900D492 X-MSEdge-ExternalExp: d-thshld39,d-thshld42,d-thshld77,d-thshld78,staticsh X-MSEdge-ExternalExpType: JointCoord X-PositionerType: Desktop X-Search-AppId: Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUI X-Search-CortanaAvailableCapabilities: None X-Search-SafeSearch: Moderate X-Search-TimeZone: Bias=-60; DaylightBias=-60; TimeZoneKeyName=W. Europe Standard Time X-UserAgeClass: Unknown Accept-Encoding: gzip, deflate, br User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Cortana 1.14.7.19041; 10.0.0.0.19045.2006) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045 Host: www.bing.com Content-Length: 2484 Connection: Keep-Alive Cache-Control: no-cache Cookie: MUID=2F4E96DB8B7049E59AD4484C3C00F7CF; _SS=SID=1A6DEABB468B65843EB5F91B47916435&CPID=1725448359792&AC=1&CPH=d1a4eb75; _EDGE_S=SID=1A6DEABB468B65843EB5F91B47916435; SRCHUID=V=2&GUID=3D32B8AC657C4AD781A584E283227995&dmnchg=1; SRCHD=AF=NOFORM; SRCHUSR=DOB=20231004; SRCHHPGUSR=SRCHLANG=en&IPMH=986d886c&IPMID=1696428841029&HV=1696428756; CortanaAppUID=5A290E2CC4B523E2D8B5E2E3E4CB7CB7; MUIDB=2F4E96DB8B7049E59AD4484C3C00F7CF
2024-09-04 11:13:14 UTC	1	OUT	Data Raw: 3c Data Ascii: <
2024-09-04 11:13:14 UTC	2483	OUT	Data Raw: 43 6c 69 65 6e 74 49 6e 73 74 52 65 71 75 65 73 74 3e 3c 43 49 44 3e 33 36 34 34 46 44 37 34 44 46 31 36 36 31 38 46 30 38 46 37 45 43 30 33 44 45 35 35 36 30 30 31 3c 2f 43 49 44 3e 3c 45 76 65 6e 74 73 3e 3c 45 3e 3c 54 3e 45 76 65 6e 74 2e 43 6c 69 65 6e 74 49 6e 73 74 3c 2f 54 3e 3c 49 47 3e 37 35 32 32 38 31 35 36 37 30 33 41 34 30 44 35 42 39 37 45 35 41 36 38 33 36 46 32 41 31 43 45 3c 2f 49 47 3e 3c 44 3e 3c 21 5b 43 44 41 54 41 5b 7b 22 43 75 72 55 72 6c 22 3a 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 62 69 6e 67 2e 63 6f 6d 2f 41 53 2f 41 50 49 2f 57 69 6e 64 6f 77 73 43 6f 72 74 61 6e 61 50 61 6e 65 2f 56 32 2f 49 6e 69 74 22 2c 22 50 69 76 6f 74 22 3a 22 51 46 22 2c 22 54 22 3a 22 43 49 2e 42 6f 78 4d 6f 64 65 6c 22 2c 22 46 49 44 22 3a 22 43 49 Data Ascii: ClientInstRequest><CID>3644FD74DF16618F08F7EC03DE556001</CID><Events><E><T>Event.ClientInst</T><IG>75228156703A40D5B97E5A6836F2A1CE</IG><D><![CDATA[{"CurUrl":"https://www.bing.com/AS/API/WindowsCortanaPane/V2/Init","Pivot":"QF","T":"CI.BoxModel","FID":"CI
2024-09-04 11:13:14 UTC	480	IN	HTTP/1.1 204 No Content Access-Control-Allow-Origin: * Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version X-MSEdge-Ref: Ref A: 164AABC21D0F4614A6A8FCAB47B6D741 Ref B: LAX311000111031 Ref C: 2024-09-04T11:13:14Z Date: Wed, 04 Sep 2024 11:13:14 GMT Connection: close Alt-Svc: h3=":443"; ma=93600 X-CDN-TraceID: 0.5fed0117.1725448394.44d9dace

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.5	49760	20.12.23.50	443

Timestamp	Bytes transferred	Direction	Data
2024-09-04 11:13:48 UTC	306	OUT	GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=afZbmkM1trbov72&MD=fEzD+wNS HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-09-04 11:13:48 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "vic+p1MiJJ+/WMnK08jaWnCBGDfvkGRzPk9f8ZadQHg=_1440" MS-CorrelationId: 0e03bdcb-acb8-446f-9835-959820b09e34 MS-RequestId: f407fd5d-8968-46a0-a7ea-b0b02e0f5430 MS-CV: E0IkY34/OUmti8uA.0 X-Microsoft-SLSClientCache: 1440 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Wed, 04 Sep 2024 11:13:47 GMT Connection: close Content-Length: 30005
2024-09-04 11:13:48 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 8d 2b 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 5b 49 00 00 14 00 00 00 00 00 10 00 8d 2b 00 00 a8 49 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 72 4d 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 fe f6 51 be 21 2b 72 4d 43 4b ed 7c 05 58 54 eb da f6 14 43 49 37 0a 02 d2 b9 86 0e 41 52 a4 1b 24 a5 bb 43 24 44 18 94 90 92 52 41 3a 05 09 95 ee 54 b0 00 91 2e e9 12 10 04 11 c9 6f 10 b7 a2 67 9f bd cf 3e ff b7 ff b3 bf 73 ed e1 9a 99 f5 c6 7a d7 bb de f5 3e cf fd 3c f7 dc 17 4a 1a 52 e7 41 a8 97 1e 14 f4 e5 25 7d f4 05 82 82 c1 20 30 08 06 ba c3 05 02 11 7f a9 c1 ff d2 87 5c 1e f4 ed 65 8e 7a 1f f6 0a 40 03 1d 7b f9 83 2c 1c 2f db b8 3a 39 3a 58 38 ba 73 5e Data Ascii: MSCF+D[I+IdrMenvironment.cabQ!+rMCK\|XTCI7AR$C$DRA:T.og>sz><JRA%} 0\ez@{,/:9:X8s^
2024-09-04 11:13:48 UTC	14181	IN	Data Raw: 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 26 30 24 06 03 55 04 03 13 1d 4d 69 63 72 6f 73 6f 66 74 20 54 69 6d 65 2d 53 74 61 6d 70 20 50 43 41 20 32 30 31 30 30 1e 17 0d 32 33 31 30 31 32 31 39 30 37 32 35 5a 17 0d 32 35 30 31 31 30 31 39 30 37 32 35 5a 30 81 d2 31 0b 30 09 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 2d 30 2b 06 03 55 04 0b 13 24 4d 69 63 72 6f Data Ascii: UUS10UWashington10URedmond10UMicrosoft Corporation1&0$UMicrosoft Time-Stamp PCA 20100231012190725Z250110190725Z010UUS10UWashington10URedmond10UMicrosoft Corporation1-0+U$Micro

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.5	49766	23.200.0.42	443	7352	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-04 11:13:58 UTC	442	OUT	OPTIONS /api/report?cat=bingbusiness HTTP/1.1 Host: bzib.nelreports.net Connection: keep-alive Origin: https://business.bing.com Access-Control-Request-Method: POST Access-Control-Request-Headers: content-type User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47 Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
2024-09-04 11:13:58 UTC	378	IN	HTTP/1.1 503 Service Unavailable Content-Length: 326 Content-Type: text/html; charset=us-ascii Date: Wed, 04 Sep 2024 11:13:58 GMT Connection: close PMUSER_FORMAT_QS: X-CDN-TraceId: 0.2aac2d17.1725448438.bd4d3d9 Access-Control-Allow-Credentials: false Access-Control-Allow-Methods: * Access-Control-Allow-Methods: GET, OPTIONS, POST Access-Control-Allow-Origin: *
2024-09-04 11:13:58 UTC	326	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 53 65 72 76 69 63 65 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 53 65 72 76 69 63 65 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 2f 68 32 3e 0d 0a 3c Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Service Unavailable</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Service Unavailable</h2><

Target ID:	0
Start time:	07:12:51
Start date:	04/09/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x140000
File size:	917'504 bytes
MD5 hash:	7497F8786C80212A680B035B87405C7E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	1
Start time:	07:12:51
Start date:	04/09/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
Imagebase:	0x7ff6c1cf0000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	07:12:52
Start date:	04/09/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2152 --field-trial-handle=2108,i,5888293748213067249,16022808129124843531,262144 --disable-features=TranslateUI /prefetch:3
Imagebase:	0x7ff6c1cf0000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	07:12:52
Start date:	04/09/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk --edge-kiosk-type=fullscreen --no-first-run --disable-features=TranslateUI --disable-popup-blocking --disable-extensions --no-default-browser-check --app=https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate
Imagebase:	0x7ff6c1cf0000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	07:12:53
Start date:	04/09/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=3144 --field-trial-handle=2908,i,17488071377627107958,1550055064269729580,262144 --disable-features=TranslateUI /prefetch:3
Imagebase:	0x7ff6c1cf0000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	07:12:57
Start date:	04/09/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=5960 --field-trial-handle=2908,i,17488071377627107958,1550055064269729580,262144 --disable-features=TranslateUI /prefetch:8
Imagebase:	0x7ff6c1cf0000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	07:12:57
Start date:	04/09/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=7712 --field-trial-handle=2908,i,17488071377627107958,1550055064269729580,262144 --disable-features=TranslateUI /prefetch:8
Imagebase:	0x7ff6c1cf0000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	07:13:11
Start date:	04/09/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start /prefetch:5
Imagebase:	0x7ff6c1cf0000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	07:13:12
Start date:	04/09/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2796 --field-trial-handle=2688,i,5125173307123777852,16502443808865598765,262144 /prefetch:3
Imagebase:	0x7ff6c1cf0000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	07:13:12
Start date:	04/09/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=2788 --field-trial-handle=2688,i,5125173307123777852,16502443808865598765,262144 /prefetch:8
Imagebase:	0x7ff6c1cf0000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	07:13:19
Start date:	04/09/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start /prefetch:5
Imagebase:	0x7ff6c1cf0000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	07:13:19
Start date:	04/09/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=3244 --field-trial-handle=2076,i,8293865724591621169,13876514649448464305,262144 /prefetch:3
Imagebase:	0x7ff6c1cf0000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	07:13:19
Start date:	04/09/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=1460 --field-trial-handle=2076,i,8293865724591621169,13876514649448464305,262144 /prefetch:8
Imagebase:	0x7ff6c1cf0000
File size:	4'210'216 bytes
MD5 hash:	69222B8101B0601CC6663F8381E7E00F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	1.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	5.1%
Total number of Nodes:	1399
Total number of Limit Nodes:	32

Executed Functions

Function 001442DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 0014430D

Part of subcall function 00146B57: _wcslen.LIBCMT ref: 00146B6A

GetCurrentProcess.KERNEL32(?,001DCB64,00000000,?,?), ref: 00144422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00144429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00144454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00144466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00144474
FreeLibrary.KERNEL32(00000000,?,?), ref: 0014447B
GetSystemInfo.KERNEL32(?,?,?), ref: 001444A0

Strings

GetNativeSystemInfo, xrefs: 00144460
|O, xrefs: 001836F8
kernel32.dll, xrefs: 0014444F

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: b1ad9c8795d6014eb96b83267237341a534f071edab4a02c9d9efb826878949f
Instruction ID: 74a03edb0a0015d1920fcd8189615d1a0b2f188872c7bce5a95707bfeeba449e
Opcode Fuzzy Hash: b1ad9c8795d6014eb96b83267237341a534f071edab4a02c9d9efb826878949f
Instruction Fuzzy Hash: 0BA1D46190A2D4CFCB15D7687C4C3D97FA46B36700B1CC8DAE27193A79DB3146A4CB61

Function 001442A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,001450AA,?,?,00000000,00000000), ref: 001442B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,001450AA,?,?,00000000,00000000), ref: 001442C9
LoadResource.KERNEL32(?,00000000,?,?,001450AA,?,?,00000000,00000000,?,?,?,?,?,?,00144F20), ref: 001835BE
SizeofResource.KERNEL32(?,00000000,?,?,001450AA,?,?,00000000,00000000,?,?,?,?,?,?,00144F20), ref: 001835D3
LockResource.KERNEL32(001450AA,?,?,001450AA,?,?,00000000,00000000,?,?,?,?,?,?,00144F20,?), ref: 001835E6

Strings

SCRIPT, xrefs: 001442BF

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: f0ec60015a511fb7322c291f0113e54b8e48c2face4de46b32436dacd25ed868
Instruction ID: b830b4bb7428af1d13fb697ab4139691a0ca3471ae15e9ebb2317921b9a543d8
Opcode Fuzzy Hash: f0ec60015a511fb7322c291f0113e54b8e48c2face4de46b32436dacd25ed868
Instruction Fuzzy Hash: A1118EB0202701BFDB218BA5EC48F677BB9EBC5B51F14456EF442D66A0DBB1DC41CA60

Function 00182BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00142B6B

Part of subcall function 00143A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00211418,?,00142E7F,?,?,?,00000000), ref: 00143A78

Part of subcall function 00149CB3: _wcslen.LIBCMT ref: 00149CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,00202224), ref: 00182C10
ShellExecuteW.SHELL32(00000000,?,?,00202224), ref: 00182C17

Strings

runas, xrefs: 00182C0B

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: a9d8b6c893ef205adf515b4424bf9a48d6528dfba9d6555dd5417485d8fc9910
Instruction ID: c5f9640444f3808b05de9fbc0ddf77db07d28595759662aa469e6f1400564307
Opcode Fuzzy Hash: a9d8b6c893ef205adf515b4424bf9a48d6528dfba9d6555dd5417485d8fc9910
Instruction Fuzzy Hash: 42110331209306AAC704FF60E8559AEB7A4AFB1700F84042DF196130B3CF318A99C752

Function 001ADBBE Relevance: 6.0, APIs: 4, Instructions: 29
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(?,00185222), ref: 001ADBCE
GetFileAttributesW.KERNELBASE(?), ref: 001ADBDD
FindFirstFileW.KERNEL32(?,?), ref: 001ADBEE
FindClose.KERNEL32(00000000), ref: 001ADBFA

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: ae002422ecffec8c64097ae954572e9abd3a19118f75b27373efa784f302b656
Instruction ID: 7e36bb20015d51904a3908a75ac94ac23edfad18cfab676dfb3c8092ea877029
Opcode Fuzzy Hash: ae002422ecffec8c64097ae954572e9abd3a19118f75b27373efa784f302b656
Instruction Fuzzy Hash: 61F0A0308129215782206B78EC0D8AA376D9F03334B904B1BF876C28E0EBB45D94C6D5

Function 001CAFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 001CB198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 001CB1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 001CB1D4
_wcslen.LIBCMT ref: 001CB200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 001CB214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 001CB236
_wcslen.LIBCMT ref: 001CB332

Part of subcall function 001B05A7: GetStdHandle.KERNEL32(000000F6), ref: 001B05C6

_wcslen.LIBCMT ref: 001CB34B
_wcslen.LIBCMT ref: 001CB366
CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 001CB3B6
GetLastError.KERNEL32(00000000), ref: 001CB407
CloseHandle.KERNEL32(?), ref: 001CB439
CloseHandle.KERNEL32(00000000), ref: 001CB44A
CloseHandle.KERNEL32(00000000), ref: 001CB45C
CloseHandle.KERNEL32(00000000), ref: 001CB46E
CloseHandle.KERNEL32(?), ref: 001CB4E3

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: bb3edbe42d7a9814431bc4a3c4464b202d4601c0861e5b7487956992b89473e7
Instruction ID: c45250d5be4f05b8bb22d0bc195ca18d51145d7a9950b1d6026a047552e87b21
Opcode Fuzzy Hash: bb3edbe42d7a9814431bc4a3c4464b202d4601c0861e5b7487956992b89473e7
Instruction Fuzzy Hash: 50F17B315083409FD714EF24C892B6EBBE5BFA5314F14895DF8999B2A2CB31EC45CB92

Function 0014D730 Relevance: 21.6, APIs: 14, Instructions: 631windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 0014D807
timeGetTime.WINMM ref: 0014DA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0014DB28
TranslateMessage.USER32(?), ref: 0014DB7B
DispatchMessageW.USER32(?), ref: 0014DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0014DB9F
Sleep.KERNELBASE(0000000A), ref: 0014DBB1

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: 03f17f11b4aaaa4c02870357279c25a02534d9222682913a3b9954f585ec3c6f
Instruction ID: 35bd73503aba653dad6c34fdd03a75bdd7385fba166a76968859282d0e8c44d5
Opcode Fuzzy Hash: 03f17f11b4aaaa4c02870357279c25a02534d9222682913a3b9954f585ec3c6f
Instruction Fuzzy Hash: 3342D130604342EFEF28CF24D889BAAB7E1FF56314F55855DE466872A1D770E884CB92

Function 00142CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00142D07
RegisterClassExW.USER32(00000030), ref: 00142D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00142D42
InitCommonControlsEx.COMCTL32(?), ref: 00142D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00142D6F
LoadIconW.USER32(000000A9), ref: 00142D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00142D94

Strings

0, xrefs: 00142CE9
+, xrefs: 00142CF0
TaskbarCreated, xrefs: 00142D37
AutoIt v3 GUI, xrefs: 00142D23

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 071ca7cb5caddd635e1fefcd16f41e9d7bff53223f9d201984eaa0498af64087
Instruction ID: be970012decfd0d3f55c93d3912a25682f92e352ad7c97aeb0c961ddd479c093
Opcode Fuzzy Hash: 071ca7cb5caddd635e1fefcd16f41e9d7bff53223f9d201984eaa0498af64087
Instruction Fuzzy Hash: B121C7B5902319EFDB00DFA4ED49BDDBBB8FB08705F00851AF621A62A0DBB54554CF91

Function 0018065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0018039A: CreateFileW.KERNELBASE(00000000,00000000,?,00180704,?,?,00000000,?,00180704,00000000,0000000C), ref: 001803B7

GetLastError.KERNEL32 ref: 0018076F
__dosmaperr.LIBCMT ref: 00180776
GetFileType.KERNELBASE(00000000), ref: 00180782
GetLastError.KERNEL32 ref: 0018078C
__dosmaperr.LIBCMT ref: 00180795
CloseHandle.KERNEL32(00000000), ref: 001807B5
CloseHandle.KERNEL32(?), ref: 001808FF
GetLastError.KERNEL32 ref: 00180931
__dosmaperr.LIBCMT ref: 00180938

Strings

H, xrefs: 001808BD

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 06d4e71afce8f837d2a4df43e05c23aa22d688b847b9fcf38d785f3fd1f81467
Instruction ID: 6174ac79a36075fd76cff8b962cc09c35afabc9019e42a57b06dcf0f9f581ddb
Opcode Fuzzy Hash: 06d4e71afce8f837d2a4df43e05c23aa22d688b847b9fcf38d785f3fd1f81467
Instruction Fuzzy Hash: 12A12932A001089FDF1AAF68DC967AD7BA0AB1A320F24415DF8159B3D1DB319E57CF91

Function 0014344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00143A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00211418,?,00142E7F,?,?,?,00000000), ref: 00143A78

Part of subcall function 00143357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00143379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 0014356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0018318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 001831CE
RegCloseKey.ADVAPI32(?), ref: 00183210
_wcslen.LIBCMT ref: 00183277
_wcslen.LIBCMT ref: 00183286

Strings

\, xrefs: 0018328C
Include, xrefs: 00183184, 001831C5
Software\AutoIt v3\AutoIt, xrefs: 00143560
\Include\, xrefs: 00143527

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: 12a5a4ebefdc4b778ad1c3dccb709afabd061a5e9b00bf6d7e62de6b768ba139
Instruction ID: 95e938aeb7315032f519daae46a82d76581e84b55849a23ad47db056ba58c2be
Opcode Fuzzy Hash: 12a5a4ebefdc4b778ad1c3dccb709afabd061a5e9b00bf6d7e62de6b768ba139
Instruction Fuzzy Hash: D0719D71405305DEC314EF29EC869ABBBE8FFA4740F40482EF565971B1EB309A58CB92

Function 00142B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00142B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00142B9D
LoadIconW.USER32(00000063), ref: 00142BB3
LoadIconW.USER32(000000A4), ref: 00142BC5
LoadIconW.USER32(000000A2), ref: 00142BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00142BEF
RegisterClassExW.USER32(?), ref: 00142C40

Part of subcall function 00142CD4: GetSysColorBrush.USER32(0000000F), ref: 00142D07
Part of subcall function 00142CD4: RegisterClassExW.USER32(00000030), ref: 00142D31
Part of subcall function 00142CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00142D42
Part of subcall function 00142CD4: InitCommonControlsEx.COMCTL32(?), ref: 00142D5F
Part of subcall function 00142CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00142D6F
Part of subcall function 00142CD4: LoadIconW.USER32(000000A9), ref: 00142D85
Part of subcall function 00142CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00142D94

Strings

AutoIt v3, xrefs: 00142C2F
#, xrefs: 00142C16
0, xrefs: 00142C0F

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 3e0c959d06d48fb1c3eb13acd035ed84af3a04a5421d3c9e0e98e97b26a9fea6
Instruction ID: 9757f2bc64a2c0886aab0693405d45996ca3f8e2b0c6523b546fb2b9e128e33a
Opcode Fuzzy Hash: 3e0c959d06d48fb1c3eb13acd035ed84af3a04a5421d3c9e0e98e97b26a9fea6
Instruction Fuzzy Hash: 4C214C70E02314ABDB109FA5FC59AD9BFB4FB18B50F10849AF620A66A4DBB10560CF90

Function 0014B710 Relevance: 16.3, APIs: 1, Strings: 8, Instructions: 587COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0014BB4E

Strings

p%!, xrefs: 0014B8DC
p#!, xrefs: 0014BB6B
p%!, xrefs: 0014BB32
x#!, xrefs: 00190168
x#!, xrefs: 00190207
p#!, xrefs: 00190263
p#!, xrefs: 0019024F
p#!, xrefs: 0014BA72

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: p#!$p#!$p#!$p#!$p%!$p%!$x#!$x#!
API String ID: 1385522511-4272460735
Opcode ID: 2a0ad5ab44293946f24c71f573e59bda8cd6566f0e32a61367afc294a0b3dcbe
Instruction ID: 2165d5ba08758ea8bcba404a260d04c91d206bac00c391c2145a126ee32fe529
Opcode Fuzzy Hash: 2a0ad5ab44293946f24c71f573e59bda8cd6566f0e32a61367afc294a0b3dcbe
Instruction Fuzzy Hash: 4132CD70A08209DFCF29CF54C894ABEB7B9FF58304F158069E915AB261C774EE91CB91

Function 00143170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,0014316A,?,?), ref: 001431D8
KillTimer.USER32(?,00000001,?,?,?,?,?,0014316A,?,?), ref: 00143204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00143227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,0014316A,?,?), ref: 00143232
CreatePopupMenu.USER32 ref: 00143246
PostQuitMessage.USER32(00000000), ref: 00143267

Strings

TaskbarCreated, xrefs: 0014322D

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 7502735d5187cd7edca8a0092d7b962a93cb0104939b098e69282e13fdba4578
Instruction ID: 6ed78ae63e93be2787c63c8c024563292799a1b45960dbc48d9585dc9dae7703
Opcode Fuzzy Hash: 7502735d5187cd7edca8a0092d7b962a93cb0104939b098e69282e13fdba4578
Instruction Fuzzy Hash: E8414835210205ABDF192F78AC4DFF93B59E725700F044226FA32862B5DBB19F91DBA1

Function 00142C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00142C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00142CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00141CAD,?), ref: 00142CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00141CAD,?), ref: 00142CCF

Strings

edit, xrefs: 00142CAC
AutoIt v3, xrefs: 00142C89, 00142C8E, 00142C8F

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 98eb3e34cd1e58c0e890594f72b606a219bd82088c682b6b97e6d1aec551d998
Instruction ID: c702d8f6037fe6b1c26705cf1f54a44c921ae58f2df8a44c0fbae6b58c9d5625
Opcode Fuzzy Hash: 98eb3e34cd1e58c0e890594f72b606a219bd82088c682b6b97e6d1aec551d998
Instruction Fuzzy Hash: F3F0DA755412907AEB311717BC4CEB77EBDD7D6F50B0081AAFA10A26A4CA711860DAB0

Function 001AE97B Relevance: 7.5, APIs: 5, Instructions: 47
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 001AE997
QueryPerformanceFrequency.KERNEL32(?), ref: 001AE9A5
Sleep.KERNEL32(00000000), ref: 001AE9AD
QueryPerformanceCounter.KERNEL32(?), ref: 001AE9B7
Sleep.KERNELBASE ref: 001AE9F3

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: b32fc3f218b8e1b3138e89ae8873a42bcbb3fb547bc835d9c665b419d39f6e9b
Instruction ID: db1c8caa1e2102530ea7501b3dee6dddc860311284dbe74bec94bc30cec00fb1
Opcode Fuzzy Hash: b32fc3f218b8e1b3138e89ae8873a42bcbb3fb547bc835d9c665b419d39f6e9b
Instruction Fuzzy Hash: CA012D35C0262ADBCF04AFE5DC59AEEBBB8FF0A705F010556E502B2141CB309595CBA1

Function 00143B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00143B0F,SwapMouseButtons,00000004,?), ref: 00143B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00143B0F,SwapMouseButtons,00000004,?), ref: 00143B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00143B0F,SwapMouseButtons,00000004,?), ref: 00143B83

Strings

Control Panel\Mouse, xrefs: 00143B3E

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 022867eb696bea49f260880f4ca58205ecf9351c107aacc981200d662693c84f
Instruction ID: 05c8c34c3dd679a1e2d532110c64d2e34b23004a63b7025dffab3d925e26d23c
Opcode Fuzzy Hash: 022867eb696bea49f260880f4ca58205ecf9351c107aacc981200d662693c84f
Instruction Fuzzy Hash: 5A1127B5611208FFDB218FA5DC84AAEBBB8EF44744B10896AB815D7120E3319E449BA0

Function 00143923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 001833A2

Part of subcall function 00146B57: _wcslen.LIBCMT ref: 00146B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00143A04

Strings

Line: , xrefs: 001833EB

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: d93f9f9eb77077bb1c1289a5999ab156348554ab5b16575df6432f37ba318039
Instruction ID: 81110704e350a6b4b1baeef3ac90c5834fc29471585895165c33ad2552354d52
Opcode Fuzzy Hash: d93f9f9eb77077bb1c1289a5999ab156348554ab5b16575df6432f37ba318039
Instruction Fuzzy Hash: 0631D471408301AAD725EB20DC49BEBB7D8AF65714F10492AF5A9831E1DF709758C7C3

Function 00142DE3 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00182C8C

Part of subcall function 00143AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00143A97,?,?,00142E7F,?,?,?,00000000), ref: 00143AC2

Part of subcall function 00142DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00142DC4

Strings

X, xrefs: 00182C5A
`e , xrefs: 00182C85

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X$`e
API String ID: 779396738-2317500276
Opcode ID: 336dfa3ceb6bac2fd25ff9c912dda595ccffe57d0520d7dcbd20beab474e227b
Instruction ID: 9da59205d3814f4b84aa35fe828db8ea1ee6616943ff8b0c8a7dfe2fb11d8cc6
Opcode Fuzzy Hash: 336dfa3ceb6bac2fd25ff9c912dda595ccffe57d0520d7dcbd20beab474e227b
Instruction Fuzzy Hash: 7121A571A102589FCB01EF94C849BEE7BFCAF59314F008059F505B7291DBB45A99CFA1

Function 0015FDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00160668

Part of subcall function 001632A4: RaiseException.KERNEL32(?,?,?,0016068A,?,00211444,?,?,?,?,?,?,0016068A,00141129,00208738,00141129), ref: 00163304

__CxxThrowException@8.LIBVCRUNTIME ref: 00160685

Strings

Unknown exception, xrefs: 00160692

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 0f0e28f3ec19ea913aeb42599915ae6c6c8ad24037aadb371343cf1bb2085d42
Instruction ID: 2585f8eee538a08e19a4bd40b75c0c5592a7a4af6d6b1bc37809aded8bf6d051
Opcode Fuzzy Hash: 0f0e28f3ec19ea913aeb42599915ae6c6c8ad24037aadb371343cf1bb2085d42
Instruction Fuzzy Hash: FFF0C23490030DB7CB05BAA4DC46C9F7B7C5E14310B604539BD249A5D2EF71DA7AC581

Function 001410F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00141BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00141BF4
Part of subcall function 00141BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00141BFC
Part of subcall function 00141BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00141C07
Part of subcall function 00141BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00141C12
Part of subcall function 00141BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00141C1A
Part of subcall function 00141BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00141C22

Part of subcall function 00141B4A: RegisterWindowMessageW.USER32(00000004,?,001412C4), ref: 00141BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0014136A
OleInitialize.OLE32 ref: 00141388
CloseHandle.KERNEL32(00000000,00000000), ref: 001824AB

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: a059e15df7d8b3e45a1b5de2e2e65ce205378d908c5edacbbc385f43a88ae017
Instruction ID: 7918de0e5dee6fd50aa8001c640f892856d01649ae258b52ffa407ad9ccc3375
Opcode Fuzzy Hash: a059e15df7d8b3e45a1b5de2e2e65ce205378d908c5edacbbc385f43a88ae017
Instruction Fuzzy Hash: 1271CCB4912201AED788DF79B9496D57BE6FBB8344395C22AD20AC7371EF304461CF84

Function 001AC161 Relevance: 4.6, APIs: 3, Instructions: 74timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00143923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00143A04

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 001AC259
KillTimer.USER32(?,00000001,?,?), ref: 001AC261
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 001AC270

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: 3e970d3142886b2fc6772772f8741cc548f3b6a6c299686979377b8923dbf032
Instruction ID: 47acbcbf482960067926ee105ede80147e982f509bf72847f224b3f6030f19f9
Opcode Fuzzy Hash: 3e970d3142886b2fc6772772f8741cc548f3b6a6c299686979377b8923dbf032
Instruction Fuzzy Hash: 36319374905344AFEB229F748895BEBBBECAB17308F00449AD6DAA7241C7745A84CB91

Function 001786AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(00000000,00000000,?,?,001785CC,?,00208CC8,0000000C), ref: 00178704
GetLastError.KERNEL32(?,001785CC,?,00208CC8,0000000C), ref: 0017870E
__dosmaperr.LIBCMT ref: 00178739

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: ChangeCloseErrorFindLastNotification__dosmaperr
String ID:
API String ID: 490808831-0
Opcode ID: 4ec592fc25d98bbefa69ffd4faf057bd59d02dc65a4e8f4f3b891256e0737c7f
Instruction ID: 4bbf35634205e431151b91b1eb9d6a99bedba808aeaf31efbf71d60c225a6e22
Opcode Fuzzy Hash: 4ec592fc25d98bbefa69ffd4faf057bd59d02dc65a4e8f4f3b891256e0737c7f
Instruction Fuzzy Hash: C3010432E4562036D6286234A84EB6E677B5BA2774F39C119F81C8B1E2DFF09CC18190

Function 0014DB38 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 0014DB7B
DispatchMessageW.USER32(?), ref: 0014DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0014DB9F
Sleep.KERNELBASE(0000000A), ref: 0014DBB1
TranslateAcceleratorW.USER32(?,?,?), ref: 00191CC9

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: d45438a6b7af1f1a99c67d68272403ae039c34c30633fe1d2efe5f9342513114
Instruction ID: daa743885c038589f375939a22c5fdcf43a5ed3c9240040ceaebfc3de75be701
Opcode Fuzzy Hash: d45438a6b7af1f1a99c67d68272403ae039c34c30633fe1d2efe5f9342513114
Instruction Fuzzy Hash: A9F0FE316553429BEF34CBA09C49FEA73A8EF55311F104A19E65A874D0DB34A488CB55

Function 00151310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 001517F6

Strings

CALL, xrefs: 001517C6

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: 8444e9af3895f5b5a0ed34128abaf662b9255dc163de4935654f4d994f4b56ed
Instruction ID: d48d9ec6863c544d75128a64984a79e5ee85a17114b60794709e7c9a6a64b0b9
Opcode Fuzzy Hash: 8444e9af3895f5b5a0ed34128abaf662b9255dc163de4935654f4d994f4b56ed
Instruction Fuzzy Hash: D0229B70608201EFCB15DF14C480B2ABBF1BF99315F15891DF8AA8B3A1D771E949CB92

Function 00143837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00143908

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: aab16b3b30b57e62e47cb3bb349f9861b6bcf864598d8bf45c06c8c784d49e88
Instruction ID: 9411a5b253101be341d46321de6befe05518de3dd0355abdef6061c2b6f043d7
Opcode Fuzzy Hash: aab16b3b30b57e62e47cb3bb349f9861b6bcf864598d8bf45c06c8c784d49e88
Instruction Fuzzy Hash: 2031A2B05057019FD720DF24D8857D7FBE8FB59708F00096EFAA983250EB71AA54CB92

Function 0015F645 Relevance: 3.0, APIs: 2, Instructions: 29sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0015F661

Part of subcall function 0014D730: GetInputState.USER32 ref: 0014D807

Sleep.KERNEL32(00000000), ref: 0019F2DE

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: InputSleepStateTimetime
String ID:
API String ID: 4149333218-0
Opcode ID: 7d7e08aceba28a6a8c5b03babf6a891131da42ea9e835eaabed3d84dee4c0e87
Instruction ID: 801e4f8f7ddb1aedcc9ba7975321b5de6a7bb76d88c2b5a1fc99e80cb8e58d16
Opcode Fuzzy Hash: 7d7e08aceba28a6a8c5b03babf6a891131da42ea9e835eaabed3d84dee4c0e87
Instruction Fuzzy Hash: 10F08C31244205AFD714EF69E549BAAB7E8EF55761F00002AE85DCB2A0DB70A840CB90

Function 001D2598 Relevance: 1.6, APIs: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(?,000000FE,00000000,00000000,00000000,00000000,00000013,00000001,?), ref: 001D2649

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: 2cf5e3efc8b90e1fb6ea626f96504680e5be1215dc8891aea524966d45aad726
Instruction ID: a007dc91928d79a4cfe6f42fb2b8aab16ee84336080274cc86c62a50f8820183
Opcode Fuzzy Hash: 2cf5e3efc8b90e1fb6ea626f96504680e5be1215dc8891aea524966d45aad726
Instruction Fuzzy Hash: 3921D474204315AFD714DF28C8D0D76B79AEF65368B24816EE8668B3A2C771ED41CB90

Function 001D13B7 Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000001,?), ref: 001D1420

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: 09a4022656c4e2e16526f0974afbd042ecb72c7a90a04dcb882a6abf9dce67b0
Instruction ID: bdb01e20e1084859880a776b016469cf443baa7b379da6c53f5dbb0c6847269f
Opcode Fuzzy Hash: 09a4022656c4e2e16526f0974afbd042ecb72c7a90a04dcb882a6abf9dce67b0
Instruction Fuzzy Hash: 14317C70604602BFD754EF29C491B69B7A2FF55328F04826AE82A4B392DB75EC45CBD0

Function 00144ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00144E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00144EDD,?,00211418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00144E9C
Part of subcall function 00144E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00144EAE
Part of subcall function 00144E90: FreeLibrary.KERNEL32(00000000,?,?,00144EDD,?,00211418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00144EC0

LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,00211418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00144EFD

Part of subcall function 00144E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00183CDE,?,00211418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00144E62
Part of subcall function 00144E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00144E74
Part of subcall function 00144E59: FreeLibrary.KERNEL32(00000000,?,?,00183CDE,?,00211418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00144E87

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: 2078805050c0e78f77aaf7426b0e072f1bfa5ee583f24d5ce6aaf659a201d639
Instruction ID: a4aa1862ad92137c0a85e13f3992fee2b44a760dede1f04af7f7d0f325fea66c
Opcode Fuzzy Hash: 2078805050c0e78f77aaf7426b0e072f1bfa5ee583f24d5ce6aaf659a201d639
Instruction Fuzzy Hash: 4E11E332600205ABDF14BB64DC02FAD77A5AF60B10F10882EF542B61E1EF759A499B90

Function 00178402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00178440

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: d612ad91ba4fe8eec4871fd71cf52115811780082cd4112405490dbcacefd360
Instruction ID: 594a49c1b32aa92fca752eeb5f2722b3f5da8ed7bba543b7b1da96cbc26c1c9f
Opcode Fuzzy Hash: d612ad91ba4fe8eec4871fd71cf52115811780082cd4112405490dbcacefd360
Instruction Fuzzy Hash: 7111487190810AAFCB05DF58E944A9A7BF4EF48314F108059F809AB312DB70EA11CBA4

Function 00175000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00174C7D: RtlAllocateHeap.NTDLL(00000008,00141129,00000000,?,00172E29,00000001,00000364,?,?,?,0016F2DE,00173863,00211444,?,0015FDF5,?), ref: 00174CBE

_free.LIBCMT ref: 0017506C

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction ID: c6b0e97005bb097bc09479a45bcf41d0f0afd96596ed0a0f532df9eda933734a
Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction Fuzzy Hash: 550126722047086BE3218E659881A5AFBF9FB89370F25451DF19883280EB70A805C6B4

Function 001D29BF Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,?,?,?,001D14B5,?), ref: 001D2A01

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: a5d87405a3f4213ebac11ff5b117f9c389d2c0471a69812fe6820b1794cf1998
Instruction ID: 1714a62d06b8ebb0402b9139813e32aeb07ff601861ab5a9b19ccace219a2231
Opcode Fuzzy Hash: a5d87405a3f4213ebac11ff5b117f9c389d2c0471a69812fe6820b1794cf1998
Instruction Fuzzy Hash: 7A01B5363006519FD329CA2CC494F227792EFE5318F29856AC0678B755D732FC42C7A0

Function 0016E602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: c1ea313cb3774b737b3be2df8261359b3ea34258dfcead8edd5c43737755358c
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: A1F02836910A24ABC7313A79DC05B9A33E89F72334F104719F428931D2DB70D8128AA6

Function 001D149E Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?), ref: 001D14EB

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: 2c8023d1a76ac289e11dcf9631c0c29547835e2a5abb51fe1f88509e373a5554
Instruction ID: e7760d59301f3b5553d21bda2799526e05799fd436b5ecc2b5d04e1f2ef51d16
Opcode Fuzzy Hash: 2c8023d1a76ac289e11dcf9631c0c29547835e2a5abb51fe1f88509e373a5554
Instruction Fuzzy Hash: FF01DF35309651AF9320CF6AC450826BB95FF9432875480AAE84A8B712E732DD82CBC0

Function 00174C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00141129,00000000,?,00172E29,00000001,00000364,?,?,?,0016F2DE,00173863,00211444,?,0015FDF5,?), ref: 00174CBE

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: bb59b219a21df14828178fc8661ffb297078275a5d542256e29b77733a85e138
Instruction ID: 547e0c8cf05e84190e67337b3ea12b595278b0d1d6acd138f603f7a2d6323be2
Opcode Fuzzy Hash: bb59b219a21df14828178fc8661ffb297078275a5d542256e29b77733a85e138
Instruction Fuzzy Hash: 17F0E931603224A7DB235F629C09B5A37A8BF517A0B19C515FD1DA61C4CB30DC1196E0

Function 00173820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00211444,?,0015FDF5,?,?,0014A976,00000010,00211440,001413FC,?,001413C6,?,00141129), ref: 00173852

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 812f083da1367f407daeba73e9299c55a921428dbb80a105c6d2592700a5a109
Instruction ID: 3b23d3ba147a3b449f34fdcd8a37c9c489372a684e45fedcd1fb4df464786819
Opcode Fuzzy Hash: 812f083da1367f407daeba73e9299c55a921428dbb80a105c6d2592700a5a109
Instruction Fuzzy Hash: B7E0E53110122597D7212A669C04F9A3768AB527B0F158326BC3C929D5CB31DD11A1E2

Function 00144F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00211418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00144F6D

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 4fc2bb5d2ed9c7e1fbbc4c7ee26e15af878170a2e9d4896bfcc359c2a111a86a
Instruction ID: dcb2052d327225042689df4894b5ba4f835fdb0f91579ace7abd540d2136860c
Opcode Fuzzy Hash: 4fc2bb5d2ed9c7e1fbbc4c7ee26e15af878170a2e9d4896bfcc359c2a111a86a
Instruction Fuzzy Hash: 13F03071105752CFDB389F68D490922B7E4AF143193108A7EE1EA82531C7319848DF50

Function 001D2A55 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 001D2A66

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: 5916f9f1f96e704cc3a16547775bff5ab4b06875dfb8b78e0f9e0e54f4202599
Instruction ID: 7c90c802e5d6f869f5eb3dc84db962b5eb034ae499e33a70bfa103a43e218f6e
Opcode Fuzzy Hash: 5916f9f1f96e704cc3a16547775bff5ab4b06875dfb8b78e0f9e0e54f4202599
Instruction Fuzzy Hash: CBE04F3A351116ABC714EA34DC809FAB35CEBB53957114537FC26C3600EB30D99586E0

Function 00142DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00142DC4

Part of subcall function 00146B57: _wcslen.LIBCMT ref: 00146B6A

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 6b7b017d2cc831c445b4a56803db14909f96509123d6842af102fd86e2de3527
Instruction ID: 7b58332a982d034d5c1443cad7ff2861919dde146e009e9ac800466e52156d1b
Opcode Fuzzy Hash: 6b7b017d2cc831c445b4a56803db14909f96509123d6842af102fd86e2de3527
Instruction Fuzzy Hash: 9DE0CD726011245BCB10A2589C05FDA77DDDFC8794F040071FD09D7258DA60AD84C691

Function 00142B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00143837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00143908

Part of subcall function 0014D730: GetInputState.USER32 ref: 0014D807

SetCurrentDirectoryW.KERNEL32(?), ref: 00142B6B

Part of subcall function 001430F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 0014314E

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: f21425c047bd2e7623290250902744fe2089d0d912c086ccfa507dfd466c1409
Instruction ID: 5ca5d3463da08ae5ce1070a56c7c57a96e687ce5d32eebc98785916cf379bcf1
Opcode Fuzzy Hash: f21425c047bd2e7623290250902744fe2089d0d912c086ccfa507dfd466c1409
Instruction Fuzzy Hash: A1E0262230020503CA04BB74B8124AEB3499BF1315F40063EF15243173CF7045958251

Function 001A3D03 Relevance: 1.5, APIs: 1, Instructions: 18windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 001A3D18

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: MessageSendTimeout
String ID:
API String ID: 1599653421-0
Opcode ID: 7eafd7ceef00316a8cffb8fb7b26c4f94d3880ef833227f5f3ef771e24c5d470
Instruction ID: 42d1b63c1248d016d8f64a3f9195b9e2cf19ca61190b3a0922f5b50e32f8be34
Opcode Fuzzy Hash: 7eafd7ceef00316a8cffb8fb7b26c4f94d3880ef833227f5f3ef771e24c5d470
Instruction Fuzzy Hash: C8D012E06A03087EFF0083718C0BEBB339CC316A81F004BA57A02D69C1E9A0DE084170

Function 0018039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00180704,?,?,00000000,?,00180704,00000000,0000000C), ref: 001803B7

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 2496a1cfd18e288c6b21449ed6dcabde4280d34920d435af07548f90903a2aad
Instruction ID: cc8f5daa0c94d63df840f0f805e9a8a177b8b43bf6a5b6a9109cb31f1539746f
Opcode Fuzzy Hash: 2496a1cfd18e288c6b21449ed6dcabde4280d34920d435af07548f90903a2aad
Instruction Fuzzy Hash: 31D06C3204010DFBDF029F84DD06EDA3BAAFB48714F014000BE1856020C732E861EB90

Function 00141CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00141CBC

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: 920f538ebc21d1f25ad5ff26f5633bf5c13deca1ce2fd04f77f25179a98b3485
Instruction ID: fcc3d4383b3596f7fe73fa7007c1ec634076f994e0c9fa848cb374729e250db2
Opcode Fuzzy Hash: 920f538ebc21d1f25ad5ff26f5633bf5c13deca1ce2fd04f77f25179a98b3485
Instruction Fuzzy Hash: BBC09B36381305EFF6144B80BC4EF507755E358B00F44C501F709655E3C7B11470D650

Non-executed Functions

Function 001D9576 Relevance: 74.1, APIs: 39, Strings: 3, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00159BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00159BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 001D961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 001D965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 001D969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 001D96C9
SendMessageW.USER32 ref: 001D96F2
GetKeyState.USER32(00000011), ref: 001D978B
GetKeyState.USER32(00000009), ref: 001D9798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 001D97AE
GetKeyState.USER32(00000010), ref: 001D97B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 001D97E9
SendMessageW.USER32 ref: 001D9810
SendMessageW.USER32(?,00001030,?,001D7E95), ref: 001D9918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 001D992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 001D9941
SetCapture.USER32(?), ref: 001D994A
ClientToScreen.USER32(?,?), ref: 001D99AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 001D99BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 001D99D6
ReleaseCapture.USER32 ref: 001D99E1
GetCursorPos.USER32(?), ref: 001D9A19
ScreenToClient.USER32(?,?), ref: 001D9A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 001D9A80
SendMessageW.USER32 ref: 001D9AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 001D9AEB
SendMessageW.USER32 ref: 001D9B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 001D9B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 001D9B4A
GetCursorPos.USER32(?), ref: 001D9B68
ScreenToClient.USER32(?,?), ref: 001D9B75
GetParent.USER32(?), ref: 001D9B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 001D9BFA
SendMessageW.USER32 ref: 001D9C2B
ClientToScreen.USER32(?,?), ref: 001D9C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 001D9CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 001D9CDE
SendMessageW.USER32 ref: 001D9D01
ClientToScreen.USER32(?,?), ref: 001D9D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 001D9D82

Part of subcall function 00159944: GetWindowLongW.USER32(?,000000EB), ref: 00159952

GetWindowLongW.USER32(?,000000F0), ref: 001D9E05

Strings

@GUI_DRAGID, xrefs: 001D997D
F, xrefs: 001D9D07
p#!, xrefs: 001D9990

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F$p#!
API String ID: 3429851547-2808124883
Opcode ID: 80b02b0ed285cc368df9b30442a3354654e4ea4cb91b067e6d5725ae0c9e3e6a
Instruction ID: 22712d5d21ecc5f1d449b435e0e2588e40adcfa11e9820f69a3e897d642878ef
Opcode Fuzzy Hash: 80b02b0ed285cc368df9b30442a3354654e4ea4cb91b067e6d5725ae0c9e3e6a
Instruction Fuzzy Hash: 2F428D74205241AFDB24CF24CC48EAABBE5FF49310F154A1AF699973A1DB31E864CF91

Function 001D4873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 001D48F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 001D4908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 001D4927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 001D494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 001D495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 001D497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 001D49AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 001D49D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 001D4A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 001D4A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 001D4A7E
IsMenu.USER32(?), ref: 001D4A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 001D4AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 001D4B20
GetWindowLongW.USER32(?,000000F0), ref: 001D4B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 001D4BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 001D4C82
wsprintfW.USER32 ref: 001D4CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 001D4CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 001D4CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 001D4D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 001D4D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 001D4D5A

Strings

%d/%02d/%02d, xrefs: 001D4CA8

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: 7b85a1ed30393222955a56c93943762ac1a7dcd60617604759caddb837e0fc9d
Instruction ID: 7fbb24637270aa10c47803bcb07031852d7f34274d0ea444a66e059ca0b2ffe4
Opcode Fuzzy Hash: 7b85a1ed30393222955a56c93943762ac1a7dcd60617604759caddb837e0fc9d
Instruction Fuzzy Hash: E112DD71601215ABEB248F68CC49FAE7BF8EF45710F10462AF916EB3E1DB749941CB90

Function 0015F98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 0015F998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0019F474
IsIconic.USER32(00000000), ref: 0019F47D
ShowWindow.USER32(00000000,00000009), ref: 0019F48A
SetForegroundWindow.USER32(00000000), ref: 0019F494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0019F4AA
GetCurrentThreadId.KERNEL32 ref: 0019F4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0019F4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 0019F4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 0019F4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 0019F4DE
SetForegroundWindow.USER32(00000000), ref: 0019F4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 0019F4F6
keybd_event.USER32(00000012,00000000), ref: 0019F501
MapVirtualKeyW.USER32(00000012,00000000), ref: 0019F50B
keybd_event.USER32(00000012,00000000), ref: 0019F510
MapVirtualKeyW.USER32(00000012,00000000), ref: 0019F519
keybd_event.USER32(00000012,00000000), ref: 0019F51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 0019F528
keybd_event.USER32(00000012,00000000), ref: 0019F52D
SetForegroundWindow.USER32(00000000), ref: 0019F530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 0019F557

Strings

Shell_TrayWnd, xrefs: 0019F46F

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 34cef7181c4f1180d105340934ffff2537283f5302040cf1182b9201a29a70c4
Instruction ID: bd06cc3e7933db354b363e710678f90685a46ac18a06e140c2a8409241de2487
Opcode Fuzzy Hash: 34cef7181c4f1180d105340934ffff2537283f5302040cf1182b9201a29a70c4
Instruction Fuzzy Hash: 58315E71B41219BAEF206BB55C4AFBF7F6CEB44B50F11046AFA00E61D1C7B09941EAA0

Function 001A1201 Relevance: 40.5, APIs: 19, Strings: 4, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 001A16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 001A170D
Part of subcall function 001A16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 001A173A
Part of subcall function 001A16C3: GetLastError.KERNEL32 ref: 001A174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 001A1286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 001A12A8
CloseHandle.KERNEL32(?), ref: 001A12B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 001A12D1
GetProcessWindowStation.USER32 ref: 001A12EA
SetProcessWindowStation.USER32(00000000), ref: 001A12F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 001A1310

Part of subcall function 001A10BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,001A11FC), ref: 001A10D4
Part of subcall function 001A10BF: CloseHandle.KERNEL32(?,?,001A11FC), ref: 001A10E9

Strings

, xrefs: 001A125A
default, xrefs: 001A130B
winsta0, xrefs: 001A12CC
Z , xrefs: 001A1392

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0$Z
API String ID: 22674027-3366205268
Opcode ID: b6b3ad716ef1c4b015d493a7c47bb93895850ca1b887e4f8f79d06670c37cf33
Instruction ID: c4fa168453d38354dfdf4c9fa5984e1e3d64aef37214109ed5a827202125bff7
Opcode Fuzzy Hash: b6b3ad716ef1c4b015d493a7c47bb93895850ca1b887e4f8f79d06670c37cf33
Instruction Fuzzy Hash: 0D819B7594120ABFDF219FA8DC49FEE7BB9EF09704F14452AF910A62A1C7308994CB60

Function 001A0B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 001A10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 001A1114
Part of subcall function 001A10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,001A0B9B,?,?,?), ref: 001A1120
Part of subcall function 001A10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,001A0B9B,?,?,?), ref: 001A112F
Part of subcall function 001A10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,001A0B9B,?,?,?), ref: 001A1136
Part of subcall function 001A10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 001A114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 001A0BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 001A0C00
GetLengthSid.ADVAPI32(?), ref: 001A0C17
GetAce.ADVAPI32(?,00000000,?), ref: 001A0C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 001A0C6D
GetLengthSid.ADVAPI32(?), ref: 001A0C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 001A0C8C
HeapAlloc.KERNEL32(00000000), ref: 001A0C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 001A0CB4
CopySid.ADVAPI32(00000000), ref: 001A0CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 001A0CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 001A0D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 001A0D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 001A0D45
HeapFree.KERNEL32(00000000), ref: 001A0D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 001A0D55
HeapFree.KERNEL32(00000000), ref: 001A0D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 001A0D65
HeapFree.KERNEL32(00000000), ref: 001A0D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 001A0D78
HeapFree.KERNEL32(00000000), ref: 001A0D7F

Part of subcall function 001A1193: GetProcessHeap.KERNEL32(00000008,001A0BB1,?,00000000,?,001A0BB1,?), ref: 001A11A1
Part of subcall function 001A1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,001A0BB1,?), ref: 001A11A8
Part of subcall function 001A1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,001A0BB1,?), ref: 001A11B7

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 982d1e5d97bd5f79d60d7f0e8fdbfec642382bc16a3a8d331b98f252f88a6c61
Instruction ID: 575d18aab3b8a2c59edfeee611f77bc42fbc8e2e83b34864a54624a206542a3c
Opcode Fuzzy Hash: 982d1e5d97bd5f79d60d7f0e8fdbfec642382bc16a3a8d331b98f252f88a6c61
Instruction Fuzzy Hash: 1B717B7A90121AEBDF11DFE4DC44FAEBBB8BF09310F044615F914A7291D771AA45CBA0

Function 001BEAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(001DCC08), ref: 001BEB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 001BEB37
GetClipboardData.USER32(0000000D), ref: 001BEB43
CloseClipboard.USER32 ref: 001BEB4F
GlobalLock.KERNEL32(00000000), ref: 001BEB87
CloseClipboard.USER32 ref: 001BEB91
GlobalUnlock.KERNEL32(00000000,00000000), ref: 001BEBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 001BEBC9
GetClipboardData.USER32(00000001), ref: 001BEBD1
GlobalLock.KERNEL32(00000000), ref: 001BEBE2
GlobalUnlock.KERNEL32(00000000,?), ref: 001BEC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 001BEC38
GetClipboardData.USER32(0000000F), ref: 001BEC44
GlobalLock.KERNEL32(00000000), ref: 001BEC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 001BEC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 001BEC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 001BECD2
GlobalUnlock.KERNEL32(00000000,?,?), ref: 001BECF3
CountClipboardFormats.USER32 ref: 001BED14
CloseClipboard.USER32 ref: 001BED59

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 9051d8630654b163ef58e1259a39ae3eeccd35ae787a30ae76094b4730c18988
Instruction ID: 8fc718e0e73b273499e13ee450636fa88d3d793f49655b059b842ae38e2b3dc4
Opcode Fuzzy Hash: 9051d8630654b163ef58e1259a39ae3eeccd35ae787a30ae76094b4730c18988
Instruction Fuzzy Hash: 6561D2352053029FD300EF64D888FAA77E8EF94714F14491EF456972A2CB71DD85CBA2

Function 001B698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 001B69BE
FindClose.KERNEL32(00000000), ref: 001B6A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 001B6A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 001B6A75

Part of subcall function 00149CB3: _wcslen.LIBCMT ref: 00149CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 001B6AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 001B6ADF

Strings

%4d, xrefs: 001B6BB1
%4d%02d%02d%02d%02d%02d%03d, xrefs: 001B6B32
%03d, xrefs: 001B6DA2
%4d%02d%02d%02d%02d%02d, xrefs: 001B6B6A
%02d, xrefs: 001B6C00, 001B6C0A, 001B6C5A, 001B6CAA, 001B6CFA, 001B6D4A

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: 9f8bf00ab914542d7427e53e30467cb8c3a9ec91ec0a88e7dbd94d2a98c4e12a
Instruction ID: b363b33c2f2a2b20c561079e730a94289c976e43239faa5dc57d539463a1f36a
Opcode Fuzzy Hash: 9f8bf00ab914542d7427e53e30467cb8c3a9ec91ec0a88e7dbd94d2a98c4e12a
Instruction Fuzzy Hash: 17D17271508300AFC714EBA4D891EAFB7ECAFA9704F44491DF585D71A1EB34DA48CBA2

Function 001B9642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 001B9663
GetFileAttributesW.KERNEL32(?), ref: 001B96A1
SetFileAttributesW.KERNEL32(?,?), ref: 001B96BB
FindNextFileW.KERNEL32(00000000,?), ref: 001B96D3
FindClose.KERNEL32(00000000), ref: 001B96DE
FindFirstFileW.KERNEL32(*.*,?), ref: 001B96FA
SetCurrentDirectoryW.KERNEL32(?), ref: 001B974A
SetCurrentDirectoryW.KERNEL32(00206B7C), ref: 001B9768
FindNextFileW.KERNEL32(00000000,00000010), ref: 001B9772
FindClose.KERNEL32(00000000), ref: 001B977F
FindClose.KERNEL32(00000000), ref: 001B978F

Strings

*.*, xrefs: 001B96F5

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: db18c2fa0c99ba2b717eb38ef472f5bfa9f3e0e29bacdefc11be97f87bef9ef0
Instruction ID: 3ec6a01ba28fd3cbdde3f344a5ba05b88bd3e501bfccb4f00e216375309551cf
Opcode Fuzzy Hash: db18c2fa0c99ba2b717eb38ef472f5bfa9f3e0e29bacdefc11be97f87bef9ef0
Instruction Fuzzy Hash: 0F31E47254221A6EDF14EFB4DC48ADE77ECAF09320F104556FA05E21A1EB30DD91CE90

Function 001B979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 001B97BE
FindNextFileW.KERNEL32(00000000,?), ref: 001B9819
FindClose.KERNEL32(00000000), ref: 001B9824
FindFirstFileW.KERNEL32(*.*,?), ref: 001B9840
SetCurrentDirectoryW.KERNEL32(?), ref: 001B9890
SetCurrentDirectoryW.KERNEL32(00206B7C), ref: 001B98AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 001B98B8
FindClose.KERNEL32(00000000), ref: 001B98C5
FindClose.KERNEL32(00000000), ref: 001B98D5

Part of subcall function 001ADAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 001ADB00

Strings

*.*, xrefs: 001B983B

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: a2660e9c33dd03fdf8231f50ddcd9de09f27a2006043955d1e2fadd560335eca
Instruction ID: 5ebfb528ac21e9be1df646d224f41bb4f302c31639098593abb823f61c3b8380
Opcode Fuzzy Hash: a2660e9c33dd03fdf8231f50ddcd9de09f27a2006043955d1e2fadd560335eca
Instruction Fuzzy Hash: 0031127250121E6ADF10EFB4EC48ADE77BCAF06320F104556EA00E20E1DB30DA96CAA0

Function 001CBE44 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 001CC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,001CB6AE,?,?), ref: 001CC9B5
Part of subcall function 001CC998: _wcslen.LIBCMT ref: 001CC9F1
Part of subcall function 001CC998: _wcslen.LIBCMT ref: 001CCA68
Part of subcall function 001CC998: _wcslen.LIBCMT ref: 001CCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 001CBF3E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 001CBFA9
RegCloseKey.ADVAPI32(00000000), ref: 001CBFCD
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 001CC02C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 001CC0E7
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 001CC154
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 001CC1E9
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 001CC23A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 001CC2E3
RegCloseKey.ADVAPI32(?,?,00000000), ref: 001CC382
RegCloseKey.ADVAPI32(00000000), ref: 001CC38F

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: ba75143217bbace0e37581e11a2e3d6234ec96ab8aed9f2f5be2c7e4812b04d1
Instruction ID: 9ec6fd9a766bbd706a350abf68f1c6114390a46658d944db47dc2d2d7e873d88
Opcode Fuzzy Hash: ba75143217bbace0e37581e11a2e3d6234ec96ab8aed9f2f5be2c7e4812b04d1
Instruction Fuzzy Hash: EE023A716042409FD714CF28C895F2ABBE5EF99318F19889DF84ACB2A2D731ED45CB91

Function 001B8195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 001B8257
SystemTimeToFileTime.KERNEL32(?,?), ref: 001B8267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 001B8273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 001B8310
SetCurrentDirectoryW.KERNEL32(?), ref: 001B8324
SetCurrentDirectoryW.KERNEL32(?), ref: 001B8356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 001B838C
SetCurrentDirectoryW.KERNEL32(?), ref: 001B8395

Strings

*.*, xrefs: 001B839B

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: fdd964d0929e29ca5514a5a0300a148153c204be66a397aeb15e12dc89bbc532
Instruction ID: 9b49178c694891e401f93924861950f2c7bacafe958dfe418cd09dc738b7247b
Opcode Fuzzy Hash: fdd964d0929e29ca5514a5a0300a148153c204be66a397aeb15e12dc89bbc532
Instruction Fuzzy Hash: F26159725083459FCB10EF64D8809AEB3ECFF99714F04491AF999C7261DB31E945CB92

Function 001AD076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00143AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00143A97,?,?,00142E7F,?,?,?,00000000), ref: 00143AC2

Part of subcall function 001AE199: GetFileAttributesW.KERNEL32(?,001ACF95), ref: 001AE19A

FindFirstFileW.KERNEL32(?,?), ref: 001AD122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 001AD1DD
MoveFileW.KERNEL32(?,?), ref: 001AD1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 001AD20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 001AD237

Part of subcall function 001AD29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,001AD21C,?,?), ref: 001AD2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 001AD253
FindClose.KERNEL32(00000000), ref: 001AD264

Strings

\*.*, xrefs: 001AD0CD, 001AD0D6, 001AD0EB

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: 53d8555e26bb3cde7e4999d50bbfd682da559161dca4d5808bde9a67f1e2150e
Instruction ID: e94fe19ac2b6f85d99f35bbadbaaacdeb927d10a88c753362bd079bab7d20636
Opcode Fuzzy Hash: 53d8555e26bb3cde7e4999d50bbfd682da559161dca4d5808bde9a67f1e2150e
Instruction Fuzzy Hash: 8961603580110D9FCF05EBE0E992AEDB7B5AF66304F604166E406771A2EB305F09DB60

Function 001BED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 001BED91
EmptyClipboard.USER32 ref: 001BED97
GlobalAlloc.KERNEL32(00000002,?), ref: 001BEDAC
CloseClipboard.USER32 ref: 001BEEA3

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 2e7e903bdebf3f315500f55df17264010b5b044bd6b4ed649e38427e4a658f8e
Instruction ID: 2e681123ae6cfbf8ee5eb1d80282386f79ca5ccaa28f2aec17fe753a22acc445
Opcode Fuzzy Hash: 2e7e903bdebf3f315500f55df17264010b5b044bd6b4ed649e38427e4a658f8e
Instruction Fuzzy Hash: 7541BE35606612AFE720DF19E888B99BBE5EF44318F14C49AE4158FB62C775EC81CBD0

Function 001AE8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 001A16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 001A170D
Part of subcall function 001A16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 001A173A
Part of subcall function 001A16C3: GetLastError.KERNEL32 ref: 001A174A

ExitWindowsEx.USER32(?,00000000), ref: 001AE932

Strings

, xrefs: 001AE95C
@, xrefs: 001AE925
, xrefs: 001AE920
SeShutdownPrivilege, xrefs: 001AE902

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: e6ad180fda822dfe47621d64569b90339bb9f75bcf578710b6e575ad2caca6b9
Instruction ID: 7d5f24cc18d3cf24a4cac72ab988cabe195133fd25b153d88768e39c808b3433
Opcode Fuzzy Hash: e6ad180fda822dfe47621d64569b90339bb9f75bcf578710b6e575ad2caca6b9
Instruction Fuzzy Hash: 6001D67A611311ABEB5426B89C8ABBB729CAB16758F154922F802E21D2D7A05C84C5E4

Function 001C1204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 001C1276
WSAGetLastError.WSOCK32 ref: 001C1283
bind.WSOCK32(00000000,?,00000010), ref: 001C12BA
WSAGetLastError.WSOCK32 ref: 001C12C5
closesocket.WSOCK32(00000000), ref: 001C12F4
listen.WSOCK32(00000000,00000005), ref: 001C1303
WSAGetLastError.WSOCK32 ref: 001C130D
closesocket.WSOCK32(00000000), ref: 001C133C

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: 3f6a58d3e1d20f38102ad23a6be20ebe58aaeadfec7798f16f17b8e80e710bfa
Instruction ID: d92cc8cfa6f6d6e16bd2b72ba7efc64be6f0677521fa1c04255536caf4069e4a
Opcode Fuzzy Hash: 3f6a58d3e1d20f38102ad23a6be20ebe58aaeadfec7798f16f17b8e80e710bfa
Instruction Fuzzy Hash: 1A416E35601141AFD710DF24C488F29BBE6AF56318F28858DE8568F2A3C771EC81CBE1

Function 0017B952 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0017B9D4
_free.LIBCMT ref: 0017B9F8
_free.LIBCMT ref: 0017BB7F
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,001E3700), ref: 0017BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,0021121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0017BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00211270,000000FF,?,0000003F,00000000,?), ref: 0017BC36
_free.LIBCMT ref: 0017BD4B

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: 4343a6f2d91b320eb58ac05cbd318b768275657fb18bd014ca00e97e6b5a46a9
Instruction ID: d8e50a08684c964bd3aa1b0f7c7bfe28d868566dbcc9fba96314416af102be4c
Opcode Fuzzy Hash: 4343a6f2d91b320eb58ac05cbd318b768275657fb18bd014ca00e97e6b5a46a9
Instruction Fuzzy Hash: 59C12971908219AFCB25AF78DC85BAA7BB8EF51310F14C19AE99CD7251EB308E41C750

Function 001AD3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00143AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00143A97,?,?,00142E7F,?,?,?,00000000), ref: 00143AC2

Part of subcall function 001AE199: GetFileAttributesW.KERNEL32(?,001ACF95), ref: 001AE19A

FindFirstFileW.KERNEL32(?,?), ref: 001AD420
DeleteFileW.KERNEL32(?,?,?,?), ref: 001AD470
FindNextFileW.KERNEL32(00000000,00000010), ref: 001AD481
FindClose.KERNEL32(00000000), ref: 001AD498
FindClose.KERNEL32(00000000), ref: 001AD4A1

Strings

\*.*, xrefs: 001AD3F2

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 84817cf0349e9a1d25855319b76103cf9b54f326e54ebbc8c78286372b7e123c
Instruction ID: f6ab44dc650406ffa4e0fb9360131d7211e4e47f0b97b92457efac5a86242c15
Opcode Fuzzy Hash: 84817cf0349e9a1d25855319b76103cf9b54f326e54ebbc8c78286372b7e123c
Instruction Fuzzy Hash: 343170710093459FC304EF64D8558AF77A8BFA6314F444E1EF4D6935A1EB30AA09C763

Function 0017E4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0017E645

Strings

1#IND, xrefs: 0017F83D
1#QNAN, xrefs: 0017F84B
1#SNAN, xrefs: 0017F844
1#INF, xrefs: 0017F852

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 44b2aba24df5de21a78a234cf013e4b0a3a59c267238b4e76a173c11773f76c9
Instruction ID: 587800f399d3e97c7064dddcab1d8cf1a1dbd40b6f0cd93bf47d5a76b552fe8d
Opcode Fuzzy Hash: 44b2aba24df5de21a78a234cf013e4b0a3a59c267238b4e76a173c11773f76c9
Instruction Fuzzy Hash: BCC21A71E086298FDB29CE28DD407EAB7F5EB49305F1581EAD44DE7241E774AE828F40

Function 001B648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 001B64DC
CoInitialize.OLE32(00000000), ref: 001B6639
CoCreateInstance.OLE32(001DFCF8,00000000,00000001,001DFB68,?), ref: 001B6650
CoUninitialize.OLE32 ref: 001B68D4

Strings

.lnk, xrefs: 001B64BA, 001B6524, 001B65E0

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: bb53d128ff063f15dae857c3af4bf3d5e17fc517a161f32f7c283e4ca162d67f
Instruction ID: eba0de6e904314fba357371ac1f3a6ca80b1b6e37aa15dd3f962e3003c1fec1d
Opcode Fuzzy Hash: bb53d128ff063f15dae857c3af4bf3d5e17fc517a161f32f7c283e4ca162d67f
Instruction Fuzzy Hash: 90D139715083019FC314EF24C881DABB7E9FFA9744F10496DF5958B2A1DB71E909CB92

Function 001C22DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 001C22E8

Part of subcall function 001BE4EC: GetWindowRect.USER32(?,?), ref: 001BE504

GetDesktopWindow.USER32 ref: 001C2312
GetWindowRect.USER32(00000000), ref: 001C2319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 001C2355
GetCursorPos.USER32(?), ref: 001C2381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 001C23DF

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: bee0e231f3f861855b7baef2262e634b3d3a60ca585be2fce166fe8cbc4f4cf3
Instruction ID: a33c9695d29398b64e4dcbe09c29d51b316a266c3045bbdf9f70cd73f7023948
Opcode Fuzzy Hash: bee0e231f3f861855b7baef2262e634b3d3a60ca585be2fce166fe8cbc4f4cf3
Instruction Fuzzy Hash: 3731DC72106346ABC720DF54D808F9BBBA9FB98714F000A1EF88497181DB34EA48CBD2

Function 001B9B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00149CB3: _wcslen.LIBCMT ref: 00149CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 001B9B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 001B9C8B

Part of subcall function 001B3874: GetInputState.USER32 ref: 001B38CB
Part of subcall function 001B3874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 001B3966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 001B9BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 001B9C75

Strings

*.*, xrefs: 001B9B5D

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: e99f56d6f64485c4e6ebbb372425d899faf294feba4221a76163c5c00a5e8196
Instruction ID: d78c28f151339c6dc2429afcab1b6d973d78961cca4642fa97fcd07648fae118
Opcode Fuzzy Hash: e99f56d6f64485c4e6ebbb372425d899faf294feba4221a76163c5c00a5e8196
Instruction Fuzzy Hash: 9041807194120AAFCF14DFA4C989AEEBBB4EF15310F204156F505A71A1EB309E95CFA0

Function 00148060 Relevance: 8.7, Strings: 6, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 001483FA
VUUU, xrefs: 001483E8
ERCP, xrefs: 0014813C
VUUU, xrefs: 00185DF0
VUUU, xrefs: 0014843C
_______________________________________________________________________________________________________________________________abccccccccdeefghijklmnopqrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstyzzzzzzzzzzzzzzzz{{{{, xrefs: 00185D55

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU$_______________________________________________________________________________________________________________________________abccccccccdeefghijklmnopqrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstyzzzzzzzzzzzzzzzz{{{{
API String ID: 0-2009957334
Opcode ID: ec53f2ae3c28bea9cd28bad2d19a40c54220da0ae65aeffdb00d686f5cf7bcab
Instruction ID: 92b0f601a77e8414bd6f43fdfb0462bdfe0b7f87a03c407f76e8ad3d3096846a
Opcode Fuzzy Hash: ec53f2ae3c28bea9cd28bad2d19a40c54220da0ae65aeffdb00d686f5cf7bcab
Instruction Fuzzy Hash: 36A27071E0061ACBDF24DF58C8507AEB7B2FF54314F2581AAE815AB295DB709E81CF90

Function 0015997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00159BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00159BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00159A4E
GetSysColor.USER32(0000000F), ref: 00159B23
SetBkColor.GDI32(?,00000000), ref: 00159B36

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: 13c695ce5b28d92faade3b908edac03832463c2b4c9c0757ca769d781ddfe7d2
Instruction ID: c5fa91400d9d11c65f5f0aa0fea77c718e83bcb629c90a60bfa2ede97f53faa2
Opcode Fuzzy Hash: 13c695ce5b28d92faade3b908edac03832463c2b4c9c0757ca769d781ddfe7d2
Instruction Fuzzy Hash: C9A108B0218544EEEB2DAA3C9C4CDBB365DDF52342B16420AF922CF6D5CB259D05C273

Function 001C1806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 001C304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 001C307A
Part of subcall function 001C304E: _wcslen.LIBCMT ref: 001C309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 001C185D
WSAGetLastError.WSOCK32 ref: 001C1884
bind.WSOCK32(00000000,?,00000010), ref: 001C18DB
WSAGetLastError.WSOCK32 ref: 001C18E6
closesocket.WSOCK32(00000000), ref: 001C1915

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: 7872cff18f1321441e9869aeb681bde09acd3048cb7e3e298cc4a687929dcfe9
Instruction ID: 11b77ddfcf9cb760a82d5a948cff3556da003358e995e3a9a504b4f459c63e8f
Opcode Fuzzy Hash: 7872cff18f1321441e9869aeb681bde09acd3048cb7e3e298cc4a687929dcfe9
Instruction Fuzzy Hash: 5D519F71A40210AFDB10AF64C886F2AB7A5AB59718F18849CF9169F3D3C771ED41CBE1

Function 001D1C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 001D1CC0
IsWindowEnabled.USER32 ref: 001D1CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 001D1CDB
IsIconic.USER32 ref: 001D1CE9
IsZoomed.USER32 ref: 001D1CF7

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: dd710f31d59359b6e75e819714a43e31678d9b79c1a80fe3eacadfa094dd381e
Instruction ID: 6e39fb0c558197d015062c6ba3d7c60425abdc8ea1c5da5a93eb06bffaba5df4
Opcode Fuzzy Hash: dd710f31d59359b6e75e819714a43e31678d9b79c1a80fe3eacadfa094dd381e
Instruction Fuzzy Hash: 7A2102317522017FD7208F2AC884B2A7BE5EF94320F19806AE84ACB351CB71EC42CBD0

Function 001A8298 Relevance: 6.6, APIs: 1, Strings: 3, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 001A82AA

Strings

(, xrefs: 001A82F0
|, xrefs: 001A82DA
tb , xrefs: 001A84F4

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: lstrlen
String ID: ($tb $|
API String ID: 1659193697-4033350771
Opcode ID: eb95557d441740b8155ee080ab4300baa24d19cf3439b30f91211ba0edf3dffc
Instruction ID: d66500697d6623988cc6ac2edcbfc6b6f99b2d976c5ab7bff38acc80e188a862
Opcode Fuzzy Hash: eb95557d441740b8155ee080ab4300baa24d19cf3439b30f91211ba0edf3dffc
Instruction Fuzzy Hash: EB322579A007059FCB28CF59C481A6AB7F0FF48710B15C56EE99ADB3A1EB70E941CB40

Function 001CA67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 001CA6AC
Process32FirstW.KERNEL32(00000000,?), ref: 001CA6BA

Part of subcall function 00149CB3: _wcslen.LIBCMT ref: 00149CBD

Process32NextW.KERNEL32(00000000,?), ref: 001CA79C
CloseHandle.KERNEL32(00000000), ref: 001CA7AB

Part of subcall function 0015CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00183303,?), ref: 0015CE8A

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: 5c6256dc8587e49131e8e207077dc147b7bcb50a30b4ad93f3ea57f06a4bdb5c
Instruction ID: 25e0c252b1dcafe970dd62e6c323252e5e04b3bf969d02e2cf2665536df96747
Opcode Fuzzy Hash: 5c6256dc8587e49131e8e207077dc147b7bcb50a30b4ad93f3ea57f06a4bdb5c
Instruction Fuzzy Hash: 7C516C71508311AFD310EF24D886E6BBBE8FFA9754F40491DF99997262EB30D904CB92

Function 001AAA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 001AAAAC
SetKeyboardState.USER32(00000080), ref: 001AAAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 001AAB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 001AAB88

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: c884f0988db7a0d46db7c8cda0e38fb0eb7297fae232f2cf16fee31800fc3675
Instruction ID: 945d7f761514dd0eccd1ec8801f8f46e7fa3e95960c1d1325b974ab6d668b50e
Opcode Fuzzy Hash: c884f0988db7a0d46db7c8cda0e38fb0eb7297fae232f2cf16fee31800fc3675
Instruction Fuzzy Hash: 16313934A80348AEFF35CB64CC05BFA7BA6AF56320F84421BF581965D1D3759981C7B2

Function 001BCE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 001BCE89
GetLastError.KERNEL32(?,00000000), ref: 001BCEEA
SetEvent.KERNEL32(?,?,00000000), ref: 001BCEFE

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: 7e30a12f91864be048dfcdec4f053da5a95948fee8d0af8d390e169f24ca2c29
Instruction ID: 613448248fd67da98a0fa9c2b8ddae2ff9a7363e3a92511bc51978b7ac994e05
Opcode Fuzzy Hash: 7e30a12f91864be048dfcdec4f053da5a95948fee8d0af8d390e169f24ca2c29
Instruction Fuzzy Hash: B9219D71601306EBDB20DFA5C948BA77BF8EB50354F10481EE546D2151E770EE44CBE0

Function 001B5C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 001B5CC1
FindNextFileW.KERNEL32(00000000,?), ref: 001B5D17
FindClose.KERNEL32(?), ref: 001B5D5F

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 8d6e6aee2dad291f388747f97f7e8c05394558a8410b815f12a00628bfe5ab9c
Instruction ID: 5786744156e26b5b467a7284aed5e34e014a6a658f501432e3a1e00f24f5fd80
Opcode Fuzzy Hash: 8d6e6aee2dad291f388747f97f7e8c05394558a8410b815f12a00628bfe5ab9c
Instruction Fuzzy Hash: 5B519974604A019FC714CF68C894A9AB7E5FF49314F148A5EE99A8B3A2CB30FD45CF91

Function 00172622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0017271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00172724
UnhandledExceptionFilter.KERNEL32(?), ref: 00172731

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: c28f90e5547ad01b9c5c45a6c6d2290355540a9941381c3e590f898ed917b119
Instruction ID: 65f14d8c88032bfa191fe82adb4c55660c5b10cfa77ef393bddbb5befb921bfc
Opcode Fuzzy Hash: c28f90e5547ad01b9c5c45a6c6d2290355540a9941381c3e590f898ed917b119
Instruction Fuzzy Hash: 5431B774911218ABCB21DF64DD8979DB7B8BF18310F5082DAE81CA7261E7309F818F45

Function 001B51CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 001B51DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 001B5238
SetErrorMode.KERNEL32(00000000), ref: 001B52A1

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: fe6bcac8bb77a6fd12a7168ea9fda1c052f73df93a7b47eaf5bc82d445c73430
Instruction ID: 8b9761ed8d2a404a2e9df131e8770008c49f2c292c0d3081ca397eb39efe9393
Opcode Fuzzy Hash: fe6bcac8bb77a6fd12a7168ea9fda1c052f73df93a7b47eaf5bc82d445c73430
Instruction Fuzzy Hash: DB314C75A01519DFDB00DF54D884FAEBBB5FF49314F048499E805AB3A2DB31E856CB90

Function 001A16C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 0015FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00160668
Part of subcall function 0015FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00160685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 001A170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 001A173A
GetLastError.KERNEL32 ref: 001A174A

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: e95b36711225473604fb7e7ab85d77754e2fc20a785effc42dd95a968667ca2c
Instruction ID: 0c7efa09d2386b4e6044002b97e336ee09943d6589d4f849a804450a971dd34c
Opcode Fuzzy Hash: e95b36711225473604fb7e7ab85d77754e2fc20a785effc42dd95a968667ca2c
Instruction Fuzzy Hash: DA11C1B2400305BFD7189F94DC86D6BB7B9EB04714B20852EF45697641EB70BC41CA60

Function 001AD5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 001AD608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 001AD645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 001AD650

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: aeb102ba6de4ef79fe641ec145d98cfacfa37c4674b577186dd8730ce9323df9
Instruction ID: ffefc15db580afc6e3d5c1be1b9d8d7ad316ed9ac9462a3dc20681e822a381aa
Opcode Fuzzy Hash: aeb102ba6de4ef79fe641ec145d98cfacfa37c4674b577186dd8730ce9323df9
Instruction Fuzzy Hash: EA113C75E06228BBDB148F99AC45FAFBBBCEB45B50F108516F908E7290D6704A058BA1

Function 001A1663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 001A168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 001A16A1
FreeSid.ADVAPI32(?), ref: 001A16B1

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 65d880585bdf11a094556d211ec86fb8d43b94949b6c43823b8a6bae734b9254
Instruction ID: 74ecceacf4b9803e4b65106b4e7acee4883419c181fc15b77b789cdcd05e3f69
Opcode Fuzzy Hash: 65d880585bdf11a094556d211ec86fb8d43b94949b6c43823b8a6bae734b9254
Instruction Fuzzy Hash: 47F0F475952309FBDF00DFE49C89AAEBBBCFB08604F504965E501E2181E774AA44CA90

Function 00164CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(001728E9,?,00164CBE,001728E9,002088B8,0000000C,00164E15,001728E9,00000002,00000000,?,001728E9), ref: 00164D09
TerminateProcess.KERNEL32(00000000,?,00164CBE,001728E9,002088B8,0000000C,00164E15,001728E9,00000002,00000000,?,001728E9), ref: 00164D10
ExitProcess.KERNEL32 ref: 00164D22

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: c659413c85bebc965496659b0888e639e42f12162296d28bfb0d9f5f03e9bf31
Instruction ID: 8eb4d42b98b506fd8f863f45cb945d3d62c296a58e97778ee5cb531dfa3a4aae
Opcode Fuzzy Hash: c659413c85bebc965496659b0888e639e42f12162296d28bfb0d9f5f03e9bf31
Instruction Fuzzy Hash: D0E0B631402149BBCF11AF94DD09A583B69FB61782F108415FC198B522CB35DE92DA80

Function 0017C2A2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 0017C36C

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: fb8fb6cc299fb2f25afe35fb47c143a57b13983a342a5ec9a030bfc2de553a91
Instruction ID: ed3a48c8eeedf0dcaffc16e425551259084871958a9f441dbdd5b8ee32d0a667
Opcode Fuzzy Hash: fb8fb6cc299fb2f25afe35fb47c143a57b13983a342a5ec9a030bfc2de553a91
Instruction Fuzzy Hash: 3B412876500619ABCB249FB9DC49EAB77B8FB84314F10866DF909D7181E7709D81CB90

Function 0019D27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 0019D28C

Strings

X64, xrefs: 0019D2A8

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 4679aca7d1abc07294e902dfdbdb84ec943f95fad2a82139104b8a946f8bdaf1
Instruction ID: bc0570dbce24718aea1d5b7ed4dda982ccd64425deb66a5418ab0114c171608b
Opcode Fuzzy Hash: 4679aca7d1abc07294e902dfdbdb84ec943f95fad2a82139104b8a946f8bdaf1
Instruction Fuzzy Hash: 72D0C9B480211DEACF94CB90EC88DDAB37CBB04305F100552F506A2080DB3095488F10

Function 0016CAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: d74d4d19bb408f285b5ee52a8c8f45d19c558f8887941f339f9b4dca24924b09
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: 53022C72E002199BDF14CFA9C8906ADFBF1EF88314F25816AD859E7380D731AA51CBD4

Function 0014CAF0 Relevance: 3.2, Strings: 2, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 00190C40
p#!, xrefs: 0014CF7F

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.$p#!
API String ID: 0-498771827
Opcode ID: 855b78c63ea9cf3e2fb5e6ab02ba79eb6a0c4ab6a510924fd542233c1d8c3c13
Instruction ID: e8dfe3b64cb414df2e8e8dae16c5a54b5d9f002467c8934f60e3e23f2fc4d33b
Opcode Fuzzy Hash: 855b78c63ea9cf3e2fb5e6ab02ba79eb6a0c4ab6a510924fd542233c1d8c3c13
Instruction Fuzzy Hash: D632B174901218DFCF54DF94C885BEDB7B5FF19304F148069E806AB2A2DB35AE49CBA0

Function 001B68EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 001B6918
FindClose.KERNEL32(00000000), ref: 001B6961

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 1d16ffce118e1468067dba131ccd6f7a345086399086b375b3089eeac4ec4858
Instruction ID: d1f0710eee54dd9bc7ccf6dc3a11a898b4b9315c57577081668337eb1a06d037
Opcode Fuzzy Hash: 1d16ffce118e1468067dba131ccd6f7a345086399086b375b3089eeac4ec4858
Instruction Fuzzy Hash: 2D11D0316042119FC710CF29D484A16BBE1FF94328F04C699F8698F6A2C734EC45CBD0

Function 001B37B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,001C4891,?,?,00000035,?), ref: 001B37E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,001C4891,?,?,00000035,?), ref: 001B37F4

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 8d1656e7ae3264112a5bd703c9c8d95f035cfc3b508291e2938204a14851475d
Instruction ID: 181431fb81d216e60e80ac6ff1e5fc00aaae73c626c95027e9948a3d0aa10a67
Opcode Fuzzy Hash: 8d1656e7ae3264112a5bd703c9c8d95f035cfc3b508291e2938204a14851475d
Instruction Fuzzy Hash: 31F0E5B16062297AE72027669C4DFEB3BAEEFC4761F000265F509D2291DB609944C7F0

Function 001AB226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 001AB25D
keybd_event.USER32(?,75A8C0D0,?,00000000), ref: 001AB270

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 3b7ce98068a06247dd9f966b8d21bc0a6e6b92df52350b43a21520c3ca3325cb
Instruction ID: 4b022e199f0c81c92a41e5a4c8c94218f43922c9c7b0bb9c2e2b28fbd7e14877
Opcode Fuzzy Hash: 3b7ce98068a06247dd9f966b8d21bc0a6e6b92df52350b43a21520c3ca3325cb
Instruction Fuzzy Hash: F9F0177590428EABDB059FA0C806BAE7BB4FF09309F00844AF965A61A2C3799651DF94

Function 001A10BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,001A11FC), ref: 001A10D4
CloseHandle.KERNEL32(?,?,001A11FC), ref: 001A10E9

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: d55d6d17e41dcb1b29658784f77c2a2703b6657b2577c97c87ff70e713a54c8c
Instruction ID: abb4fa19f4c0f144d4f4190745f4a868e90c245555971a36b96474166b5bef9c
Opcode Fuzzy Hash: d55d6d17e41dcb1b29658784f77c2a2703b6657b2577c97c87ff70e713a54c8c
Instruction Fuzzy Hash: 17E04F72005601FEE7252B51FC06F7377A9EB04311F10882EF8A5844B1DB626CD0DB50

Function 0017676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00176766,?,?,00000008,?,?,0017FEFE,00000000), ref: 00176998

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 4c7ec43f57d194eb5991212e79e9231efe18bf36c56838513a315c1f787ebb02
Instruction ID: 6f000df0bcc62ea39bd610a19982691989ef2d069ab1d9db378187b5dbbd8306
Opcode Fuzzy Hash: 4c7ec43f57d194eb5991212e79e9231efe18bf36c56838513a315c1f787ebb02
Instruction Fuzzy Hash: 52B12931610A099FD719CF28C48AB657BB0FF45368F25C698E99DCF2A2C335E995CB40

Function 0015B119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 0019851F

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: c2c50ac9a83e1c4662e9f979807399735548f3383686bcb77786b98e00a1fb5c
Instruction ID: e91e4945e1bf1a2c3ba3518efafd517b3755ba2ce7726efc5cacc1ad85d88a15
Opcode Fuzzy Hash: c2c50ac9a83e1c4662e9f979807399735548f3383686bcb77786b98e00a1fb5c
Instruction Fuzzy Hash: 17126D71904229DFCF24CF58C880AEEB7F5FF48710F15819AE859EB255EB309A85CB90

Function 001BEAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 001BEABD

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 743806e2cdeea054bb6eb6514c2eed248bdf92f90e5426142f7b363d25ddf5d9
Instruction ID: 0f2744a009a2816a044936346b9b7f75e2a311ab3303a78a654966337c58ec35
Opcode Fuzzy Hash: 743806e2cdeea054bb6eb6514c2eed248bdf92f90e5426142f7b363d25ddf5d9
Instruction Fuzzy Hash: 91E04F312012049FC710EF69D844EDAF7EDAFA8760F008816FC49CB3A1DB70E8408B90

Function 001609D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,001603EE), ref: 001609DA

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 8496916e2031d0d86dee912fa1534a16462d435cdd112a5848de3db6c116e6a2
Instruction ID: 53ee51feeaf869dc32dce88c387522920ce8648cae3afb2c0f42e35868e70501
Opcode Fuzzy Hash: 8496916e2031d0d86dee912fa1534a16462d435cdd112a5848de3db6c116e6a2
Instruction Fuzzy Hash:

Function 0016781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 0016798B

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: 418aae584077b7f435f1242f9378701294227c45e8482d7e16ebf2a245c28f45
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: 4D51777160C7059BDB3889788C5EBBE63DD9B2235CF180A09E882D72C2CB15EE71D356

Function 001B2046 Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

0&!, xrefs: 001B2053

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID:
String ID: 0&!
API String ID: 0-1419620344
Opcode ID: 43469d8c244f55b32967cbe7189211f24f8883fcc5b04a1932687fa1acc781e6
Instruction ID: f83aad06b7056ae799c8af964916890489c292ccbf61485bfdff114e1f6493c7
Opcode Fuzzy Hash: 43469d8c244f55b32967cbe7189211f24f8883fcc5b04a1932687fa1acc781e6
Instruction Fuzzy Hash: 7321A8326205158BD728CE79C8166BA73E5A764310F15862EF4A7C37D0DF35A908C740

Function 00176DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a18eb8aefda32e9f2cd9994f7d70d92970e4a52fbce395a90b4c2ae266b0437b
Instruction ID: 6300bcb1ee5865f4feafc62022c314af71245c680f04150fb822a920c4795eeb
Opcode Fuzzy Hash: a18eb8aefda32e9f2cd9994f7d70d92970e4a52fbce395a90b4c2ae266b0437b
Instruction Fuzzy Hash: 8932F022D29F414DD7239634CC72339A69DAFB73C5F15D727E81AB9DAAEB2984C34100

Function 0015CC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c35bbaf75acc9f5407b43b23d9eac2dbb820a9f8bb7e1af56421969bd5092b1
Instruction ID: 2c93529c94911d5230de55de92e1e3da821f6e75faa36e66dfa8b187cc9ed387
Opcode Fuzzy Hash: 9c35bbaf75acc9f5407b43b23d9eac2dbb820a9f8bb7e1af56421969bd5092b1
Instruction Fuzzy Hash: 55324831A00255CFDF28CF68C4946BD7BA1EB45355F29816AD8EACB292E330DD85DBC1

Function 00147920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50385b671028bd1186fa7d4b7bd21aafeab4824e3caab2ec862c74926361a4a8
Instruction ID: d8aece26733260cc8be88075c7a8c31e179b13d78f54f192c37b848b133ee278
Opcode Fuzzy Hash: 50385b671028bd1186fa7d4b7bd21aafeab4824e3caab2ec862c74926361a4a8
Instruction Fuzzy Hash: E522A270A04609DFDF14DF64D881AAEB7F6FF54300F244529E816E72A1EB369E15CB50

Function 001491C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88b78a03a019bcddf2477f191c56e4d30a403278a8558af02a0a3bf73106926c
Instruction ID: 7a8b27500df56ac18505e8cb6a5a82c5d8080611502b77bee8000e3541fa717a
Opcode Fuzzy Hash: 88b78a03a019bcddf2477f191c56e4d30a403278a8558af02a0a3bf73106926c
Instruction Fuzzy Hash: 4C0295B1E00205EFDB04EF64D881AAEB7F5FF54300F118169E816DB291EB71AA65CF91

Function 00179EEE Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a06193a45fc3a445823970be9b5bc48320636462de6d2e8ecc5d918797a5559
Instruction ID: 9d148eb47625e5df611ba6c0c0f1ec9d1590e817b8e2e86d9a2c68ab6515afa9
Opcode Fuzzy Hash: 5a06193a45fc3a445823970be9b5bc48320636462de6d2e8ecc5d918797a5559
Instruction Fuzzy Hash: 26B10220D2AF804DD2239639887533AB65CBFBB6C5F91D31BFC2679D62EB2285C34140

Function 00161C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: 3a8242b9efaad35de9a68d84996e3860d07ca1c7b62fb58679aedd75e6ff5a62
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: 1C9144735080E35ADB2E467A897407DFFE15A523A231E079ED8F2CA1C5EF24D974E620

Function 00161F32 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction ID: 5ddb749f9cb448bd3edb394405dbf9f18cf0345718d4e49174716bc93e461f3c
Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction Fuzzy Hash: 3D91447320D4A349DB6D46398D7443EFEE15A923A131E079DE8F2CA1C5EF348578E620

Function 001619B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: 6bbbf60e94c3df67cdbc3714a9ff1c3ce6f27c1f8b007afa81bf017022a85110
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: EE913F722090E35ADB6D467A897403EFEF15A923A631E479ED4F2CB1C1FF248574E620

Function 00167A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b3f9e476ef45f889762b840d682d2d264a9b8c80951358764e0511bd22aac0a
Instruction ID: 579f48a34205f4943f764b5e11bcb6a5cf0a7ac56d41965876cecde91d000803
Opcode Fuzzy Hash: 8b3f9e476ef45f889762b840d682d2d264a9b8c80951358764e0511bd22aac0a
Instruction Fuzzy Hash: 90616B7120870996DE38AA6C8DA5BBE6394DF5170CF280A1AEC43DB2C1DB51DE72C355

Function 00167CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61a299346b93be792ab894417f6b6ab3247a807926a604443819ce23323bae6b
Instruction ID: 6b1ecc3f5881b5b7d08e7104dc6a4f92939a77eda4f80554cbf9e1eda6b36339
Opcode Fuzzy Hash: 61a299346b93be792ab894417f6b6ab3247a807926a604443819ce23323bae6b
Instruction Fuzzy Hash: CD61993120870966DF399EA89C91BBF2384EF5274CF200D5AE943CB2C1EB129D76C311

Function 00161706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: fb07e7584644e0f371780fb448f8157c4635b63a77c4e1de14408719270aac4b
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: 7D8161736090E35ADB6D863A893447EFFE15A923A531E079ED4F2CB1C1EF248574E620

Function 001C2ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 001C2B30
DeleteObject.GDI32(00000000), ref: 001C2B43
DestroyWindow.USER32 ref: 001C2B52
GetDesktopWindow.USER32 ref: 001C2B6D
GetWindowRect.USER32(00000000), ref: 001C2B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 001C2CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 001C2CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001C2CF8
GetClientRect.USER32(00000000,?), ref: 001C2D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 001C2D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001C2D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001C2D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001C2D80
GlobalLock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001C2D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001C2D98
GlobalUnlock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001C2DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001C2DA8
GlobalFree.KERNEL32(00000000), ref: 001C2DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001C2DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,001DFC38,00000000), ref: 001C2DDB
GlobalFree.KERNEL32(00000000), ref: 001C2DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 001C2E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 001C2E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001C2E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001C303F

Strings

AutoIt v3, xrefs: 001C2CF2
, xrefs: 001C2FC5
static, xrefs: 001C2D3A, 001C2E91
DISPLAY, xrefs: 001C2EA2

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 8146bf7c11a5c19e0220cf7c8a80cb2381445aac4a34373ab09afd608f0a5e0d
Instruction ID: 6b11f97b9be6f70c9187a0a5c41605fae505077e6a5bd8de4dea5317da30caa0
Opcode Fuzzy Hash: 8146bf7c11a5c19e0220cf7c8a80cb2381445aac4a34373ab09afd608f0a5e0d
Instruction Fuzzy Hash: 87027C71901219EFDB14DF64DC89FAEBBB9EB58310F008559F915AB2A1CB70ED41CBA0

Function 001D70D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 001D712F
GetSysColorBrush.USER32(0000000F), ref: 001D7160
GetSysColor.USER32(0000000F), ref: 001D716C
SetBkColor.GDI32(?,000000FF), ref: 001D7186
SelectObject.GDI32(?,?), ref: 001D7195
InflateRect.USER32(?,000000FF,000000FF), ref: 001D71C0
GetSysColor.USER32(00000010), ref: 001D71C8
CreateSolidBrush.GDI32(00000000), ref: 001D71CF
FrameRect.USER32(?,?,00000000), ref: 001D71DE
DeleteObject.GDI32(00000000), ref: 001D71E5
InflateRect.USER32(?,000000FE,000000FE), ref: 001D7230
FillRect.USER32(?,?,?), ref: 001D7262
GetWindowLongW.USER32(?,000000F0), ref: 001D7284

Part of subcall function 001D73E8: GetSysColor.USER32(00000012), ref: 001D7421
Part of subcall function 001D73E8: SetTextColor.GDI32(?,?), ref: 001D7425
Part of subcall function 001D73E8: GetSysColorBrush.USER32(0000000F), ref: 001D743B
Part of subcall function 001D73E8: GetSysColor.USER32(0000000F), ref: 001D7446
Part of subcall function 001D73E8: GetSysColor.USER32(00000011), ref: 001D7463
Part of subcall function 001D73E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 001D7471
Part of subcall function 001D73E8: SelectObject.GDI32(?,00000000), ref: 001D7482
Part of subcall function 001D73E8: SetBkColor.GDI32(?,00000000), ref: 001D748B
Part of subcall function 001D73E8: SelectObject.GDI32(?,?), ref: 001D7498
Part of subcall function 001D73E8: InflateRect.USER32(?,000000FF,000000FF), ref: 001D74B7
Part of subcall function 001D73E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 001D74CE
Part of subcall function 001D73E8: GetWindowLongW.USER32(00000000,000000F0), ref: 001D74DB

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 785987ad463ba0fc751ead989708af58992164d644481142867d12ad2409c41a
Instruction ID: 6ef2aa0c0fe5f2ee0fdb3bdc05e4841a27ddfd5486aaa62378ea042723fbc2c2
Opcode Fuzzy Hash: 785987ad463ba0fc751ead989708af58992164d644481142867d12ad2409c41a
Instruction Fuzzy Hash: 2BA1947210A312FFDB009F60DC48A5BB7A9FB49321F100F1AF962961E1D771E944CB91

Function 00158D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00158E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 00196AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00196AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00196F43

Part of subcall function 00158F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00158BE8,?,00000000,?,?,?,?,00158BBA,00000000,?), ref: 00158FC5

SendMessageW.USER32(?,00001053), ref: 00196F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00196F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 00196FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 00196FB7

Strings

0, xrefs: 00196DCF

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: eccfaca5ccd03fb50cce06ae38c4a12a804c6ad563e5e837155452e5ffc68a04
Instruction ID: b79f2a0aef5ed522a1130d013fcc53c33f4ea8661f13797afc3f73e3e88253e7
Opcode Fuzzy Hash: eccfaca5ccd03fb50cce06ae38c4a12a804c6ad563e5e837155452e5ffc68a04
Instruction Fuzzy Hash: 0A12BD34201201DFDB25CF24D899BAAB7F1FF54301F148469F9A59B661CB31ECA6CBA1

Function 001C2711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 001C273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 001C286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 001C28A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 001C28B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 001C2900
GetClientRect.USER32(00000000,?), ref: 001C290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 001C2955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 001C2964
GetStockObject.GDI32(00000011), ref: 001C2974
SelectObject.GDI32(00000000,00000000), ref: 001C2978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 001C2988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 001C2991
DeleteDC.GDI32(00000000), ref: 001C299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 001C29C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 001C29DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 001C2A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 001C2A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 001C2A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 001C2A77
GetStockObject.GDI32(00000011), ref: 001C2A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 001C2A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 001C2A97

Strings

AutoIt v3, xrefs: 001C28F8
msctls_progress32, xrefs: 001C2A13
static, xrefs: 001C294F, 001C2A71
DISPLAY, xrefs: 001C295A

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 41e491f1f23630f45ea3f38a4fce2cce568c25db581805a047b51d25abf2ea41
Instruction ID: 6b40c7f923c8513d05b0b77fdbd53e3d421a92608f4f94f4dc54e451b65dec1c
Opcode Fuzzy Hash: 41e491f1f23630f45ea3f38a4fce2cce568c25db581805a047b51d25abf2ea41
Instruction Fuzzy Hash: 61B16071A01215AFDB14DF68DC89FAEBBA9EF14710F008559FA14EB2A0DB70ED40CB90

Function 001B4ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 001B4AED
GetDriveTypeW.KERNEL32(?,001DCB68,?,\\.\,001DCC08), ref: 001B4BCA
SetErrorMode.KERNEL32(00000000,001DCB68,?,\\.\,001DCC08), ref: 001B4D36

Strings

SCSI, xrefs: 001B4C8A
SATA, xrefs: 001B4CD0
USB, xrefs: 001B4CB4
Unknown, xrefs: 001B4BED, 001B4C83
\\.\, xrefs: 001B4B3F
FileBackedVirtual, xrefs: 001B4CEC
RAID, xrefs: 001B4CBB
Removable, xrefs: 001B4C10, 001B4C15
SAS, xrefs: 001B4CC9
ATA, xrefs: 001B4C98
1394, xrefs: 001B4C9F
ATAPI, xrefs: 001B4C91
SSD, xrefs: 001B4C4A
Fibre, xrefs: 001B4CAD
iSCSI, xrefs: 001B4CC2
Virtual, xrefs: 001B4CE5
Fixed, xrefs: 001B4C09
CDROM, xrefs: 001B4BFB
RAMDisk, xrefs: 001B4BF4
PhysicalDrive, xrefs: 001B4B76
Network, xrefs: 001B4C02
MMC, xrefs: 001B4CDE
SSA, xrefs: 001B4CA6

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: d390f38066ea06a3a6e6f6270d1c6e591d97de0b7d2c8498009d2241a717d6fc
Instruction ID: 8f36e95d265733f882c9d82598a744b70a7ab5b0c9cf26ebc1a17f1aefc31118
Opcode Fuzzy Hash: d390f38066ea06a3a6e6f6270d1c6e591d97de0b7d2c8498009d2241a717d6fc
Instruction Fuzzy Hash: 7561C330615206DBCB08EF64CA8A9FD7BB0EF15B00B24C416F806AB693DB31ED65DB41

Function 001D73E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 001D7421
SetTextColor.GDI32(?,?), ref: 001D7425
GetSysColorBrush.USER32(0000000F), ref: 001D743B
GetSysColor.USER32(0000000F), ref: 001D7446
CreateSolidBrush.GDI32(?), ref: 001D744B
GetSysColor.USER32(00000011), ref: 001D7463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 001D7471
SelectObject.GDI32(?,00000000), ref: 001D7482
SetBkColor.GDI32(?,00000000), ref: 001D748B
SelectObject.GDI32(?,?), ref: 001D7498
InflateRect.USER32(?,000000FF,000000FF), ref: 001D74B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 001D74CE
GetWindowLongW.USER32(00000000,000000F0), ref: 001D74DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 001D752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 001D7554
InflateRect.USER32(?,000000FD,000000FD), ref: 001D7572
DrawFocusRect.USER32(?,?), ref: 001D757D
GetSysColor.USER32(00000011), ref: 001D758E
SetTextColor.GDI32(?,00000000), ref: 001D7596
DrawTextW.USER32(?,001D70F5,000000FF,?,00000000), ref: 001D75A8
SelectObject.GDI32(?,?), ref: 001D75BF
DeleteObject.GDI32(?), ref: 001D75CA
SelectObject.GDI32(?,?), ref: 001D75D0
DeleteObject.GDI32(?), ref: 001D75D5
SetTextColor.GDI32(?,?), ref: 001D75DB
SetBkColor.GDI32(?,?), ref: 001D75E5

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: e7fb4b7c40863a8c3baa2af65451893d6051f568346e4e7013ca3358c31964b9
Instruction ID: 81869771981bf9151ade3fe621ed14d87cfd55d82cc5476544baaa6953ef62eb
Opcode Fuzzy Hash: e7fb4b7c40863a8c3baa2af65451893d6051f568346e4e7013ca3358c31964b9
Instruction Fuzzy Hash: 1A615072902219EFDF019FA4DC49EEEBF79EB08320F114616F915AB2E1D7749980CB90

Function 001D0FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 001D1128
GetDesktopWindow.USER32 ref: 001D113D
GetWindowRect.USER32(00000000), ref: 001D1144
GetWindowLongW.USER32(?,000000F0), ref: 001D1199
DestroyWindow.USER32(?), ref: 001D11B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 001D11ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 001D120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 001D121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 001D1232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 001D1245
IsWindowVisible.USER32(00000000), ref: 001D12A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 001D12BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 001D12D0
GetWindowRect.USER32(00000000,?), ref: 001D12E8
MonitorFromPoint.USER32(?,?,00000002), ref: 001D130E
GetMonitorInfoW.USER32(00000000,?), ref: 001D1328
CopyRect.USER32(?,?), ref: 001D133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 001D13AA

Strings

(, xrefs: 001D131B
0, xrefs: 001D10D3
tooltips_class32, xrefs: 001D11E6

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 1e97c4f3ab642458f38a2368b89293f7a85467963939a08af89323d7f44fd81f
Instruction ID: 68f16e45cac65653b4ca2b8b14b4896b52e81113ce647a93f8ffed85fa620009
Opcode Fuzzy Hash: 1e97c4f3ab642458f38a2368b89293f7a85467963939a08af89323d7f44fd81f
Instruction Fuzzy Hash: B9B16B71608341BFDB14DF64D884B6BBBE5FF98350F00891AF9999B2A1CB71E844CB91

Function 001D0241 Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 001D02E5
_wcslen.LIBCMT ref: 001D031F
_wcslen.LIBCMT ref: 001D0389
_wcslen.LIBCMT ref: 001D03F1
_wcslen.LIBCMT ref: 001D0475
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 001D04C5
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 001D0504

Part of subcall function 0015F9F2: _wcslen.LIBCMT ref: 0015F9FD

Part of subcall function 001A223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 001A2258
Part of subcall function 001A223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 001A228A

Strings

SELECTCLEAR, xrefs: 001D052D
VIEWCHANGE, xrefs: 001D0675
GETSUBITEMCOUNT, xrefs: 001D0384, 001D039F
SELECT, xrefs: 001D0548
SELECTALL, xrefs: 001D0515
SELECTINVERT, xrefs: 001D057E
GETTEXT, xrefs: 001D03EC, 001D0407
GETSELECTEDCOUNT, xrefs: 001D0470, 001D048B
ISSELECTED, xrefs: 001D04DD
GETITEMCOUNT, xrefs: 001D0316, 001D0337
DESELECT, xrefs: 001D059C
FINDITEM, xrefs: 001D0627
GETSELECTED, xrefs: 001D05E1

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: 48860f35190414b9760058f6ea2d0f69d666a876ef397762bb64e166c86c723e
Instruction ID: 1ad9732f1e381611df20db7101d2ce20edf08bfdda120bfabfde680e92f66b8d
Opcode Fuzzy Hash: 48860f35190414b9760058f6ea2d0f69d666a876ef397762bb64e166c86c723e
Instruction Fuzzy Hash: 71E1AF316183019FC715DF28C590A2AB3E6BF9C314F15495EF8969B3A2DB30ED45CB91

Function 00158891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00158968
GetSystemMetrics.USER32(00000007), ref: 00158970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0015899B
GetSystemMetrics.USER32(00000008), ref: 001589A3
GetSystemMetrics.USER32(00000004), ref: 001589C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 001589E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 001589F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00158A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00158A3C
GetClientRect.USER32(00000000,000000FF), ref: 00158A5A
GetStockObject.GDI32(00000011), ref: 00158A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00158A81

Part of subcall function 0015912D: GetCursorPos.USER32(?), ref: 00159141
Part of subcall function 0015912D: ScreenToClient.USER32(00000000,?), ref: 0015915E
Part of subcall function 0015912D: GetAsyncKeyState.USER32(00000001), ref: 00159183
Part of subcall function 0015912D: GetAsyncKeyState.USER32(00000002), ref: 0015919D

SetTimer.USER32(00000000,00000000,00000028,001590FC), ref: 00158AA8

Strings

AutoIt v3 GUI, xrefs: 00158A20

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: ef2253a1b0704a0ead117fc39ef6ce30bf7bb21fb91795294160794c40947cd5
Instruction ID: e49e1a5c7cf48571bb7a6d3c848cfac700362ed900580c1e0190e70899a7dbe7
Opcode Fuzzy Hash: ef2253a1b0704a0ead117fc39ef6ce30bf7bb21fb91795294160794c40947cd5
Instruction Fuzzy Hash: 45B16C31A0120ADFDF14DFA8DC49BEA7BB5FB48315F11461AFA25AB290DB30A851CB51

Function 001A0D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 001A10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 001A1114
Part of subcall function 001A10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,001A0B9B,?,?,?), ref: 001A1120
Part of subcall function 001A10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,001A0B9B,?,?,?), ref: 001A112F
Part of subcall function 001A10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,001A0B9B,?,?,?), ref: 001A1136
Part of subcall function 001A10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 001A114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 001A0DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 001A0E29
GetLengthSid.ADVAPI32(?), ref: 001A0E40
GetAce.ADVAPI32(?,00000000,?), ref: 001A0E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 001A0E96
GetLengthSid.ADVAPI32(?), ref: 001A0EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 001A0EB5
HeapAlloc.KERNEL32(00000000), ref: 001A0EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 001A0EDD
CopySid.ADVAPI32(00000000), ref: 001A0EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 001A0F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 001A0F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 001A0F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 001A0F6E
HeapFree.KERNEL32(00000000), ref: 001A0F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 001A0F7E
HeapFree.KERNEL32(00000000), ref: 001A0F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 001A0F8E
HeapFree.KERNEL32(00000000), ref: 001A0F95
GetProcessHeap.KERNEL32(00000000,?), ref: 001A0FA1
HeapFree.KERNEL32(00000000), ref: 001A0FA8

Part of subcall function 001A1193: GetProcessHeap.KERNEL32(00000008,001A0BB1,?,00000000,?,001A0BB1,?), ref: 001A11A1
Part of subcall function 001A1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,001A0BB1,?), ref: 001A11A8
Part of subcall function 001A1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,001A0BB1,?), ref: 001A11B7

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 4e23ed59ee41935c5299450197e0a53c34ecfb0a5e53925c70f76261c7bef697
Instruction ID: a35b4354d1f988e0f65a25b07db7eefe89f66d8225e7ba28a22c3c5125e1938c
Opcode Fuzzy Hash: 4e23ed59ee41935c5299450197e0a53c34ecfb0a5e53925c70f76261c7bef697
Instruction Fuzzy Hash: F2716D7690121AEFDF219FA4DC44FAEBBB8BF09301F044516F919F6191D731A945CBA0

Function 001CC3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 001CC4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,001DCC08,00000000,?,00000000,?,?), ref: 001CC544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 001CC5A4
_wcslen.LIBCMT ref: 001CC5F4
_wcslen.LIBCMT ref: 001CC66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 001CC6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 001CC7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 001CC84D
RegCloseKey.ADVAPI32(?), ref: 001CC881
RegCloseKey.ADVAPI32(00000000), ref: 001CC88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 001CC960

Strings

REG_BINARY, xrefs: 001CC913
REG_SZ, xrefs: 001CC644
REG_EXPAND_SZ, xrefs: 001CC5CD
REG_DWORD, xrefs: 001CC804
REG_QWORD, xrefs: 001CC8C3
REG_MULTI_SZ, xrefs: 001CC6F5

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: 11f6092ec51d45f71089fdfe6e81a049527e84b75ac993ac0c10608fd146fa80
Instruction ID: 84717f4f3d07245db59c44a7dd2da2215eff397ce42af090db74f39d8aa9de88
Opcode Fuzzy Hash: 11f6092ec51d45f71089fdfe6e81a049527e84b75ac993ac0c10608fd146fa80
Instruction Fuzzy Hash: AD1255756042119FDB14DF28C891F2AB7E5EF98714F05889DF88A9B3A2DB31ED41CB81

Function 001D091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 001D09C6
_wcslen.LIBCMT ref: 001D0A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 001D0A54
_wcslen.LIBCMT ref: 001D0A8A
_wcslen.LIBCMT ref: 001D0B06
_wcslen.LIBCMT ref: 001D0B81

Part of subcall function 0015F9F2: _wcslen.LIBCMT ref: 0015F9FD

Part of subcall function 001A2BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 001A2BFA

Strings

GETTOTALCOUNT, xrefs: 001D09F2, 001D0A17
EXPAND, xrefs: 001D0BF8
UNCHECK, xrefs: 001D0D3E
CHECK, xrefs: 001D0A85, 001D0AA0
SELECT, xrefs: 001D0D11
GETITEMCOUNT, xrefs: 001D0C1E
GETSELECTED, xrefs: 001D0C4E
ISCHECKED, xrefs: 001D0CE1
EXISTS, xrefs: 001D0B7C, 001D0B97
GETTEXT, xrefs: 001D0C97
COLLAPSE, xrefs: 001D0B01, 001D0B1C

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: b652f3fe417f09f484b25c9906d7951f962cba3f0b76a3061466460dd2eec9b4
Instruction ID: f613344b22f84bbe827fb7213f0ab866ce8cd8c9cb5b817583b41635d6ab27ee
Opcode Fuzzy Hash: b652f3fe417f09f484b25c9906d7951f962cba3f0b76a3061466460dd2eec9b4
Instruction Fuzzy Hash: 91E1D1356087118FC715DF24C450A2AB7E2FFA8318F15895EF89A9B3A2D731ED45CB81

Function 001CC998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,001CB6AE,?,?), ref: 001CC9B5
_wcslen.LIBCMT ref: 001CC9F1
_wcslen.LIBCMT ref: 001CCA68
_wcslen.LIBCMT ref: 001CCA9E
_wcslen.LIBCMT ref: 001CCAF9
_wcslen.LIBCMT ref: 001CCB2F
_wcslen.LIBCMT ref: 001CCB7F

Strings

HKEY_CURRENT_USER, xrefs: 001CCBBD
HKU, xrefs: 001CCBF0
HKEY_CLASSES_ROOT, xrefs: 001CCAF3, 001CCAF8
HKLM, xrefs: 001CCA98, 001CCA9D
HKCR, xrefs: 001CCB29, 001CCB2E
HKEY_USERS, xrefs: 001CCBDF
HKEY_CURRENT_CONFIG, xrefs: 001CCB79, 001CCB7E
HKEY_LOCAL_MACHINE, xrefs: 001CCA62, 001CCA67
HKCC, xrefs: 001CCBAC
HKCU, xrefs: 001CCBCE

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: ea6126b42ff92a778d90d226aba8ce6b7e9d849aaeb82f0ac723f0f18fe44f6f
Instruction ID: cef471f96e38b848c485dfc7e59b594388e815fb111ae15e7194639a8cf588b9
Opcode Fuzzy Hash: ea6126b42ff92a778d90d226aba8ce6b7e9d849aaeb82f0ac723f0f18fe44f6f
Instruction Fuzzy Hash: 5B71D232A1052A8BCB20DEBC8941BBA3391ABB4794B15052CF86A9B295F731DD55C3E0

Function 001D833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 001D835A
_wcslen.LIBCMT ref: 001D836E
_wcslen.LIBCMT ref: 001D8391
_wcslen.LIBCMT ref: 001D83B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 001D83F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,001D5BF2), ref: 001D844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 001D8487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 001D84CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 001D8501
FreeLibrary.KERNEL32(?), ref: 001D850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 001D851D
DestroyIcon.USER32(?,?,?,?,?,001D5BF2), ref: 001D852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 001D8549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 001D8555

Strings

.icl, xrefs: 001D8368
.dll, xrefs: 001D83AB
.exe, xrefs: 001D8388

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: f08f93fc3e1db0d7b9d6928fe5a64c83686e5c2997f0a47af324e95661c58a30
Instruction ID: a858ec16edd9dd68c5a42c43e5d8864fd08d786f7d3768068ded747882375cf6
Opcode Fuzzy Hash: f08f93fc3e1db0d7b9d6928fe5a64c83686e5c2997f0a47af324e95661c58a30
Instruction Fuzzy Hash: 9761D071940216BBEB14DF64DC81BBF77A8FB18B11F10460AF915DA2D1DB74A990CBA0

Function 00147778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

#OnAutoItStartRegister, xrefs: 00147817
#include, xrefs: 00147847
#comments-end, xrefs: 001478D9
', xrefs: 00185169
#ce, xrefs: 001478ED
Unterminated group of comments, xrefs: 0018528C
", xrefs: 00185153
#include-once, xrefs: 0014782F
#requireadmin, xrefs: 001477FF
#notrayicon, xrefs: 001477E7
Bad directive syntax error, xrefs: 0018519A
Cannot parse #include, xrefs: 00185279
#comments-start, xrefs: 0014785F, 001478B1
#pragma compile, xrefs: 001477D3
#cs, xrefs: 00147873, 001478C5

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: 5646314da7964e88be7ec03d7c05414e37a09b217a57b6195f8cfa952a255c5b
Instruction ID: 30d857d930ef8672c757438995aa2fa9c6d368e7f858e7ac3a2e5b4cc2ba5421
Opcode Fuzzy Hash: 5646314da7964e88be7ec03d7c05414e37a09b217a57b6195f8cfa952a255c5b
Instruction Fuzzy Hash: F2812B71A44205BBDB20BF60DC46FAF37A9EF25300F054025F905AB1E6EB71DA26CB91

Function 001B3E79 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 001B3EF8
_wcslen.LIBCMT ref: 001B3F03
_wcslen.LIBCMT ref: 001B3F5A
_wcslen.LIBCMT ref: 001B3F98
GetDriveTypeW.KERNEL32(?), ref: 001B3FD6
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 001B401E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 001B4059
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 001B4087

Strings

closed, xrefs: 001B3F08, 001B3F2D, 001B3F46, 001B3F7E, 001B3F97
close cd wait, xrefs: 001B4072
open , xrefs: 001B3FE5
wait, xrefs: 001B4044
open, xrefs: 001B3F54, 001B3F59
close, xrefs: 001B3EFE, 001B3F18
type cdaudio alias cd wait, xrefs: 001B4001
set cd door , xrefs: 001B4028

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: 90d1c6c681d9032623d3abe7d92dd85bea863ab12597c8f60274a7d1931652e0
Instruction ID: 91596cae37f32b22914a91bfa9f5df098afa8ffbeef829a119b990dad25aa74d
Opcode Fuzzy Hash: 90d1c6c681d9032623d3abe7d92dd85bea863ab12597c8f60274a7d1931652e0
Instruction Fuzzy Hash: 0E71D3326043129FC310EF24C8818ABB7F4EFA5758F00492DF9A5972A2EB31DD55CB92

Function 001A5A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 001A5A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 001A5A40
SetWindowTextW.USER32(?,?), ref: 001A5A57
GetDlgItem.USER32(?,000003EA), ref: 001A5A6C
SetWindowTextW.USER32(00000000,?), ref: 001A5A72
GetDlgItem.USER32(?,000003E9), ref: 001A5A82
SetWindowTextW.USER32(00000000,?), ref: 001A5A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 001A5AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 001A5AC3
GetWindowRect.USER32(?,?), ref: 001A5ACC
_wcslen.LIBCMT ref: 001A5B33
SetWindowTextW.USER32(?,?), ref: 001A5B6F
GetDesktopWindow.USER32 ref: 001A5B75
GetWindowRect.USER32(00000000), ref: 001A5B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 001A5BD3
GetClientRect.USER32(?,?), ref: 001A5BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 001A5C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 001A5C2F

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: f0df1450584d64e2a4f9e92005d250b6d09bcb090f8adf691e588628ebb489c5
Instruction ID: de46000023134d12b05844a6bb561e597328f17b6d0850c58d8b645edd1f34c7
Opcode Fuzzy Hash: f0df1450584d64e2a4f9e92005d250b6d09bcb090f8adf691e588628ebb489c5
Instruction Fuzzy Hash: 0C718135905B05EFDB20DFA8CD85AAEBBF6FF48705F104919E142A35A0D774E944CB60

Function 001BFE0E Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 001BFE27
LoadCursorW.USER32(00000000,00007F8A), ref: 001BFE32
LoadCursorW.USER32(00000000,00007F00), ref: 001BFE3D
LoadCursorW.USER32(00000000,00007F03), ref: 001BFE48
LoadCursorW.USER32(00000000,00007F8B), ref: 001BFE53
LoadCursorW.USER32(00000000,00007F01), ref: 001BFE5E
LoadCursorW.USER32(00000000,00007F81), ref: 001BFE69
LoadCursorW.USER32(00000000,00007F88), ref: 001BFE74
LoadCursorW.USER32(00000000,00007F80), ref: 001BFE7F
LoadCursorW.USER32(00000000,00007F86), ref: 001BFE8A
LoadCursorW.USER32(00000000,00007F83), ref: 001BFE95
LoadCursorW.USER32(00000000,00007F85), ref: 001BFEA0
LoadCursorW.USER32(00000000,00007F82), ref: 001BFEAB
LoadCursorW.USER32(00000000,00007F84), ref: 001BFEB6
LoadCursorW.USER32(00000000,00007F04), ref: 001BFEC1
LoadCursorW.USER32(00000000,00007F02), ref: 001BFECC
GetCursorInfo.USER32(?), ref: 001BFEDC
GetLastError.KERNEL32 ref: 001BFF1E

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: ee2b412c106ca648899067199d82d42bab766cd269155aaf666074c0d68aa8a8
Instruction ID: 2553bdc6a06401d578071a88673d68122f5a9482ce18bb0ed9abd34b350e53df
Opcode Fuzzy Hash: ee2b412c106ca648899067199d82d42bab766cd269155aaf666074c0d68aa8a8
Instruction Fuzzy Hash: DD4152B0D053196ADB109FBA8C8986EBFE8FF04754B50452AF11DE7291DB78E901CE91

Function 001A30F7 Relevance: 26.6, APIs: 8, Strings: 7, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 001A318D
_wcslen.LIBCMT ref: 001A31F8

Strings

NAME, xrefs: 001A3335, 001A3346
CLASSNN, xrefs: 001A31F3, 001A3204
[ , xrefs: 001A339A
TEXT, xrefs: 001A347C
INSTANCE, xrefs: 001A3453
CLASS, xrefs: 001A3188, 001A31A5
REGEXPCLASS, xrefs: 001A3255, 001A3266

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT$[
API String ID: 176396367-3679483830
Opcode ID: 32d383bcbd9958ed5d078f9e9fd22b6eb3d2e86b252542d7f13d5dde0dbf07e7
Instruction ID: 327637a4215d92fa7b6c8b1ea2cbd0bbeff46afa2e9dd221637401f4966c227e
Opcode Fuzzy Hash: 32d383bcbd9958ed5d078f9e9fd22b6eb3d2e86b252542d7f13d5dde0dbf07e7
Instruction Fuzzy Hash: 5DE1F736A006269BCB18DF78C8517EEFBB0BF16714F55811AF466E7240DB30AE85C790

Function 001600C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 001600C6

Part of subcall function 001600ED: InitializeCriticalSectionAndSpinCount.KERNEL32(0021070C,00000FA0,E7ACFCCE,?,?,?,?,001823B3,000000FF), ref: 0016011C
Part of subcall function 001600ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,001823B3,000000FF), ref: 00160127
Part of subcall function 001600ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,001823B3,000000FF), ref: 00160138
Part of subcall function 001600ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 0016014E
Part of subcall function 001600ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 0016015C
Part of subcall function 001600ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 0016016A
Part of subcall function 001600ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00160195
Part of subcall function 001600ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 001601A0

___scrt_fastfail.LIBCMT ref: 001600E7

Part of subcall function 001600A3: __onexit.LIBCMT ref: 001600A9

Strings

SleepConditionVariableCS, xrefs: 00160154
WakeAllConditionVariable, xrefs: 00160162
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00160122
kernel32.dll, xrefs: 00160133
InitializeConditionVariable, xrefs: 00160148

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: 2a9b3643a1705994e77e1d7de1fe7cdd23eb6782a8d0cc54157550bf91359f43
Instruction ID: cbcb60a25bef8deb9bb7b75d2abe73185336758b33e3f9efdad3e4200d7c6d19
Opcode Fuzzy Hash: 2a9b3643a1705994e77e1d7de1fe7cdd23eb6782a8d0cc54157550bf91359f43
Instruction Fuzzy Hash: 15212932642711ABD7126BA4AC4AB6B73D5EB1EB51F10052BFC02D67D1DFB09C81CA90

Function 001B44C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,001DCC08), ref: 001B4527
_wcslen.LIBCMT ref: 001B453B
_wcslen.LIBCMT ref: 001B4599
_wcslen.LIBCMT ref: 001B45F4
_wcslen.LIBCMT ref: 001B463F
_wcslen.LIBCMT ref: 001B46A7

Part of subcall function 0015F9F2: _wcslen.LIBCMT ref: 0015F9FD

GetDriveTypeW.KERNEL32(?,00206BF0,00000061), ref: 001B4743

Strings

removable, xrefs: 001B45EA, 001B45EF
network, xrefs: 001B469D, 001B46A2
unknown, xrefs: 001B4708
cdrom, xrefs: 001B458F, 001B4594
ramdisk, xrefs: 001B46F1
all, xrefs: 001B4531, 001B4536
fixed, xrefs: 001B4635, 001B463A

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: a022e23234ca4ff083ba09968232bfa90f6ff14ea4cf86a9ddb3ac9cba118539
Instruction ID: 1a9f9f85fb66672a8ad508265bd9432e0dbee7c5e48823c4ec52127ff3121878
Opcode Fuzzy Hash: a022e23234ca4ff083ba09968232bfa90f6ff14ea4cf86a9ddb3ac9cba118539
Instruction Fuzzy Hash: 5DB1F5716083129FC724DF28C890ABEB7E5BFA9764F50891DF496C7292DB30D845CB92

Function 001D911E Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00159BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00159BB2

DragQueryPoint.SHELL32(?,?), ref: 001D9147

Part of subcall function 001D7674: ClientToScreen.USER32(?,?), ref: 001D769A
Part of subcall function 001D7674: GetWindowRect.USER32(?,?), ref: 001D7710
Part of subcall function 001D7674: PtInRect.USER32(?,?,001D8B89), ref: 001D7720

SendMessageW.USER32(?,000000B0,?,?), ref: 001D91B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 001D91BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 001D91DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 001D9225
SendMessageW.USER32(?,000000B0,?,?), ref: 001D923E
SendMessageW.USER32(?,000000B1,?,?), ref: 001D9255
SendMessageW.USER32(?,000000B1,?,?), ref: 001D9277
DragFinish.SHELL32(?), ref: 001D927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 001D9371

Strings

@GUI_DRAGID, xrefs: 001D92E9
@GUI_DROPID, xrefs: 001D929E
@GUI_DRAGFILE, xrefs: 001D9320
p#!, xrefs: 001D92BB

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$p#!
API String ID: 221274066-1008745475
Opcode ID: 8ff33cdf07a1e447a448d74c4cb7b41311329d3a0241fd71ee8944323dd9a850
Instruction ID: 6da27d9835edb9261ba6dda3ab6c1bc74119e8cfba8fadb0c683ca8f09b78ebc
Opcode Fuzzy Hash: 8ff33cdf07a1e447a448d74c4cb7b41311329d3a0241fd71ee8944323dd9a850
Instruction Fuzzy Hash: 88618B71109301AFD701DF64DC89DAFBBE8EF99350F000A1EF595932A1DB309A49CB92

Function 0014326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00211990), ref: 00182F8D
GetMenuItemCount.USER32(00211990), ref: 0018303D
GetCursorPos.USER32(?), ref: 00183081
SetForegroundWindow.USER32(00000000), ref: 0018308A
TrackPopupMenuEx.USER32(00211990,00000000,?,00000000,00000000,00000000), ref: 0018309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 001830A9

Strings

0, xrefs: 0014327D

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 19fe32cbb218a5e7cd7739efecbaf07e79d973c1a65ef0e4978842710784cb66
Instruction ID: 9cc4581a028c204addc0e70f13d90bf1e6006de79551446c802528c9d4f46c2f
Opcode Fuzzy Hash: 19fe32cbb218a5e7cd7739efecbaf07e79d973c1a65ef0e4978842710784cb66
Instruction Fuzzy Hash: AB715D30645206BFEB259F64DC89F9ABF64FF05324F204206F624661E0C7B1AE50DF90

Function 001D6CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 001D6DEB

Part of subcall function 00146B57: _wcslen.LIBCMT ref: 00146B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 001D6E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 001D6E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 001D6E94
DestroyWindow.USER32(?), ref: 001D6EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00140000,00000000), ref: 001D6EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 001D6EFD
GetDesktopWindow.USER32 ref: 001D6F16
GetWindowRect.USER32(00000000), ref: 001D6F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 001D6F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 001D6F4D

Part of subcall function 00159944: GetWindowLongW.USER32(?,000000EB), ref: 00159952

Strings

tooltips_class32, xrefs: 001D6E58, 001D6EDD
0, xrefs: 001D6D98

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: 7cf86ff6afdcad93a310a1d14f5f9b4f64709c5c688d0721b6a211624fd3b317
Instruction ID: c4056e2e89083219cd6e0184e321d4d41d12258bba41c7a706dab22b85c6f4b1
Opcode Fuzzy Hash: 7cf86ff6afdcad93a310a1d14f5f9b4f64709c5c688d0721b6a211624fd3b317
Instruction Fuzzy Hash: 68716674104245AFDB21CF18DC58EAABBF9FB99304F04491EF99987361CB70E946CB52

Function 001BC476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 001BC4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 001BC4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 001BC4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 001BC4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 001BC533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 001BC549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 001BC554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 001BC584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 001BC5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 001BC5F0
InternetCloseHandle.WININET(00000000), ref: 001BC5FB

Strings

, xrefs: 001BC575

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: d351975b83d6fdc127ac14acda7ac9da6f8a4ec101694e6de40420fbf48e2cfe
Instruction ID: 0b19835dacb7654b6126d76cfa7bb287fb2686729b2a35ab70817f83faaf63fa
Opcode Fuzzy Hash: d351975b83d6fdc127ac14acda7ac9da6f8a4ec101694e6de40420fbf48e2cfe
Instruction Fuzzy Hash: 33513BB1601609BFDB219FA5C988AEB7BBCFF08754F00441AF945D6650DB34EA44DBE0

Function 001D856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 001D8592
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 001D85A2
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 001D85AD
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 001D85BA
GlobalLock.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 001D85C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 001D85D7
GlobalUnlock.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 001D85E0
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 001D85E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 001D85F8
OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,001DFC38,?), ref: 001D8611
GlobalFree.KERNEL32(00000000), ref: 001D8621
GetObjectW.GDI32(?,00000018,?), ref: 001D8641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 001D8671
DeleteObject.GDI32(?), ref: 001D8699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 001D86AF

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 080598317d0fcfb8a3202022fa3a954ea1405efb9724e3d3e4b25533c00f6317
Instruction ID: f09034faf4d2a7d03eeca9e609346f2c0cdb198d0126c658757514b192e55805
Opcode Fuzzy Hash: 080598317d0fcfb8a3202022fa3a954ea1405efb9724e3d3e4b25533c00f6317
Instruction Fuzzy Hash: 5B412875602209AFDB119FA5DC48EAE7BBCFF89B11F10855AF909E7260DB309941CB60

Function 001B14BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 001B1502
VariantCopy.OLEAUT32(?,?), ref: 001B150B
VariantClear.OLEAUT32(?), ref: 001B1517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 001B15FB
VarR8FromDec.OLEAUT32(?,?), ref: 001B1657
VariantInit.OLEAUT32(?), ref: 001B1708
SysFreeString.OLEAUT32(?), ref: 001B178C
VariantClear.OLEAUT32(?), ref: 001B17D8
VariantClear.OLEAUT32(?), ref: 001B17E7
VariantInit.OLEAUT32(00000000), ref: 001B1823

Strings

Default, xrefs: 001B16AF
%4d%02d%02d%02d%02d%02d, xrefs: 001B1625

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: fc4d9f8e37c4aa86383b313577c9624fc42e7a281f31bed53bfe8a40365bce85
Instruction ID: 68bca7cc80ced9700bdff747a8c219ee6b2508515bf7d0b4f679b34992a00d6c
Opcode Fuzzy Hash: fc4d9f8e37c4aa86383b313577c9624fc42e7a281f31bed53bfe8a40365bce85
Instruction Fuzzy Hash: 62D13432A00115FBCB249F64E8A4BBDB7B5BF46700F92855AF807AB190DB30DC45DBA1

Function 001CB60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00149CB3: _wcslen.LIBCMT ref: 00149CBD

Part of subcall function 001CC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,001CB6AE,?,?), ref: 001CC9B5
Part of subcall function 001CC998: _wcslen.LIBCMT ref: 001CC9F1
Part of subcall function 001CC998: _wcslen.LIBCMT ref: 001CCA68
Part of subcall function 001CC998: _wcslen.LIBCMT ref: 001CCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 001CB6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 001CB772
RegDeleteValueW.ADVAPI32(?,?), ref: 001CB80A
RegCloseKey.ADVAPI32(?), ref: 001CB87E
RegCloseKey.ADVAPI32(?), ref: 001CB89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 001CB8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 001CB904
RegDeleteKeyW.ADVAPI32(?,?), ref: 001CB922
FreeLibrary.KERNEL32(00000000), ref: 001CB983
RegCloseKey.ADVAPI32(00000000), ref: 001CB994

Strings

RegDeleteKeyExW, xrefs: 001CB8FE
advapi32.dll, xrefs: 001CB8ED

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: f00e429b0b2e8e6ce33bb7ac74b764677605d8d4837d5c16527c1764cce74471
Instruction ID: 8fe7c3fbcfe01bb175dfa5f10e61d8d01453aec19142123bc0919ef08619ef2d
Opcode Fuzzy Hash: f00e429b0b2e8e6ce33bb7ac74b764677605d8d4837d5c16527c1764cce74471
Instruction Fuzzy Hash: 4AC18B74209242AFD714DF24C4D6F2ABBE5BF94308F14855CF49A8B6A2CB35EC45CB92

Function 001C255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 001C25D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 001C25E8
CreateCompatibleDC.GDI32(?), ref: 001C25F4
SelectObject.GDI32(00000000,?), ref: 001C2601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 001C266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 001C26AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 001C26D0
SelectObject.GDI32(?,?), ref: 001C26D8
DeleteObject.GDI32(?), ref: 001C26E1
DeleteDC.GDI32(?), ref: 001C26E8
ReleaseDC.USER32(00000000,?), ref: 001C26F3

Strings

(, xrefs: 001C268D

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 48ad0a441f18a2f9c2a729882f50174f315ca5c1e8c708a9536fa2798232981d
Instruction ID: f13369aef1000663faad6eb001887ca5169d2309c974f12f2472f2ca0242da36
Opcode Fuzzy Hash: 48ad0a441f18a2f9c2a729882f50174f315ca5c1e8c708a9536fa2798232981d
Instruction Fuzzy Hash: AE61F5B5D0121AEFCF04CFA4D885EAEBBB6FF58310F20851AE955A7250D770A941CFA0

Function 0017DA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0017DAA1

Part of subcall function 0017D63C: _free.LIBCMT ref: 0017D659
Part of subcall function 0017D63C: _free.LIBCMT ref: 0017D66B
Part of subcall function 0017D63C: _free.LIBCMT ref: 0017D67D
Part of subcall function 0017D63C: _free.LIBCMT ref: 0017D68F
Part of subcall function 0017D63C: _free.LIBCMT ref: 0017D6A1
Part of subcall function 0017D63C: _free.LIBCMT ref: 0017D6B3
Part of subcall function 0017D63C: _free.LIBCMT ref: 0017D6C5
Part of subcall function 0017D63C: _free.LIBCMT ref: 0017D6D7
Part of subcall function 0017D63C: _free.LIBCMT ref: 0017D6E9
Part of subcall function 0017D63C: _free.LIBCMT ref: 0017D6FB
Part of subcall function 0017D63C: _free.LIBCMT ref: 0017D70D
Part of subcall function 0017D63C: _free.LIBCMT ref: 0017D71F
Part of subcall function 0017D63C: _free.LIBCMT ref: 0017D731

_free.LIBCMT ref: 0017DA96

Part of subcall function 001729C8: HeapFree.KERNEL32(00000000,00000000,?,0017D7D1,00000000,00000000,00000000,00000000,?,0017D7F8,00000000,00000007,00000000,?,0017DBF5,00000000), ref: 001729DE
Part of subcall function 001729C8: GetLastError.KERNEL32(00000000,?,0017D7D1,00000000,00000000,00000000,00000000,?,0017D7F8,00000000,00000007,00000000,?,0017DBF5,00000000,00000000), ref: 001729F0

_free.LIBCMT ref: 0017DAB8
_free.LIBCMT ref: 0017DACD
_free.LIBCMT ref: 0017DAD8
_free.LIBCMT ref: 0017DAFA
_free.LIBCMT ref: 0017DB0D
_free.LIBCMT ref: 0017DB1B
_free.LIBCMT ref: 0017DB26
_free.LIBCMT ref: 0017DB5E
_free.LIBCMT ref: 0017DB65
_free.LIBCMT ref: 0017DB82
_free.LIBCMT ref: 0017DB9A

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 98f2aa1a43219c7336b0de4df0921821873494bf3b3b19de7ca5c6d449403593
Instruction ID: 7b9efbe9b04109fc280035a91de74810e8c9aba553ea0c598b984e48c38ca2a8
Opcode Fuzzy Hash: 98f2aa1a43219c7336b0de4df0921821873494bf3b3b19de7ca5c6d449403593
Instruction Fuzzy Hash: 9B3149316443099FEB22AA39E845B5AB7F9FF21314F19C829E54DD7192DF31AC818B20

Function 001A365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 001A369C
_wcslen.LIBCMT ref: 001A36A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 001A3797
GetClassNameW.USER32(?,?,00000400), ref: 001A380C
GetDlgCtrlID.USER32(?), ref: 001A385D
GetWindowRect.USER32(?,?), ref: 001A3882
GetParent.USER32(?), ref: 001A38A0
ScreenToClient.USER32(00000000), ref: 001A38A7
GetClassNameW.USER32(?,?,00000100), ref: 001A3921
GetWindowTextW.USER32(?,?,00000400), ref: 001A395D

Strings

%s%u, xrefs: 001A3734

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: 6fc90643cc5b1c3de4783812deb9b86b0c4966a9a3a70b57ad5137f6140622be
Instruction ID: e9b5639df3517ff68d589fe50cddbaa4ecdd23c3471967bf91d4ab22bd805e97
Opcode Fuzzy Hash: 6fc90643cc5b1c3de4783812deb9b86b0c4966a9a3a70b57ad5137f6140622be
Instruction Fuzzy Hash: 1091E175204606AFDB08DF24C885BEBF7A8FF45354F008629F9A9C2190DB34EA56CBD1

Function 001A4954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 001A4994
GetWindowTextW.USER32(?,?,00000400), ref: 001A49DA
_wcslen.LIBCMT ref: 001A49EB
CharUpperBuffW.USER32(?,00000000), ref: 001A49F7
_wcsstr.LIBVCRUNTIME ref: 001A4A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 001A4A64
GetWindowTextW.USER32(?,?,00000400), ref: 001A4A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 001A4AE6
GetClassNameW.USER32(?,?,00000400), ref: 001A4B20
GetWindowRect.USER32(?,?), ref: 001A4B8B

Strings

ThumbnailClass, xrefs: 001A4A6F, 001A4AF1

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: 43dec076622db6628a2a7c78ac62284ae24e2e8b119c4ad69e9af11b939757fa
Instruction ID: 58322c7d11103d0711d77a880469cfcd63b3d6cfec0694e83462098b75d76033
Opcode Fuzzy Hash: 43dec076622db6628a2a7c78ac62284ae24e2e8b119c4ad69e9af11b939757fa
Instruction Fuzzy Hash: DF91DF750052069FDB04CF14C981BABB7E8FFD6314F04846AFD8A9A196DBB0ED45CBA1

Function 001D8D0E Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00159BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00159BB2

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 001D8D5A
GetFocus.USER32 ref: 001D8D6A
GetDlgCtrlID.USER32(00000000), ref: 001D8D75
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 001D8E1D
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 001D8ECF
GetMenuItemCount.USER32(?), ref: 001D8EEC
GetMenuItemID.USER32(?,00000000), ref: 001D8EFC
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 001D8F2E
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 001D8F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 001D8FA1

Strings

0, xrefs: 001D8E9F

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: ba9396aa1d72c6613c2fc8f4f57a60131137873de8004ac5e065b4922fefe558
Instruction ID: 23463da81f8931dc156315b0871799ccfa40e1521e78107108bcea3af31f9c0a
Opcode Fuzzy Hash: ba9396aa1d72c6613c2fc8f4f57a60131137873de8004ac5e065b4922fefe558
Instruction Fuzzy Hash: E381BF715093019FDB10CF28D884AABBBE9FB98714F040A1EF99497391DB30D941CFA1

Function 001ABF30 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00211990,000000FF,00000000,00000030), ref: 001ABFAC
SetMenuItemInfoW.USER32(00211990,00000004,00000000,00000030), ref: 001ABFE1
Sleep.KERNEL32(000001F4), ref: 001ABFF3
GetMenuItemCount.USER32(?), ref: 001AC039
GetMenuItemID.USER32(?,00000000), ref: 001AC056
GetMenuItemID.USER32(?,-00000001), ref: 001AC082
GetMenuItemID.USER32(?,?), ref: 001AC0C9
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 001AC10F
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 001AC124
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 001AC145

Strings

0, xrefs: 001ABF3D

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep
String ID: 0
API String ID: 1460738036-4108050209
Opcode ID: 523018ecc91b4f8150e5a71f9ac4ed9c65af04233b0923312a617b835ed150e6
Instruction ID: e821b98c999365f647035f1bd805e346939a4f87095d7aebaab7988e4efd3c5b
Opcode Fuzzy Hash: 523018ecc91b4f8150e5a71f9ac4ed9c65af04233b0923312a617b835ed150e6
Instruction Fuzzy Hash: 1961B4B8A0024AEFDF15CF68DD88AEE7BB8EB06344F044555F811A3292C731AD45CBE0

Function 001ADC0E Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 001ADC20
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 001ADC46
_wcslen.LIBCMT ref: 001ADC50
_wcsstr.LIBVCRUNTIME ref: 001ADCA0
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 001ADCBC

Strings

%u.%u.%u.%u, xrefs: 001ADD9A
\VarFileInfo\Translation, xrefs: 001ADCB4
StringFileInfo\, xrefs: 001ADC8F
DefaultLangCodepage, xrefs: 001ADD1F
04090000, xrefs: 001ADCF2

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: d30f7c637abdaaceef3f76bd39fe269416bb49ce2080a1f4e04f44cea667362b
Instruction ID: 715c0f0eaf5469a0c5d93daa8c392f970b41fee11b2aca620f927bae4fc82766
Opcode Fuzzy Hash: d30f7c637abdaaceef3f76bd39fe269416bb49ce2080a1f4e04f44cea667362b
Instruction Fuzzy Hash: E4413672A40701BBDB04A7B0AC07EFF376CEF66750F10046AF901EA1C2EB349921C6A4

Function 001CCC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 001CCC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 001CCC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 001CCD48

Part of subcall function 001CCC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 001CCCAA
Part of subcall function 001CCC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 001CCCBD
Part of subcall function 001CCC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 001CCCCF
Part of subcall function 001CCC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 001CCD05
Part of subcall function 001CCC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 001CCD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 001CCCF3

Strings

RegDeleteKeyExW, xrefs: 001CCCC9
advapi32.dll, xrefs: 001CCCB8

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: b5434ceec3ffda0fda00843b06c15c43b9c7fcce23f2e1348d1a3b013f976004
Instruction ID: f54b1251e240d253922d8936e4a9663c01c57f7f7837a23feadc0fb6efce0591
Opcode Fuzzy Hash: b5434ceec3ffda0fda00843b06c15c43b9c7fcce23f2e1348d1a3b013f976004
Instruction Fuzzy Hash: 3E31617590212ABBDB208B94DC88EFFBB7CEF65750F004569F90AE2141DB349E45DAE0

Function 001B3D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 001B3D40
_wcslen.LIBCMT ref: 001B3D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 001B3D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 001B3DBE
RemoveDirectoryW.KERNEL32(?), ref: 001B3DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 001B3E55
CloseHandle.KERNEL32(00000000), ref: 001B3E60
CloseHandle.KERNEL32(00000000), ref: 001B3E6B

Strings

\??\%s, xrefs: 001B3D5B
:, xrefs: 001B3D82
\, xrefs: 001B3D77

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: 078ab2578a45c6343341f68818bcf660264b69e07f8d047ade6d6d25d8c09e26
Instruction ID: 333c96ba2a49c211d63fb208b7de5fea9c79ffa71054090bf8c6057cb0694ff2
Opcode Fuzzy Hash: 078ab2578a45c6343341f68818bcf660264b69e07f8d047ade6d6d25d8c09e26
Instruction Fuzzy Hash: B131B27694021AABDB209BA0DC49FEF37BDEF89700F5041B6F615D6060EB709794CB64

Function 001AE6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 001AE6B4

Part of subcall function 0015E551: timeGetTime.WINMM(?,?,001AE6D4), ref: 0015E555

Sleep.KERNEL32(0000000A), ref: 001AE6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 001AE705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 001AE727
SetActiveWindow.USER32 ref: 001AE746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 001AE754
SendMessageW.USER32(00000010,00000000,00000000), ref: 001AE773
Sleep.KERNEL32(000000FA), ref: 001AE77E
IsWindow.USER32 ref: 001AE78A
EndDialog.USER32(00000000), ref: 001AE79B

Strings

BUTTON, xrefs: 001AE719

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: b1a64ba9812b3706cd0d254baf8531534466f5632b3eb4c095ad2ee516e94760
Instruction ID: 4f33a7f7e355f7da48044469011f4a819e4941f64c094b077b30ea0de6a3ca1e
Opcode Fuzzy Hash: b1a64ba9812b3706cd0d254baf8531534466f5632b3eb4c095ad2ee516e94760
Instruction Fuzzy Hash: FE21A478301255EFEB005FA0FC8DB653BADF7A6348F004826F915825E1DF71AC64CAA4

Function 001AE9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00149CB3: _wcslen.LIBCMT ref: 00149CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 001AEA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 001AEA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 001AEA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 001AEA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 001AEAA7

Strings

close PlayMe, xrefs: 001AEA6E, 001AEA9B
open , xrefs: 001AEA0C
play PlayMe, xrefs: 001AEAA2
play PlayMe wait, xrefs: 001AEA91
status PlayMe mode, xrefs: 001AEA58
alias PlayMe, xrefs: 001AEA36

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: 3cfc1402a9ca6d8a5fd2265dc955409625b8254b4779764164e84345c106f2be
Instruction ID: 8df496c8acaaddacd70d1ccb8936bb54f4af020428ca478795741307a43038ec
Opcode Fuzzy Hash: 3cfc1402a9ca6d8a5fd2265dc955409625b8254b4779764164e84345c106f2be
Instruction Fuzzy Hash: 22112135AA025D79E720A7A5DC4EEFF7ABCEBD2B00F440429B411A34E2EB705965C5B0

Function 001A5CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 001A5CE2
GetWindowRect.USER32(00000000,?), ref: 001A5CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 001A5D59
GetDlgItem.USER32(?,00000002), ref: 001A5D69
GetWindowRect.USER32(00000000,?), ref: 001A5D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 001A5DCF
GetDlgItem.USER32(?,000003E9), ref: 001A5DDD
GetWindowRect.USER32(00000000,?), ref: 001A5DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 001A5E31
GetDlgItem.USER32(?,000003EA), ref: 001A5E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 001A5E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 001A5E67

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 603965d3c30a1d57539143f64ed1b269a3c70754491f8d95b9f3fa41ba283aed
Instruction ID: a6c551676e9944193a38bb168534c13d1556080757bedaab4a88960a4461ac1a
Opcode Fuzzy Hash: 603965d3c30a1d57539143f64ed1b269a3c70754491f8d95b9f3fa41ba283aed
Instruction Fuzzy Hash: E5513074B01616AFDF18CFA8CD89AAEBBB6FB49310F108129F515E7690D7709E40CB60

Function 00158BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00158F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00158BE8,?,00000000,?,?,?,?,00158BBA,00000000,?), ref: 00158FC5

DestroyWindow.USER32(?), ref: 00158C81
KillTimer.USER32(00000000,?,?,?,?,00158BBA,00000000,?), ref: 00158D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00196973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00158BBA,00000000,?), ref: 001969A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00158BBA,00000000,?), ref: 001969B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00158BBA,00000000), ref: 001969D4
DeleteObject.GDI32(00000000), ref: 001969E6

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: caf89d8f828f09cb4edccfe23153a4b52adc84bcf7b75ccc494dcd1a843e0653
Instruction ID: 9fc043a26e53c1f9d9860fa48f2a7d0a201ee63438a0de849424868d4363e315
Opcode Fuzzy Hash: caf89d8f828f09cb4edccfe23153a4b52adc84bcf7b75ccc494dcd1a843e0653
Instruction Fuzzy Hash: A2619D30502701DFDF259F14D948BAAB7F1FB50316F148919E562AB960CB71AC94DFA0

Function 00159838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00159944: GetWindowLongW.USER32(?,000000EB), ref: 00159952

GetSysColor.USER32(0000000F), ref: 00159862

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 9b270f76f2299aa5234ed61c8736848aacd94a2575cf019b7cf0f37853e44fa9
Instruction ID: 3145128e06a9d2ac0a68cf7ed8a975e4afd45bd846a93fe9bf63b702860608cf
Opcode Fuzzy Hash: 9b270f76f2299aa5234ed61c8736848aacd94a2575cf019b7cf0f37853e44fa9
Instruction Fuzzy Hash: 1441AF31105654EFDF205F38DC88BB93BA5AB06332F154A06F9B28F2E1D7319885DB52

Function 001A96E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,0018F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 001A9717
LoadStringW.USER32(00000000,?,0018F7F8,00000001), ref: 001A9720

Part of subcall function 00149CB3: _wcslen.LIBCMT ref: 00149CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,0018F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 001A9742
LoadStringW.USER32(00000000,?,0018F7F8,00000001), ref: 001A9745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 001A9866

Strings

^ ERROR, xrefs: 001A97FB
%s (%d) : ==> %s: %s %s, xrefs: 001A984A
Error: , xrefs: 001A981D
Line %d (File "%s"):, xrefs: 001A978F
Line %d:, xrefs: 001A97A0

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 6bccd24ff1ae2eeefaa5d5e4a2b7ae54ab2a7008b0ac0bf8622840b7bf34f6dd
Instruction ID: 3d48dfcb84665d631612fb0bc955c086909cef1d513bc9762e6d00c3146e313a
Opcode Fuzzy Hash: 6bccd24ff1ae2eeefaa5d5e4a2b7ae54ab2a7008b0ac0bf8622840b7bf34f6dd
Instruction Fuzzy Hash: 51414E72800219AADF14EFE0DD86DEFB778AF26340F500065F605760A2EB356F59CBA1

Function 001A06DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00146B57: _wcslen.LIBCMT ref: 00146B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 001A07A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 001A07BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 001A07DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 001A0804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 001A082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 001A0837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 001A083C

Strings

\CLSID, xrefs: 001A0724
\IPC$, xrefs: 001A0784
SOFTWARE\Classes\, xrefs: 001A070E

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 86b084335eae5a86336d036e83b64053bb216fc7d336ebbe22043574795feff6
Instruction ID: 94e81a818098d30d9f7b850def59ecafadd2f0542a6f2f93212383c133d5452d
Opcode Fuzzy Hash: 86b084335eae5a86336d036e83b64053bb216fc7d336ebbe22043574795feff6
Instruction Fuzzy Hash: 4D410476C11229ABDF11EFA4DC958EEB778FF18350F45412AE901A31A1EB309E44CBA0

Function 001C3C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 001C3C5C
CoInitialize.OLE32(00000000), ref: 001C3C8A
CoUninitialize.OLE32 ref: 001C3C94
_wcslen.LIBCMT ref: 001C3D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 001C3DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 001C3ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 001C3F0E
CoGetObject.OLE32(?,00000000,001DFB98,?), ref: 001C3F2D
SetErrorMode.KERNEL32(00000000), ref: 001C3F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 001C3FC4
VariantClear.OLEAUT32(?), ref: 001C3FD8

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: 822a74c1bf9687463c51ba65725d3c43db9e5bd15990d36fe2790ff507fc7abf
Instruction ID: c28af968247d8adcfca4660e5af5d25d67f6f23e77fe11ea636227664e464bdd
Opcode Fuzzy Hash: 822a74c1bf9687463c51ba65725d3c43db9e5bd15990d36fe2790ff507fc7abf
Instruction Fuzzy Hash: 9CC123716082059FD700DF68C884E6BB7E9FF99744F00891DF99A9B260D730EE46CB92

Function 001B7A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 001B7AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 001B7B8F
SHGetDesktopFolder.SHELL32(?), ref: 001B7BA3
CoCreateInstance.OLE32(001DFD08,00000000,00000001,00206E6C,?), ref: 001B7BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 001B7C74
CoTaskMemFree.OLE32(?,?), ref: 001B7CCC
SHBrowseForFolderW.SHELL32(?), ref: 001B7D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 001B7D7A
CoTaskMemFree.OLE32(00000000), ref: 001B7D81
CoTaskMemFree.OLE32(00000000), ref: 001B7DD6
CoUninitialize.OLE32 ref: 001B7DDC

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: 953dee8d0e9a457d3876ddbe38077dad0aaa942b286915bad66d70960a4aee53
Instruction ID: ffa5d0c71054c43b0bcd439decef4ef3c61823e6c73f53175a6699994c51014e
Opcode Fuzzy Hash: 953dee8d0e9a457d3876ddbe38077dad0aaa942b286915bad66d70960a4aee53
Instruction Fuzzy Hash: BCC11A75A05109AFCB14DFA4C894DAEBBF9FF48304B148499E81ADB7A1D730EE45CB90

Function 001D541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 001D5504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 001D5515
CharNextW.USER32(00000158), ref: 001D5544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 001D5585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 001D559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 001D55AC

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: f1f8ac76efc12b8795485de61f21b56b0fa2cda16348cb2f328909bcf6602aee
Instruction ID: 94507905809a10cad940bf8c064fcb1596de7a94156ce33a1476f7ef96d7130a
Opcode Fuzzy Hash: f1f8ac76efc12b8795485de61f21b56b0fa2cda16348cb2f328909bcf6602aee
Instruction Fuzzy Hash: 9F618D30901609EBDF149F54DC84EFE7BBAEB09764F10854BF925A6390D7748A80DBA1

Function 0019FA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 0019FAAF
SafeArrayAllocData.OLEAUT32(?), ref: 0019FB08
VariantInit.OLEAUT32(?), ref: 0019FB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 0019FB3A
VariantCopy.OLEAUT32(?,?), ref: 0019FB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 0019FBA1
VariantClear.OLEAUT32(?), ref: 0019FBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 0019FBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0019FBCC
VariantClear.OLEAUT32(?), ref: 0019FBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0019FBE9

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: ee83b951bf524f527d8543e1b5cce79d06e195eb55486dbc244082d109acd932
Instruction ID: 8a313359bdcd5e08dccf277eb87d808d14acfc80eba65176cfdb6a9e15ce03b8
Opcode Fuzzy Hash: ee83b951bf524f527d8543e1b5cce79d06e195eb55486dbc244082d109acd932
Instruction Fuzzy Hash: 55415F35A0121AEFCF04DF68C8549EEBBB9EF18344F008469E916E7661CB34A946CBD0

Function 001A9C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 001A9CA1
GetAsyncKeyState.USER32(000000A0), ref: 001A9D22
GetKeyState.USER32(000000A0), ref: 001A9D3D
GetAsyncKeyState.USER32(000000A1), ref: 001A9D57
GetKeyState.USER32(000000A1), ref: 001A9D6C
GetAsyncKeyState.USER32(00000011), ref: 001A9D84
GetKeyState.USER32(00000011), ref: 001A9D96
GetAsyncKeyState.USER32(00000012), ref: 001A9DAE
GetKeyState.USER32(00000012), ref: 001A9DC0
GetAsyncKeyState.USER32(0000005B), ref: 001A9DD8
GetKeyState.USER32(0000005B), ref: 001A9DEA

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 58d64cba86da089d7c814e81b0e1e23ab09a279863e4ee7939ae8284cd023d58
Instruction ID: 158d5039ac290520da849835b12e787d9719269bfaa03b7914a97d208b1ff951
Opcode Fuzzy Hash: 58d64cba86da089d7c814e81b0e1e23ab09a279863e4ee7939ae8284cd023d58
Instruction Fuzzy Hash: F541DA38605BCA6DFF3197B0C8443B5BEE06F13354F04805ADAC65A5C2EBA599C8C792

Function 001C055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 001C05BC
inet_addr.WSOCK32(?), ref: 001C061C
gethostbyname.WSOCK32(?), ref: 001C0628
IcmpCreateFile.IPHLPAPI ref: 001C0636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 001C06C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 001C06E5
IcmpCloseHandle.IPHLPAPI(?), ref: 001C07B9
WSACleanup.WSOCK32 ref: 001C07BF

Strings

Ping, xrefs: 001C0676

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: fe111c3d87736f812495a311a8ebbdbbebd80563226e7b5598274490878761e6
Instruction ID: 3c68d58e774a66d93033247f8b87c5f5ce2f59de32947aae696fc1f3f9dceff3
Opcode Fuzzy Hash: fe111c3d87736f812495a311a8ebbdbbebd80563226e7b5598274490878761e6
Instruction Fuzzy Hash: 3E918C35609301DFD725CF15C889F1ABBE0AF58318F1589ADE4A98BAA2C730ED45CF81

Function 001C8CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 001C8CF3

Part of subcall function 001A8E54: _wcslen.LIBCMT ref: 001A8E77

_wcslen.LIBCMT ref: 001C8D4E
_wcslen.LIBCMT ref: 001C8D9C
_wcslen.LIBCMT ref: 001C8DDC
_wcslen.LIBCMT ref: 001C8E6E

Strings

none, xrefs: 001C8E65, 001C8E6A
winapi, xrefs: 001C8D96, 001C8D9B
stdcall, xrefs: 001C8DD6, 001C8DDB
cdecl, xrefs: 001C8D48, 001C8D4D

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: 39faa4d8c63ad9583ae6ca829e5ac1ed4f722eaa9d0a835c83d84dbd2710f8b3
Instruction ID: eaf1fbe081c803483e1e15260c6dc36add7bd0b98133a2308fe51aabc882376f
Opcode Fuzzy Hash: 39faa4d8c63ad9583ae6ca829e5ac1ed4f722eaa9d0a835c83d84dbd2710f8b3
Instruction Fuzzy Hash: 8F518F31A001169BCB14DFACC991ABEB7A6BF75724B21422DE826E72C5DB31DD40C790

Function 001C372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 001C3774
CoUninitialize.OLE32 ref: 001C377F
CoCreateInstance.OLE32(?,00000000,00000017,001DFB78,?), ref: 001C37D9
IIDFromString.OLE32(?,?), ref: 001C384C
VariantInit.OLEAUT32(?), ref: 001C38E4
VariantClear.OLEAUT32(?), ref: 001C3936

Strings

Invalid parameter, xrefs: 001C3865
Failed to create object, xrefs: 001C37E4, 001C389A
NULL Pointer assignment, xrefs: 001C381E

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: f238b3e8141679fa245b60b524e937d55e507fe66922323588e7f069655165e5
Instruction ID: bf15afba8726334addbc7097291549a00c1b66dbe7a856ffedaed916f494ffbc
Opcode Fuzzy Hash: f238b3e8141679fa245b60b524e937d55e507fe66922323588e7f069655165e5
Instruction Fuzzy Hash: 5661C370608301AFD711DF54C889F6ABBE4EF69714F00891DF9959B2A1D770EE48CB92

Function 001D8B02 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00159BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00159BB2

Part of subcall function 0015912D: GetCursorPos.USER32(?), ref: 00159141
Part of subcall function 0015912D: ScreenToClient.USER32(00000000,?), ref: 0015915E
Part of subcall function 0015912D: GetAsyncKeyState.USER32(00000001), ref: 00159183
Part of subcall function 0015912D: GetAsyncKeyState.USER32(00000002), ref: 0015919D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 001D8B6B
ImageList_EndDrag.COMCTL32 ref: 001D8B71
ReleaseCapture.USER32 ref: 001D8B77
SetWindowTextW.USER32(?,00000000), ref: 001D8C12
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 001D8C25
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 001D8CFF

Strings

@GUI_DROPID, xrefs: 001D8C51
@GUI_DRAGFILE, xrefs: 001D8C9A
p#!, xrefs: 001D8C71

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID$p#!
API String ID: 1924731296-820919411
Opcode ID: 4ea29117daea6fe07a734a0cf6c4c245b1eb920f8683efe589aac97f341ea18c
Instruction ID: 2fd38cefc762e5a6e1cde0adf8f8417b016110b6096cd2bafb43471713bbafc5
Opcode Fuzzy Hash: 4ea29117daea6fe07a734a0cf6c4c245b1eb920f8683efe589aac97f341ea18c
Instruction Fuzzy Hash: FF51AC70205300AFD704DF14DC9AFAA77E4FB98710F000A2EF966972E1DB70A954CBA2

Function 001B3388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 001B33CF

Part of subcall function 00149CB3: _wcslen.LIBCMT ref: 00149CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 001B33F0

Strings

"%s" (%d) : ==> %s:%s%s, xrefs: 001B3504
"%s" (%d) : ==> %s:, xrefs: 001B3522
Error: , xrefs: 001B34D1
^ ERROR , xrefs: 001B349E
Line %d (File "%s"):, xrefs: 001B3443, 001B345C
Incorrect parameters to object property !, xrefs: 001B34AB

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: e064c65f3789b90317684721cd09f3a50fa56a7750b8149f0c6161a311efc937
Instruction ID: 62c575dc89f6ba4c62de2394e30dc384a4edf870030e7e2fc64da3955ac13335
Opcode Fuzzy Hash: e064c65f3789b90317684721cd09f3a50fa56a7750b8149f0c6161a311efc937
Instruction Fuzzy Hash: 6F51907290020AAADF15EBE0DD46EEEB778AF25340F104165F515720A2EB316FA8DB61

Function 001AB5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 001AB5FC
_wcslen.LIBCMT ref: 001AB608
_wcslen.LIBCMT ref: 001AB64D
_wcslen.LIBCMT ref: 001AB68C
_wcslen.LIBCMT ref: 001AB6C7

Strings

KEYS, xrefs: 001AB647, 001AB64C
REMOVE, xrefs: 001AB602, 001AB607
APPEND, xrefs: 001AB6C1, 001AB6C6
EXISTS, xrefs: 001AB686, 001AB68B

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: cae36faeb0112128c1b4e21a17ebeaaf5375141cf3a953a7c10d5723a8f2b109
Instruction ID: df4484db94f4cfb13c562dd48f70e79270ca9179c6cf0d0ee7c11439b9a26e74
Opcode Fuzzy Hash: cae36faeb0112128c1b4e21a17ebeaaf5375141cf3a953a7c10d5723a8f2b109
Instruction Fuzzy Hash: 88413936A081678BCB105F7DCCD05BEB7A1EF72754B254129E429DB282E731CC81C390

Function 001B5393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 001B53A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 001B5416
GetLastError.KERNEL32 ref: 001B5420
SetErrorMode.KERNEL32(00000000,READY), ref: 001B54A7

Strings

READY, xrefs: 001B5460, 001B5468
INVALID, xrefs: 001B5459
UNKNOWN, xrefs: 001B5444
NOTREADY, xrefs: 001B544B
READONLY, xrefs: 001B5452

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 56f7f78bc32b1745e098f2668714aec8049089bae6413de437770e550fcc63e1
Instruction ID: 644d5c97d02463f932258ad0b71a709764fb002837ae146bdc53d1a6e7eda986
Opcode Fuzzy Hash: 56f7f78bc32b1745e098f2668714aec8049089bae6413de437770e550fcc63e1
Instruction Fuzzy Hash: 9B31A135A00605DFD714DF68C488BEABBB5EF55305F148065E405CF2A2EB71ED86CBA0

Function 001D3C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 001D3C79
SetMenu.USER32(?,00000000), ref: 001D3C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 001D3D10
IsMenu.USER32(?), ref: 001D3D24
CreatePopupMenu.USER32 ref: 001D3D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 001D3D5B
DrawMenuBar.USER32 ref: 001D3D63

Strings

F, xrefs: 001D3D4E
0, xrefs: 001D3C54

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: 4aa73e0173ea4efcc5bfec58dda3a7cbf0c682134870f011745b8095f9d42431
Instruction ID: de40995df5db21721d3ef82138ab9519ad11fa9f2e757dc2a2bd5634c2699962
Opcode Fuzzy Hash: 4aa73e0173ea4efcc5bfec58dda3a7cbf0c682134870f011745b8095f9d42431
Instruction Fuzzy Hash: 43417E75A0260AEFDF14CFA4E844ADA77B6FF49350F14052AF95697360D730AA10CF91

Function 001A1EDF Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00149CB3: _wcslen.LIBCMT ref: 00149CBD

Part of subcall function 001A3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 001A3CCA

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 001A1F64
GetDlgCtrlID.USER32 ref: 001A1F6F
GetParent.USER32 ref: 001A1F8B
SendMessageW.USER32(00000000,?,00000111,?), ref: 001A1F8E
GetDlgCtrlID.USER32(?), ref: 001A1F97
GetParent.USER32(?), ref: 001A1FAB
SendMessageW.USER32(00000000,?,00000111,?), ref: 001A1FAE

Strings

ListBox, xrefs: 001A1F21
ComboBox, xrefs: 001A1EEC

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 15a6069cc1507ed4d22cb88e23ee25c177996fafc9fb79473ed2b1b7dc28c759
Instruction ID: 5810c2f6bd241b7807c697618e172e4b70051f64da2e4311631f9599018084ba
Opcode Fuzzy Hash: 15a6069cc1507ed4d22cb88e23ee25c177996fafc9fb79473ed2b1b7dc28c759
Instruction Fuzzy Hash: 0421C278901214BFCF04AFA0DC85EEEBBB8EF16310F000516F961672E1CB349958DBA0

Function 001D3A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 001D3A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 001D3AA0
GetWindowLongW.USER32(?,000000F0), ref: 001D3AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 001D3AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 001D3B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 001D3BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 001D3BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 001D3BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 001D3BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 001D3C13

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: 5cb6f9cd3e54ac3624e50a11c91c4524dac2eeb85051e6e5a2aa85706ed33f4f
Instruction ID: 6ae1a3f6e54c0d606741af4f1d593ea292b855acd1c33621dcf672e7e5663d41
Opcode Fuzzy Hash: 5cb6f9cd3e54ac3624e50a11c91c4524dac2eeb85051e6e5a2aa85706ed33f4f
Instruction Fuzzy Hash: B0616A75A00208AFDB10DFA8CC85EEE77B8EB19700F10419AFA25A73A1D770AE55DB50

Function 001AB12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 001AB151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,001AA1E1,?,00000001), ref: 001AB165
GetWindowThreadProcessId.USER32(00000000), ref: 001AB16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,001AA1E1,?,00000001), ref: 001AB17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 001AB18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,001AA1E1,?,00000001), ref: 001AB1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,001AA1E1,?,00000001), ref: 001AB1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,001AA1E1,?,00000001), ref: 001AB1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,001AA1E1,?,00000001), ref: 001AB212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,001AA1E1,?,00000001), ref: 001AB21D

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 58e3a39b7b190f30e329a5eb36b4149c095a5d905695ce1131886384092b4eb6
Instruction ID: a96c6b48c28b80182fd067bc2ee49e04ee36b120e1647979c332d4a140264c4f
Opcode Fuzzy Hash: 58e3a39b7b190f30e329a5eb36b4149c095a5d905695ce1131886384092b4eb6
Instruction Fuzzy Hash: 1A31BF79505344BFDB10DF24FC88BAD7BAABB66351F118407FA00D6291DBB4AA40CF60

Function 00172C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00172C94

Part of subcall function 001729C8: HeapFree.KERNEL32(00000000,00000000,?,0017D7D1,00000000,00000000,00000000,00000000,?,0017D7F8,00000000,00000007,00000000,?,0017DBF5,00000000), ref: 001729DE
Part of subcall function 001729C8: GetLastError.KERNEL32(00000000,?,0017D7D1,00000000,00000000,00000000,00000000,?,0017D7F8,00000000,00000007,00000000,?,0017DBF5,00000000,00000000), ref: 001729F0

_free.LIBCMT ref: 00172CA0
_free.LIBCMT ref: 00172CAB
_free.LIBCMT ref: 00172CB6
_free.LIBCMT ref: 00172CC1
_free.LIBCMT ref: 00172CCC
_free.LIBCMT ref: 00172CD7
_free.LIBCMT ref: 00172CE2
_free.LIBCMT ref: 00172CED
_free.LIBCMT ref: 00172CFB

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 2baf68e42677bab7ec403361dcfab9c94e36466ff95845822e41e8aa746aaee6
Instruction ID: 5812c7a037441d541cf340bbb0ccae2e9635aaadb43f0c079ef29f593c2aad59
Opcode Fuzzy Hash: 2baf68e42677bab7ec403361dcfab9c94e36466ff95845822e41e8aa746aaee6
Instruction Fuzzy Hash: 3D11C376100118AFCB02EF64D882CDD7BB5FF19354F4584A4FA4C9B222DB31EA919B90

Function 00141410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00141459
OleUninitialize.OLE32(?,00000000), ref: 001414F8
UnregisterHotKey.USER32(?), ref: 001416DD
DestroyWindow.USER32(?), ref: 001824B9
FreeLibrary.KERNEL32(?), ref: 0018251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0018254B

Strings

close all, xrefs: 00141454

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 2f345d96d422ac78a3cd2c0ded4f540d49dc95e7129d44871827a0e6332baea1
Instruction ID: d1f67b834ec18a870cfdf7fd0dd9c75832527e6cf3f84fbaa3a2060cc3346bd4
Opcode Fuzzy Hash: 2f345d96d422ac78a3cd2c0ded4f540d49dc95e7129d44871827a0e6332baea1
Instruction Fuzzy Hash: 7FD17131702212DFCB1AEF14D499B69F7A4BF15700F2542ADE84A6B262DB30ED56CF90

Function 001B7DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 001B7FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 001B7FC1
GetFileAttributesW.KERNEL32(?), ref: 001B7FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 001B8005
SetCurrentDirectoryW.KERNEL32(?), ref: 001B8017
SetCurrentDirectoryW.KERNEL32(?), ref: 001B8060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 001B80B0

Strings

*.*, xrefs: 001B8066

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: e434f38241fca8e8a44e71940518a1e64a45531bf49f569555e99f954dd6c11d
Instruction ID: 63deb88b8c04e97fc869f08748b1236ced7edc80212617a7c9764f8b602a7033
Opcode Fuzzy Hash: e434f38241fca8e8a44e71940518a1e64a45531bf49f569555e99f954dd6c11d
Instruction Fuzzy Hash: 4F818F725082019BCB24EF14C844AAEB3E8BFD9754F144C5EF885DB2A0EB35DD49CB92

Function 00145BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00145C7A

Part of subcall function 00145D0A: GetClientRect.USER32(?,?), ref: 00145D30
Part of subcall function 00145D0A: GetWindowRect.USER32(?,?), ref: 00145D71
Part of subcall function 00145D0A: ScreenToClient.USER32(?,?), ref: 00145D99

GetDC.USER32 ref: 001846F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00184708
SelectObject.GDI32(00000000,00000000), ref: 00184716
SelectObject.GDI32(00000000,00000000), ref: 0018472B
ReleaseDC.USER32(?,00000000), ref: 00184733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 001847C4

Strings

U, xrefs: 00184693

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 79110dd7ab7949b648bf1e5cf4dc2a996157d0763199f4d4c40d0a5d22b46fc1
Instruction ID: d6390585c9df76f052e5e05c9a4c817f62e71aaddd0df34b6386fbfdb95ab669
Opcode Fuzzy Hash: 79110dd7ab7949b648bf1e5cf4dc2a996157d0763199f4d4c40d0a5d22b46fc1
Instruction Fuzzy Hash: 73712430400206DFCF25EF64C984AFA3BB6FF5A360F24422AED515A266CB308E81DF50

Function 001B359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 001B35E4

Part of subcall function 00149CB3: _wcslen.LIBCMT ref: 00149CBD

LoadStringW.USER32(00212390,?,00000FFF,?), ref: 001B360A

Strings

^ ERROR, xrefs: 001B36C9
"%s" (%d) : ==> %s:%s%s, xrefs: 001B3724
"%s" (%d) : ==> %s:, xrefs: 001B3742
Error: , xrefs: 001B36EF
Line %d (File "%s"):, xrefs: 001B366B

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: f8ffd5a1e90dca507237eed312ab1f3dbb900234f07e938c871489dc777b7b52
Instruction ID: b8c0a9de77efae07e9a3c7d6890ad8969312bea64b2fbd8d7f776ceb25ed6541
Opcode Fuzzy Hash: f8ffd5a1e90dca507237eed312ab1f3dbb900234f07e938c871489dc777b7b52
Instruction Fuzzy Hash: 2C51607290020ABADF14EFA0DC46EEEBB78AF25300F144165F515721A2DF311BA9DFA1

Function 001BC253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 001BC272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 001BC29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 001BC2CA
GetLastError.KERNEL32 ref: 001BC322
SetEvent.KERNEL32(?), ref: 001BC336
InternetCloseHandle.WININET(00000000), ref: 001BC341

Strings

, xrefs: 001BC2BB

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: a599e7b3fe8cf7e937dcf8e93af8a2c9d9ebf8f4ea4b44cdf9599be449650e20
Instruction ID: c9e676346adff867f74b3a270fea34c6982442845a6dd7d09aabefb177a5e480
Opcode Fuzzy Hash: a599e7b3fe8cf7e937dcf8e93af8a2c9d9ebf8f4ea4b44cdf9599be449650e20
Instruction Fuzzy Hash: DF319AB1601208AFD7219FA58C88AEB7BFCFB99740B54891EF486D2210DB34DD44CBE0

Function 001A989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00183AAF,?,?,Bad directive syntax error,001DCC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 001A98BC
LoadStringW.USER32(00000000,?,00183AAF,?), ref: 001A98C3

Part of subcall function 00149CB3: _wcslen.LIBCMT ref: 00149CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 001A9987

Strings

%s (%d) : ==> %s.: %s %s, xrefs: 001A98F1
Error: , xrefs: 001A9955
., xrefs: 001A996D
Line %d (File "%s"):, xrefs: 001A992D
Line %d:, xrefs: 001A9912

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: b3c9757dfe65d425962f8675952850799e9310db71292126ed529203fa97a7d0
Instruction ID: 1a07a6baaa55814c67c01e21c433dd1fdbb35f4246b88384d2da8f912bc22a31
Opcode Fuzzy Hash: b3c9757dfe65d425962f8675952850799e9310db71292126ed529203fa97a7d0
Instruction Fuzzy Hash: 99218D3280021AFBDF15AF90CC0AEEE7779BF29704F04446AF515660A2EB319668DB50

Function 001A209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 001A20AB
GetClassNameW.USER32(00000000,?,00000100), ref: 001A20C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 001A214D

Strings

SHELLDLL_DefView, xrefs: 001A20CC
list, xrefs: 001A212F
largeicons, xrefs: 001A20E1
smallicons, xrefs: 001A2115
details, xrefs: 001A20FB

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: a9a34fb94e284435bc2e179a994ae9e97604f7d4bd95cad77888119ab81cc959
Instruction ID: 4fadaeb7ddad6fe93b3e58544bffd2585131c153934d40d5d1c0a493f870697e
Opcode Fuzzy Hash: a9a34fb94e284435bc2e179a994ae9e97604f7d4bd95cad77888119ab81cc959
Instruction Fuzzy Hash: E01106BE688717BAFB052228DC06DE7379CCF17328F204116FB05A50D6EF75A8625A54

Function 00178D45 Relevance: 13.8, APIs: 9, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0daef21090bf360aa3b7183bd71bc9ade8703c637bae1c342090b675022f9d58
Instruction ID: 05cc89f691d2fcb97b238636a798cbd9b94a6df16d0b73f8a5a5783893242972
Opcode Fuzzy Hash: 0daef21090bf360aa3b7183bd71bc9ade8703c637bae1c342090b675022f9d58
Instruction Fuzzy Hash: 6CC1F374904249AFCB11DFA8D889BADBBB4BF1A310F148099F51CA7392CB708946CB61

Function 0017CE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 0017CEB7
_free.LIBCMT ref: 0017CF22
_free.LIBCMT ref: 0017CF48
_free.LIBCMT ref: 0017CF71
_free.LIBCMT ref: 0017CFA9
_free.LIBCMT ref: 0017CFDA
_free.LIBCMT ref: 0017D01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 0017D09C
_free.LIBCMT ref: 0017D0B5

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: cc198d2f23e4ac879480720cf3cc37887c2db0d4dc2522010a1730cbcdbf4d15
Instruction ID: a00a7ad7d3ba88a793a7cf96643d917b90a825c9891993c7975e17a0305d5479
Opcode Fuzzy Hash: cc198d2f23e4ac879480720cf3cc37887c2db0d4dc2522010a1730cbcdbf4d15
Instruction Fuzzy Hash: 36614571904314AFDB25AFB4BC85AAE7BB5EF16720F04C16EF94CA7281DB319D418790

Function 001D50D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 001D5186
ShowWindow.USER32(?,00000000), ref: 001D51C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 001D51CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 001D51D1

Part of subcall function 001D6FBA: DeleteObject.GDI32(00000000), ref: 001D6FE6

GetWindowLongW.USER32(?,000000F0), ref: 001D520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 001D521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 001D524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 001D5287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 001D5296

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: e1366c15eeb5148a457c29fbab1bd895bf053c457595429a8e50497b492eacf8
Instruction ID: 891788b835e39e2215b7e5cc7ce40f863e150b41c662a13304e40385741cf9ab
Opcode Fuzzy Hash: e1366c15eeb5148a457c29fbab1bd895bf053c457595429a8e50497b492eacf8
Instruction Fuzzy Hash: 3951BE30A41A09FEEF249F24CC4ABD93B73EB15365F148113FA259A3E0C775A998DB41

Function 00158B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00196890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 001968A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 001968B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 001968D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 001968F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00158874,00000000,00000000,00000000,000000FF,00000000), ref: 00196901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0019691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00158874,00000000,00000000,00000000,000000FF,00000000), ref: 0019692D

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: 0d10eceb5c8b6a4178d652f233462258c4708926706952b171f5f87478e77773
Instruction ID: fbc9b85f2b77a9ff98548e79db188d6cb32df6ba816921c6cffb70acd8c17047
Opcode Fuzzy Hash: 0d10eceb5c8b6a4178d652f233462258c4708926706952b171f5f87478e77773
Instruction Fuzzy Hash: 86519870600309EFDF24CF24CC55FAA7BB9EB58761F104519F962AB2A0DB70E990DB50

Function 001BC143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 001BC182
GetLastError.KERNEL32 ref: 001BC195
SetEvent.KERNEL32(?), ref: 001BC1A9

Part of subcall function 001BC253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 001BC272
Part of subcall function 001BC253: GetLastError.KERNEL32 ref: 001BC322
Part of subcall function 001BC253: SetEvent.KERNEL32(?), ref: 001BC336
Part of subcall function 001BC253: InternetCloseHandle.WININET(00000000), ref: 001BC341

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: 5c144107d05387b8ce5aeb4f25d9084902bcc3fc2f96541063613e06b15e98e2
Instruction ID: 231c6ae5adc7fd5b507fa48178b057fab04c572b88c1c32aae61e84b3770f417
Opcode Fuzzy Hash: 5c144107d05387b8ce5aeb4f25d9084902bcc3fc2f96541063613e06b15e98e2
Instruction Fuzzy Hash: 6E318D71202606EFDB219FA9DC44AA6BBF9FF58300B04481EF956C6A10D730E854DBE0

Function 001A25A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 001A3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 001A3A57
Part of subcall function 001A3A3D: GetCurrentThreadId.KERNEL32 ref: 001A3A5E
Part of subcall function 001A3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,001A25B3), ref: 001A3A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 001A25BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 001A25DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 001A25DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 001A25E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 001A2601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 001A2605
MapVirtualKeyW.USER32(00000025,00000000), ref: 001A260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 001A2623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 001A2627

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: e48cab23c121a5b004a82c2d001f600ba1b6ff0044f34abc038fb8946938277d
Instruction ID: cc732c2c6aa210728c800c992bb64f3b7bccc98cc21e0a3e839b9c8ff411a810
Opcode Fuzzy Hash: e48cab23c121a5b004a82c2d001f600ba1b6ff0044f34abc038fb8946938277d
Instruction Fuzzy Hash: 8A01B530691320FBFF1067689C8AF993F59DB5AB11F100402F318AF1D1CAF15484CAA9

Function 001A1803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,001A1449,?,?,00000000), ref: 001A180C
HeapAlloc.KERNEL32(00000000,?,001A1449,?,?,00000000), ref: 001A1813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,001A1449,?,?,00000000), ref: 001A1828
GetCurrentProcess.KERNEL32(?,00000000,?,001A1449,?,?,00000000), ref: 001A1830
DuplicateHandle.KERNEL32(00000000,?,001A1449,?,?,00000000), ref: 001A1833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,001A1449,?,?,00000000), ref: 001A1843
GetCurrentProcess.KERNEL32(001A1449,00000000,?,001A1449,?,?,00000000), ref: 001A184B
DuplicateHandle.KERNEL32(00000000,?,001A1449,?,?,00000000), ref: 001A184E
CreateThread.KERNEL32(00000000,00000000,001A1874,00000000,00000000,00000000), ref: 001A1868

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: a102f7843cb034abd52f2c94fc8eaa3a64209a55fd8df94ce8c0a5e90a33c936
Instruction ID: bcb703f7ff77e81b98b3af35d2f63b76765e55c4ae92252ede2cdaefb348e30d
Opcode Fuzzy Hash: a102f7843cb034abd52f2c94fc8eaa3a64209a55fd8df94ce8c0a5e90a33c936
Instruction Fuzzy Hash: 9501BF75241315FFE710AB65DC4DF573B6CEB89B11F004411FA05DB591C6749840CB60

Function 001CA0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 001AD4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 001AD501
Part of subcall function 001AD4DC: Process32FirstW.KERNEL32(00000000,?), ref: 001AD50F
Part of subcall function 001AD4DC: CloseHandle.KERNEL32(00000000), ref: 001AD5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 001CA16D
GetLastError.KERNEL32 ref: 001CA180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 001CA1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 001CA268
GetLastError.KERNEL32(00000000), ref: 001CA273
CloseHandle.KERNEL32(00000000), ref: 001CA2C4

Strings

SeDebugPrivilege, xrefs: 001CA18F

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: ddbe28237f6c3620381deb1498cf9aa600b11d6666a9970f17d0df8b2c2b127b
Instruction ID: 02c349e57baf5d2d2c1c88db52865dd6255bc554da7b470cb33a4df988465677
Opcode Fuzzy Hash: ddbe28237f6c3620381deb1498cf9aa600b11d6666a9970f17d0df8b2c2b127b
Instruction Fuzzy Hash: DF619E70205252AFD721DF18C494F15BBE1AF6431CF58848CE4668BBA3C776EC49CB92

Function 001D3886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 001D3925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 001D393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 001D3954
_wcslen.LIBCMT ref: 001D3999
SendMessageW.USER32(?,00001057,00000000,?), ref: 001D39C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 001D39F4

Strings

SysListView32, xrefs: 001D38F7

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: 7040b339ec858eb8323bb222eefe301788d19d7bdbb9502214f44c36314c0fee
Instruction ID: 5f69437ee4b4e6081dcf38767473fea8f2fff0dbc38fe2173ce54fe80bf5ceaf
Opcode Fuzzy Hash: 7040b339ec858eb8323bb222eefe301788d19d7bdbb9502214f44c36314c0fee
Instruction Fuzzy Hash: D741A271A00219ABEF219F64CC49BEA7BA9EF18354F100527F958E7281D771DA94CB90

Function 001ABC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 001ABCFD
IsMenu.USER32(00000000), ref: 001ABD1D
CreatePopupMenu.USER32 ref: 001ABD53
GetMenuItemCount.USER32(010E5638), ref: 001ABDA4
InsertMenuItemW.USER32(010E5638,?,00000001,00000030), ref: 001ABDCC

Strings

2, xrefs: 001ABD37
0, xrefs: 001ABCA8

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: b1e79648c7be70c8b63a1c05f2679bcab68205bbe4a6228c4b39dc02639dcbce
Instruction ID: cb5273f8a2aa4b9a7589011e38b4e4461055c0d0b93e30eb123f70750907a843
Opcode Fuzzy Hash: b1e79648c7be70c8b63a1c05f2679bcab68205bbe4a6228c4b39dc02639dcbce
Instruction Fuzzy Hash: 3851BF78A092859BDF11CFF8D8C4BAEBBF4BF56318F14421AE401DB292D7709940CB51

Function 001AC874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 001AC913

Strings

info, xrefs: 001AC8B4
question, xrefs: 001AC8CC
stop, xrefs: 001AC8E4
warning, xrefs: 001AC8FC
blank, xrefs: 001AC895

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 1556e3aeb1a37c9baf2fa72bdff746e6f0ac5f266632de7210a30caace818248
Instruction ID: 6a6380e8b250f3e671a16afee636bbca4e7daa0a911b93c96f67da83e82c6d42
Opcode Fuzzy Hash: 1556e3aeb1a37c9baf2fa72bdff746e6f0ac5f266632de7210a30caace818248
Instruction Fuzzy Hash: 2F11273A689307BAE7059B549C83DAB67DCDF27328B20402EF500A62C2E7A49E1052E5

Function 001ADE27 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 001ADE42
gethostname.WSOCK32(?,00000100), ref: 001ADE5C
gethostbyname.WSOCK32(?), ref: 001ADE69
inet_ntoa.WSOCK32(?), ref: 001ADEAB
_strcat.LIBCMT ref: 001ADEB9
WSACleanup.WSOCK32 ref: 001ADEDE

Strings

0.0.0.0, xrefs: 001ADE87

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: debe56ea63e686046d8ea38689250765f7a358a6d3083254727f2f3a26dd8cec
Instruction ID: 9f929f552d1dfd704cb1e48806d7eb9460146222c25f415363a7b04dd0140b27
Opcode Fuzzy Hash: debe56ea63e686046d8ea38689250765f7a358a6d3083254727f2f3a26dd8cec
Instruction Fuzzy Hash: D3115C75900115AFDB246B34EC4ADDF77BCDF26310F01056AF40696491EF718A81CA90

Function 001AED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 001AED2A
_wcslen.LIBCMT ref: 001AED3B
_wcslen.LIBCMT ref: 001AED79
_wcslen.LIBCMT ref: 001AEDAF
_wcslen.LIBCMT ref: 001AEDDF
_wcslen.LIBCMT ref: 001AEDEF
_wcslen.LIBCMT ref: 001AEE2B
_wcslen.LIBCMT ref: 001AEE5A

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: 1cc5898ede9544b5b9d6159df3582d95f5ca60eb11679c3dde628dd05f4f6cea
Instruction ID: 6c0e3d9ca05449db28eb89b14a1f02047c63e6054ec1e9bceaf91b8261e3ac96
Opcode Fuzzy Hash: 1cc5898ede9544b5b9d6159df3582d95f5ca60eb11679c3dde628dd05f4f6cea
Instruction Fuzzy Hash: 5F41D466D1021876DB11EBF4CC8A9CFB7A8AF56310F508466F518E3121FB34E265C3E5

Function 0015F8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0019682C,00000004,00000000,00000000), ref: 0015F953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,0019682C,00000004,00000000,00000000), ref: 0019F3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0019682C,00000004,00000000,00000000), ref: 0019F454

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 2b7960383591c662796030159bb268f97feac57a0bc618304f5deb646b89409f
Instruction ID: 55248c08639c7932a70187f7ca5e8e30bda9427bce591ab47f46afb001f0fa8f
Opcode Fuzzy Hash: 2b7960383591c662796030159bb268f97feac57a0bc618304f5deb646b89409f
Instruction Fuzzy Hash: 2C415231605A40FECB388B3DC88876A7B91BB5631AF15443DF8679B560C771A4CBC751

Function 001D2D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 001D2D1B
GetDC.USER32(00000000), ref: 001D2D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 001D2D2E
ReleaseDC.USER32(00000000,00000000), ref: 001D2D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 001D2D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 001D2D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,001D5A65,?,?,000000FF,00000000,?,000000FF,?), ref: 001D2DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 001D2DE1

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 6ffb399079b4352ae0d7ba4c624829a2701e8db2bb8219eee24450a2a7bd5912
Instruction ID: 8d3825b4b0876f8611d3b2c97a73a09ca374b300fc53517c1e14e3a7d78c48a2
Opcode Fuzzy Hash: 6ffb399079b4352ae0d7ba4c624829a2701e8db2bb8219eee24450a2a7bd5912
Instruction Fuzzy Hash: 95318E76202614BFEB118F54CC8AFEB3FADEF19715F044056FE089A291D6759C90CBA4

Function 001A5622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 001A5637
_memcmp.LIBVCRUNTIME ref: 001A5659
_memcmp.LIBVCRUNTIME ref: 001A5671
_memcmp.LIBVCRUNTIME ref: 001A5684
_memcmp.LIBVCRUNTIME ref: 001A569E
_memcmp.LIBVCRUNTIME ref: 001A56B1
_memcmp.LIBVCRUNTIME ref: 001A56C9
_memcmp.LIBVCRUNTIME ref: 001A56E4

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 2fe07dbba7ad236e8eeec37aa864d2012b78e55dd28c9277d265d0652131e568
Instruction ID: 74716c2b8114f227df25b31af76b7b15f0b1c8f80eec01d09a240a0ad510bea9
Opcode Fuzzy Hash: 2fe07dbba7ad236e8eeec37aa864d2012b78e55dd28c9277d265d0652131e568
Instruction Fuzzy Hash: 3421DB69748A0977D71855208E82FFB335FBF323A4F484025FD1A9A781F720EE3181A5

Function 001C4FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 001C5007
NULL Pointer assignment, xrefs: 001C502E, 001C5383

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: d1e496a57a2dff942e9bec398d4569a2fe37d121261a53d4363e39c3373e0907
Instruction ID: c53a0d67c86415c69087cc13fdb2aea32fb4a0e0d2f11247d832910934612205
Opcode Fuzzy Hash: d1e496a57a2dff942e9bec398d4569a2fe37d121261a53d4363e39c3373e0907
Instruction Fuzzy Hash: EED1B075A0060A9FDF10CF98C885FAEB7B6BF58344F14856DE915AB281D770ED81CB90

Function 00181522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,001817FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 001815CE
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,001817FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00181651
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,001817FB,?,001817FB,00000000,00000000,?,00000000,?,?,?,?), ref: 001816E4
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,001817FB,00000000,00000000,?,00000000,?,?,?,?), ref: 001816FB

Part of subcall function 00173820: RtlAllocateHeap.NTDLL(00000000,?,00211444,?,0015FDF5,?,?,0014A976,00000010,00211440,001413FC,?,001413C6,?,00141129), ref: 00173852

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,001817FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00181777
__freea.LIBCMT ref: 001817A2
__freea.LIBCMT ref: 001817AE

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: e1a09724ebef1f38a29b79038ad0c3a4d16eb5a8024e77a84e636626c5980124
Instruction ID: 53f8a9fdaf598b1d3773d40e01fce10c1fdd68742a462f63e6299ccc2086b91f
Opcode Fuzzy Hash: e1a09724ebef1f38a29b79038ad0c3a4d16eb5a8024e77a84e636626c5980124
Instruction Fuzzy Hash: 1E91C773E00216BADB24AE74CC81AEE7BBDAF59310F184659E905E7141D735DE42CF60

Function 001C4523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 001C4648
VariantInit.OLEAUT32(?), ref: 001C4749
VariantClear.OLEAUT32(?), ref: 001C4753
VariantClear.OLEAUT32(?), ref: 001C47B0

Strings

Incorrect Object type in FOR..IN loop, xrefs: 001C472C
Null Object assignment in FOR..IN loop, xrefs: 001C45D8, 001C4706, 001C47BE

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 39d346d6d1927754a73e539f710d46cbc4cc0a05c90d1ff7a667302037a86f8f
Instruction ID: fc5ac22c939f33a2c64e1c99a576e87f13b81c7fbbc6b0a749abc7d149c4dce0
Opcode Fuzzy Hash: 39d346d6d1927754a73e539f710d46cbc4cc0a05c90d1ff7a667302037a86f8f
Instruction Fuzzy Hash: F6919C71A04319ABDF24CFA4C898FAEBBB8EF66710F10855DF505AB281D770D945CBA0

Function 001B1187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 001B125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 001B1284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 001B12A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 001B12D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 001B135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 001B13C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 001B1430

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: c9a3c32dc90742a43fc91d2ea07a33836227de92c53283501badb98483c65d9e
Instruction ID: c4fe7d0331b2a9220d723b435ea2f032bdb413b68016efe09b9ef8bb94099db6
Opcode Fuzzy Hash: c9a3c32dc90742a43fc91d2ea07a33836227de92c53283501badb98483c65d9e
Instruction Fuzzy Hash: E3910572A00219BFDB00DFA8C8A4BFE77B5FF55315F624469E900EB291D774A941CB90

Function 0015948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 9c89f50c51ff55d98e7f4028c034864708874e4d28d1bcd9de34b8b30e640b17
Instruction ID: 6add2962bbd148e63110789368eb56b361dc978ef82fe989c2b13c1c8fca83dd
Opcode Fuzzy Hash: 9c89f50c51ff55d98e7f4028c034864708874e4d28d1bcd9de34b8b30e640b17
Instruction Fuzzy Hash: 20914971D10219EFCB14CFA9CC84AEEBBB8FF48320F144556E915BB251D378AA55CB60

Function 001C3947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 001C396B
CharUpperBuffW.USER32(?,?), ref: 001C3A7A
_wcslen.LIBCMT ref: 001C3A8A
VariantClear.OLEAUT32(?), ref: 001C3C1F

Part of subcall function 001B0CDF: VariantInit.OLEAUT32(00000000), ref: 001B0D1F
Part of subcall function 001B0CDF: VariantCopy.OLEAUT32(?,?), ref: 001B0D28
Part of subcall function 001B0CDF: VariantClear.OLEAUT32(?), ref: 001B0D34

Strings

Incorrect Parameter format, xrefs: 001C39A6, 001C3BA1
AUTOIT.ERROR, xrefs: 001C3A80, 001C3A85

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: 5825c3bc04c667c44bd6b1e8b37794472500d989ab87e4ac35a70234ce47cecb
Instruction ID: 8bd070a31234bf4d48f83115c957d79c745b00f2615bf8e54267e7783fd68c95
Opcode Fuzzy Hash: 5825c3bc04c667c44bd6b1e8b37794472500d989ab87e4ac35a70234ce47cecb
Instruction Fuzzy Hash: 71918A75A083059FC704DF28C480A6AB7E4FFA9314F14892EF8999B351DB31EE45CB92

Function 001C4BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 001A000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0019FF41,80070057,?,?,?,001A035E), ref: 001A002B
Part of subcall function 001A000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0019FF41,80070057,?,?), ref: 001A0046
Part of subcall function 001A000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0019FF41,80070057,?,?), ref: 001A0054
Part of subcall function 001A000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0019FF41,80070057,?), ref: 001A0064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 001C4C51
_wcslen.LIBCMT ref: 001C4D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 001C4DCF
CoTaskMemFree.OLE32(?), ref: 001C4DDA

Strings

NULL Pointer assignment, xrefs: 001C4E23, 001C4E52

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: 8b2de5f7b66792d9da824436f93ef1b41b5d8d44f0c0ba6bc97e3f2c60d7a04f
Instruction ID: 5d217f485b885ebc6c52522a58b3b31c5cf02bcdd3947c5d9f444d4c8a5bd60b
Opcode Fuzzy Hash: 8b2de5f7b66792d9da824436f93ef1b41b5d8d44f0c0ba6bc97e3f2c60d7a04f
Instruction Fuzzy Hash: 8D913771D0121DAFDF14DFA4D890EEEB7B8BF28304F10856AE915AB251DB349A44CFA0

Function 001D20FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 001D2183
GetMenuItemCount.USER32(00000000), ref: 001D21B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 001D21DD
_wcslen.LIBCMT ref: 001D2213
GetMenuItemID.USER32(?,?), ref: 001D224D
GetSubMenu.USER32(?,?), ref: 001D225B

Part of subcall function 001A3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 001A3A57
Part of subcall function 001A3A3D: GetCurrentThreadId.KERNEL32 ref: 001A3A5E
Part of subcall function 001A3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,001A25B3), ref: 001A3A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 001D22E3

Part of subcall function 001AE97B: Sleep.KERNELBASE ref: 001AE9F3

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: b6a72b54b71eabe0fff75fef8ffb3af44c37df41db515e5da140671165a7ce0c
Instruction ID: 44d69e71a542ee60c58171a27f6173b919b669da198e6bec3e22411fc33bc7e7
Opcode Fuzzy Hash: b6a72b54b71eabe0fff75fef8ffb3af44c37df41db515e5da140671165a7ce0c
Instruction Fuzzy Hash: 40719E35A00215AFCB14DFA8C845AAEB7F1FF68310F15845AE826EB351D735EE41CB90

Function 001D7E9E Relevance: 10.7, APIs: 7, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(010E5458), ref: 001D7F37
IsWindowEnabled.USER32(010E5458), ref: 001D7F43
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 001D801E
SendMessageW.USER32(010E5458,000000B0,?,?), ref: 001D8051
IsDlgButtonChecked.USER32(?,?), ref: 001D8089
GetWindowLongW.USER32(010E5458,000000EC), ref: 001D80AB
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 001D80C3

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 05b7a90a047a68465c2b2ad78d6e8666ac7c571e5e02f6803583b6684c4b0df3
Instruction ID: 071397a9a1a2778986f71aba1d484c36c4dc847013de9c74214040b05d50e15c
Opcode Fuzzy Hash: 05b7a90a047a68465c2b2ad78d6e8666ac7c571e5e02f6803583b6684c4b0df3
Instruction Fuzzy Hash: 08718B34609204AFEB359F64C884FEABBBAEF19300F14445BF965973A1DB31AC55CB60

Function 001AAEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 001AAEF9
GetKeyboardState.USER32(?), ref: 001AAF0E
SetKeyboardState.USER32(?), ref: 001AAF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 001AAF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 001AAFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 001AAFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 001AB020

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 28ceb9a80e26647073a1757fc882646b810f48ebc67ce9139008e9381224d5e3
Instruction ID: 38d35a469efc56924760da17f96b60b43507851256acfe20058a3ec2933f0048
Opcode Fuzzy Hash: 28ceb9a80e26647073a1757fc882646b810f48ebc67ce9139008e9381224d5e3
Instruction Fuzzy Hash: 1E5181A46087D53DFB3A42348C85BBABEA95F07304F08858AF1D9958C3D7A9ACC4D751

Function 001AACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 001AAD19
GetKeyboardState.USER32(?), ref: 001AAD2E
SetKeyboardState.USER32(?), ref: 001AAD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 001AADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 001AADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 001AAE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 001AAE38

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: f7311172bb16626a8982aea4d6a19cdae92fef72a87e71b2d99bb23fa6f5002b
Instruction ID: d81f80a58caecf3445e4906ebac908720fc185a647c680b63336ae9f10a2a2a7
Opcode Fuzzy Hash: f7311172bb16626a8982aea4d6a19cdae92fef72a87e71b2d99bb23fa6f5002b
Instruction Fuzzy Hash: CE51E3A55487D53DFB3783748C95BBABEA85F47300F488489E1D5468C3D3A4EC88E762

Function 0017542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00183CD6,?,?,?,?,?,?,?,?,00175BA3,?,?,00183CD6,?,?), ref: 00175470
__fassign.LIBCMT ref: 001754EB
__fassign.LIBCMT ref: 00175506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00183CD6,00000005,00000000,00000000), ref: 0017552C
WriteFile.KERNEL32(?,00183CD6,00000000,00175BA3,00000000,?,?,?,?,?,?,?,?,?,00175BA3,?), ref: 0017554B
WriteFile.KERNEL32(?,?,00000001,00175BA3,00000000,?,?,?,?,?,?,?,?,?,00175BA3,?), ref: 00175584

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 6b5c45993f5f2621c874f47a1e718bd0bf23be3e24716d3633a227feeb910bd0
Instruction ID: a42ca37186b2e90a0e20513ada7ef88d654c8a2a57b1f2af5489fca14110fe20
Opcode Fuzzy Hash: 6b5c45993f5f2621c874f47a1e718bd0bf23be3e24716d3633a227feeb910bd0
Instruction Fuzzy Hash: 0851C6719006499FDB10CFA8D885AEEBBFAEF09300F14851AF559E7291E7709A41CB60

Function 00162D20 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00162D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00162D53
_ValidateLocalCookies.LIBCMT ref: 00162DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00162E0C
_ValidateLocalCookies.LIBCMT ref: 00162E61

Strings

csm, xrefs: 00162DF6

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 2b75e032e8f88fbec625ac0e66f634d498efd7cc6bfd8cc2b62d7007522a88fa
Instruction ID: ae4ef51556ff0a1a82be82e8a2d1c88de12c69344df9d5b8f310616fe4f4a0e4
Opcode Fuzzy Hash: 2b75e032e8f88fbec625ac0e66f634d498efd7cc6bfd8cc2b62d7007522a88fa
Instruction Fuzzy Hash: 4E41D234E00609ABCF10DFA8CC85ADEBBB5BF45324F148165E814AB392D771AA61CBD0

Function 001C10B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 001C304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 001C307A
Part of subcall function 001C304E: _wcslen.LIBCMT ref: 001C309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 001C1112
WSAGetLastError.WSOCK32 ref: 001C1121
WSAGetLastError.WSOCK32 ref: 001C11C9
closesocket.WSOCK32(00000000), ref: 001C11F9

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: 42825b03b3e9bf434311ed2c6ed0d0cae9097ca40383313ad9aa897f3af0e55f
Instruction ID: 0d7787d9cd48ae536eed5d370c86f43810aa1d45ee6715c4d49ca4dbb3880f2a
Opcode Fuzzy Hash: 42825b03b3e9bf434311ed2c6ed0d0cae9097ca40383313ad9aa897f3af0e55f
Instruction Fuzzy Hash: 3141E531601205AFDB109F24C884FA9B7E9FF56324F188159FD159B292C778ED81CBE1

Function 001ACF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 001ADDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,001ACF22,?), ref: 001ADDFD

Part of subcall function 001ADDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,001ACF22,?), ref: 001ADE16

lstrcmpiW.KERNEL32(?,?), ref: 001ACF45
MoveFileW.KERNEL32(?,?), ref: 001ACF7F
_wcslen.LIBCMT ref: 001AD005
_wcslen.LIBCMT ref: 001AD01B
SHFileOperationW.SHELL32(?), ref: 001AD061

Strings

\*.*, xrefs: 001ACFF3

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: 81d7abb1ca4bd225eac5c7c73078ee08afd2fa394dc8cf5e6924338b7b079ddc
Instruction ID: 22b7972cda2c5b6bb388edaf8f3b1e5f5f87b643644350c1fbae7d8076779d0d
Opcode Fuzzy Hash: 81d7abb1ca4bd225eac5c7c73078ee08afd2fa394dc8cf5e6924338b7b079ddc
Instruction Fuzzy Hash: 5A4167759452199FDF12EFA4DD81ADEB7F9AF19340F1000E6E505EB142EB34AB88CB50

Function 001D2DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 001D2E1C
GetWindowLongW.USER32(?,000000F0), ref: 001D2E4F
GetWindowLongW.USER32(?,000000F0), ref: 001D2E84
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 001D2EB6
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 001D2EE0
GetWindowLongW.USER32(?,000000F0), ref: 001D2EF1
SetWindowLongW.USER32(?,000000F0,00000000), ref: 001D2F0B

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 7cd90f536d84bcd3963fd8dc0456b310fd7c3470d3d7e1df17ba171260ee276b
Instruction ID: 599472b55af0d19d54944a8898b2efecb5f8a8be3b66676a45c31f149ea7f1e9
Opcode Fuzzy Hash: 7cd90f536d84bcd3963fd8dc0456b310fd7c3470d3d7e1df17ba171260ee276b
Instruction Fuzzy Hash: DA3105306461519FDB21CF58EC88FA537E1EBAA711F1545A6FA208B3B1CB71E890DB41

Function 001A7726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 001A7769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 001A778F
SysAllocString.OLEAUT32(00000000), ref: 001A7792
SysAllocString.OLEAUT32(?), ref: 001A77B0
SysFreeString.OLEAUT32(?), ref: 001A77B9
StringFromGUID2.OLE32(?,?,00000028), ref: 001A77DE
SysAllocString.OLEAUT32(?), ref: 001A77EC

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: acdf82e77a1e92dae6bc99789dc2e4ff3e037570e737147630ed3eb8f0218473
Instruction ID: 88de10e42c907a80d393e6fed6835e77b85bad0b2f95360766c8257a8be7d223
Opcode Fuzzy Hash: acdf82e77a1e92dae6bc99789dc2e4ff3e037570e737147630ed3eb8f0218473
Instruction Fuzzy Hash: D221B27A605219AFDB10DFE8CC88CBB73ACEB0A3647008526F914DB191D770DD81C7A0

Function 001A77FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 001A7842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 001A7868
SysAllocString.OLEAUT32(00000000), ref: 001A786B
SysAllocString.OLEAUT32 ref: 001A788C
SysFreeString.OLEAUT32 ref: 001A7895
StringFromGUID2.OLE32(?,?,00000028), ref: 001A78AF
SysAllocString.OLEAUT32(?), ref: 001A78BD

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 6086e656181c7254a8e414464d1610914b0ce53610746a3bda7dbf7565e1ee2f
Instruction ID: a8e81cfb9b40cd4e9fdfa3f12ac0d8572f335f68ebe95da47c56de110a16e64e
Opcode Fuzzy Hash: 6086e656181c7254a8e414464d1610914b0ce53610746a3bda7dbf7565e1ee2f
Instruction Fuzzy Hash: DE21A135609205AFDB109FA8DC88DBA77ECEF0A3607108525F915CB2A5D778DD81CBA4

Function 001B04D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 001B04F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 001B052E

Strings

nul, xrefs: 001B0567

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: ee516f81dc173b006510a193077479a240b68e65e5d8811c6a61c144d5061278
Instruction ID: 90de4555b2270155c55be678620d056b8cee4fea00072e14af72265ad60e11fc
Opcode Fuzzy Hash: ee516f81dc173b006510a193077479a240b68e65e5d8811c6a61c144d5061278
Instruction Fuzzy Hash: A9218DB1500306AFDB319F69DC44ADB77E4BF49724F204A19F8A1D66E0D7709980CF60

Function 001B05A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 001B05C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 001B0601

Strings

nul, xrefs: 001B0639

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 643c95bdcf0ac325b924eabc8fa3f985079c205a3f52952327a18a68902f4248
Instruction ID: 6096aaaf024e404108179e5c2b3a55de0286240fb15d65456655ba67c4956048
Opcode Fuzzy Hash: 643c95bdcf0ac325b924eabc8fa3f985079c205a3f52952327a18a68902f4248
Instruction Fuzzy Hash: B2214F755013169FDB219F69DC04ADB77E4BF99720F200B19F8A1E72E0E77099A0CB50

Function 001D40AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0014600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0014604C
Part of subcall function 0014600E: GetStockObject.GDI32(00000011), ref: 00146060
Part of subcall function 0014600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0014606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 001D4112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 001D411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 001D412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 001D4139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 001D4145

Strings

Msctls_Progress32, xrefs: 001D40E3

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 5a3680587d2b02b42eb68cb4aa0871562a94250c1586f0006afc0f3d1ee77b28
Instruction ID: b90a277f43429b9b3a6bcea6516d566bbd3e181a8b342f77ba2e1a06a78c2ae2
Opcode Fuzzy Hash: 5a3680587d2b02b42eb68cb4aa0871562a94250c1586f0006afc0f3d1ee77b28
Instruction Fuzzy Hash: 321190B2150219BFEF118E64CC86EE77F6DEF19798F014111BB18A2190CB72AC61DBA4

Function 0017D7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0017D7A3: _free.LIBCMT ref: 0017D7CC

_free.LIBCMT ref: 0017D82D

Part of subcall function 001729C8: HeapFree.KERNEL32(00000000,00000000,?,0017D7D1,00000000,00000000,00000000,00000000,?,0017D7F8,00000000,00000007,00000000,?,0017DBF5,00000000), ref: 001729DE
Part of subcall function 001729C8: GetLastError.KERNEL32(00000000,?,0017D7D1,00000000,00000000,00000000,00000000,?,0017D7F8,00000000,00000007,00000000,?,0017DBF5,00000000,00000000), ref: 001729F0

_free.LIBCMT ref: 0017D838
_free.LIBCMT ref: 0017D843
_free.LIBCMT ref: 0017D897
_free.LIBCMT ref: 0017D8A2
_free.LIBCMT ref: 0017D8AD
_free.LIBCMT ref: 0017D8B8

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: ae259239f3e1c0009e2af7f360a4a2288260ad55ff94029eca6c7b50c8104110
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: 8A118171540B18AAD621BFF0DC07FCBBBFC6F60704F448825F29DA6092DB34B6464651

Function 001ADA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 001ADA74
LoadStringW.USER32(00000000), ref: 001ADA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 001ADA91
LoadStringW.USER32(00000000), ref: 001ADA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 001ADADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 001ADAB9

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: cab72ff9c0cb3ef49c13b3ec1d49de5c2dae3b5c2ccf42da388e22ddd377ec29
Instruction ID: 505afd17c910c338be188217bf10d8742dde712292ee7fb24846dc6b79b94105
Opcode Fuzzy Hash: cab72ff9c0cb3ef49c13b3ec1d49de5c2dae3b5c2ccf42da388e22ddd377ec29
Instruction Fuzzy Hash: 8A0186F6501219BFE7109BA0DD89EFB336CE709301F400992B706E2441EA749EC48FB4

Function 001B096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(010DEAE8,010DEAE8), ref: 001B097B
EnterCriticalSection.KERNEL32(010DEAC8,00000000), ref: 001B098D
TerminateThread.KERNEL32(?,000001F6), ref: 001B099B
WaitForSingleObject.KERNEL32(?,000003E8), ref: 001B09A9
CloseHandle.KERNEL32(?), ref: 001B09B8
InterlockedExchange.KERNEL32(010DEAE8,000001F6), ref: 001B09C8
LeaveCriticalSection.KERNEL32(010DEAC8), ref: 001B09CF

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 972ca35f5cf0dbbf21f57e283f0c5576fa51793031d804701e479ac399d78982
Instruction ID: 1aa66b7094737d2a72707e7ddb6db4fc1b9989ad2949538c9f103dc07a735176
Opcode Fuzzy Hash: 972ca35f5cf0dbbf21f57e283f0c5576fa51793031d804701e479ac399d78982
Instruction Fuzzy Hash: 8BF0C932483A13BBDB525BA4EE89BD6BB29BF05706F402526F20290CA1C77594A5CFD0

Function 001C1C60 Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 001C1DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 001C1DE1
WSAGetLastError.WSOCK32 ref: 001C1DF2
htons.WSOCK32(?,?,?,?,?), ref: 001C1EDB
inet_ntoa.WSOCK32(?), ref: 001C1E8C

Part of subcall function 001A39E8: _strlen.LIBCMT ref: 001A39F2

Part of subcall function 001C3224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,001BEC0C), ref: 001C3240

_strlen.LIBCMT ref: 001C1F35

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: aa33a68f051214b802b5dddff2ca568d7589e90471439b4197b76071c47d223e
Instruction ID: 2fc6b36ae03b3846a35380dd8835f816a57aa8db31a6737b932f1cfb7acfdfbb
Opcode Fuzzy Hash: aa33a68f051214b802b5dddff2ca568d7589e90471439b4197b76071c47d223e
Instruction Fuzzy Hash: 2FB1C031244340AFC324DF64C895F2A77A5AFA6318F54894CF46A5F2A3CB31ED46CB92

Function 00145D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00145D30
GetWindowRect.USER32(?,?), ref: 00145D71
ScreenToClient.USER32(?,?), ref: 00145D99
GetClientRect.USER32(?,?), ref: 00145ED7
GetWindowRect.USER32(?,?), ref: 00145EF8

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 74e07a93c35605fd6c0daea83a9662f7a99135cb37b7be01362427c55728a92d
Instruction ID: 6ee8a133b0d981366a37c680d800d1e9b827b01a7edffa673a24a5f47c0b7f8a
Opcode Fuzzy Hash: 74e07a93c35605fd6c0daea83a9662f7a99135cb37b7be01362427c55728a92d
Instruction Fuzzy Hash: 89B17B35A0074ADBDB14DFA9C4807EEB7F2FF58310F14841AE8A9D7260DB34AA51DB54

Function 001701B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 001700BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 001700D6
__allrem.LIBCMT ref: 001700ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0017010B
__allrem.LIBCMT ref: 00170122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00170140

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction ID: b66069b34239fb593b31ecedcfb2b6004b575121753df8204644e4c2b4274f5f
Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction Fuzzy Hash: 50812972A00706EBE725AF68DC81B6B73F8AF55364F24813EF515D7281EB70DA418B50

Function 001761FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,001682D9,001682D9,?,?,?,0017644F,00000001,00000001,8BE85006), ref: 00176258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0017644F,00000001,00000001,8BE85006,?,?,?), ref: 001762DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 001763D8
__freea.LIBCMT ref: 001763E5

Part of subcall function 00173820: RtlAllocateHeap.NTDLL(00000000,?,00211444,?,0015FDF5,?,?,0014A976,00000010,00211440,001413FC,?,001413C6,?,00141129), ref: 00173852

__freea.LIBCMT ref: 001763EE
__freea.LIBCMT ref: 00176413

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 64689ff0d3cee6541079243c9420c965cd5b6c9e9161f84ca9c956d899a361f7
Instruction ID: 316cde3967b888118ab99be07172af250fed35ca6b4497814ab1978f0315ec12
Opcode Fuzzy Hash: 64689ff0d3cee6541079243c9420c965cd5b6c9e9161f84ca9c956d899a361f7
Instruction Fuzzy Hash: 2B51E072A00A16ABEB298F64CC81EAF77B9EB58710F158629FC0DD6141EB34DC40D7A0

Function 001CBBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00149CB3: _wcslen.LIBCMT ref: 00149CBD

Part of subcall function 001CC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,001CB6AE,?,?), ref: 001CC9B5
Part of subcall function 001CC998: _wcslen.LIBCMT ref: 001CC9F1
Part of subcall function 001CC998: _wcslen.LIBCMT ref: 001CCA68
Part of subcall function 001CC998: _wcslen.LIBCMT ref: 001CCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 001CBCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 001CBD25
RegCloseKey.ADVAPI32(00000000), ref: 001CBD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 001CBD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 001CBDF3
RegCloseKey.ADVAPI32(?), ref: 001CBDFF

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: 375f0065249d995923ac58b5692584dfc929e72fc37f4518ee579716418a2451
Instruction ID: a14a3b0b91426a912ee9e23068e8f323c201c63893b6292622aa09a8227caf66
Opcode Fuzzy Hash: 375f0065249d995923ac58b5692584dfc929e72fc37f4518ee579716418a2451
Instruction Fuzzy Hash: 5A817A70208241AFD714DF64C8C6E2ABBE5FF94308F14895DF45A8B2A2DB31ED45CB92

Function 0019F7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 0019F7B9
SysAllocString.OLEAUT32(00000001), ref: 0019F860
VariantCopy.OLEAUT32(0019FA64,00000000), ref: 0019F889
VariantClear.OLEAUT32(0019FA64), ref: 0019F8AD
VariantCopy.OLEAUT32(0019FA64,00000000), ref: 0019F8B1
VariantClear.OLEAUT32(?), ref: 0019F8BB

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: 726fa2b71dc8d606b60f42da0bf0633c8b07bac748b61a0c53a25ff3d4058e33
Instruction ID: fc2bc2319b07ae42df77af298a8b56f799503245bc1e1e084147d170d9d3f302
Opcode Fuzzy Hash: 726fa2b71dc8d606b60f42da0bf0633c8b07bac748b61a0c53a25ff3d4058e33
Instruction Fuzzy Hash: 7F51C131600310FACF24AF65D895B69B3A8EF55324B24846FF806DF292DB70CC46CB96

Function 001B910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00147620: _wcslen.LIBCMT ref: 00147625

Part of subcall function 00146B57: _wcslen.LIBCMT ref: 00146B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 001B94E5
_wcslen.LIBCMT ref: 001B9506
_wcslen.LIBCMT ref: 001B952D
GetSaveFileNameW.COMDLG32(00000058), ref: 001B9585

Strings

X, xrefs: 001B9412

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: fcaa0683d6416419b8e43796c17b1bf0649db8fbb3eb9b4ea2e8d3f40da91122
Instruction ID: 1c728d131f191dae5faaf4d4a6b96bd8241c7f3d097ef284cb9c6d713fe3ffd5
Opcode Fuzzy Hash: fcaa0683d6416419b8e43796c17b1bf0649db8fbb3eb9b4ea2e8d3f40da91122
Instruction Fuzzy Hash: 0CE1AF31908341CFD724DF24C885AAEB7E0BF95314F14896DF9999B2A2DB31DD06CB92

Function 0015920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00159BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00159BB2

BeginPaint.USER32(?,?,?), ref: 00159241
GetWindowRect.USER32(?,?), ref: 001592A5
ScreenToClient.USER32(?,?), ref: 001592C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 001592D3
EndPaint.USER32(?,?,?,?,?), ref: 00159321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 001971EA

Part of subcall function 00159339: BeginPath.GDI32(00000000), ref: 00159357

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 56f2443b5a2b27e95e3c2da249fb227a5a79e7e23c7562529c89cd88912b83ec
Instruction ID: 20186f4a64eb0482e4bc77d3d05a0de85db34e288e6a233ab7d8021b93973278
Opcode Fuzzy Hash: 56f2443b5a2b27e95e3c2da249fb227a5a79e7e23c7562529c89cd88912b83ec
Instruction Fuzzy Hash: 9E419F70105201EFDB11DF24DC88FBA7BB8EF65321F144669FA648B2E1C7319849DBA2

Function 001B07EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 001B080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 001B0847
EnterCriticalSection.KERNEL32(?), ref: 001B0863
LeaveCriticalSection.KERNEL32(?), ref: 001B08DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 001B08F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 001B0921

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: 38a613707ae12f84dd02eade1f599fbd50eed01eafa502ea4a09f5236e6cbee8
Instruction ID: 0dafaaaf3d78f8e631364f494d3261d669c39281e351c62efe325d4a91f05a46
Opcode Fuzzy Hash: 38a613707ae12f84dd02eade1f599fbd50eed01eafa502ea4a09f5236e6cbee8
Instruction Fuzzy Hash: 16416771900205EFDF15AF54DC85AAAB7B8FF08300F1480A9ED04AE297DB30DE65DBA0

Function 001D81DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,0019F3AB,00000000,?,?,00000000,?,0019682C,00000004,00000000,00000000), ref: 001D824C
EnableWindow.USER32(?,00000000), ref: 001D8272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 001D82D1
ShowWindow.USER32(?,00000004), ref: 001D82E5
EnableWindow.USER32(?,00000001), ref: 001D830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 001D832F

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: b5d5814477cc91836cf6bd555fb2ea17b3e43efa04b5fd323e89504cc0577032
Instruction ID: 70b361ca79fb63bbb01dab63a1110f1b3388b43ece1a51c622d64a72028923c3
Opcode Fuzzy Hash: b5d5814477cc91836cf6bd555fb2ea17b3e43efa04b5fd323e89504cc0577032
Instruction Fuzzy Hash: 54418034602644AFDF25CF25DC99BE47BF1FB1A715F1842AAE6184B3A2CB31A851CB50

Function 001A4C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 001A4C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 001A4CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 001A4CEA
_wcslen.LIBCMT ref: 001A4D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 001A4D10
_wcsstr.LIBVCRUNTIME ref: 001A4D1A

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: 046e24b1e57f2148528619588fad2eaa8960cbc3fba3cbb90aef0041a83f5099
Instruction ID: 63bff3771583b6d758212c144afb416b464ce92d7a9fcd5a9c407969bb28dd19
Opcode Fuzzy Hash: 046e24b1e57f2148528619588fad2eaa8960cbc3fba3cbb90aef0041a83f5099
Instruction Fuzzy Hash: EB213B35605201BBEB155B79DC0AEBB7B9CDF96760F10403EF809CA192DFA1DC41C2A0

Function 001B581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00143AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00143A97,?,?,00142E7F,?,?,?,00000000), ref: 00143AC2

_wcslen.LIBCMT ref: 001B587B
CoInitialize.OLE32(00000000), ref: 001B5995
CoCreateInstance.OLE32(001DFCF8,00000000,00000001,001DFB68,?), ref: 001B59AE
CoUninitialize.OLE32 ref: 001B59CC

Strings

.lnk, xrefs: 001B5876, 001B58C1, 001B5985

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: d92b0d2b1fc2d4c34a1f594ddceedabe74a243db25a2a09acfd0db51eb603408
Instruction ID: 465dcef2bec761cc446729eb2e2aaa5828e7ffa1e4fcec2ecfde571fef14fffb
Opcode Fuzzy Hash: d92b0d2b1fc2d4c34a1f594ddceedabe74a243db25a2a09acfd0db51eb603408
Instruction Fuzzy Hash: 4DD15371A087019FC714DF25C480A6ABBE2FF99714F14885DF88A9B3A1DB31ED45CB92

Function 001A175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 001A0FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 001A0FCA
Part of subcall function 001A0FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 001A0FD6
Part of subcall function 001A0FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 001A0FE5
Part of subcall function 001A0FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 001A0FEC
Part of subcall function 001A0FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 001A1002

GetLengthSid.ADVAPI32(?,00000000,001A1335), ref: 001A17AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 001A17BA
HeapAlloc.KERNEL32(00000000), ref: 001A17C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 001A17DA
GetProcessHeap.KERNEL32(00000000,00000000,001A1335), ref: 001A17EE
HeapFree.KERNEL32(00000000), ref: 001A17F5

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 9fc60a273891cbe8f08ba23600f910ed88e668aa4fb8ec21fff32d14ee57d3bf
Instruction ID: 9233824b97e43039dd6206560ed50c20bf298fa234a953557d8246b5bb7bb808
Opcode Fuzzy Hash: 9fc60a273891cbe8f08ba23600f910ed88e668aa4fb8ec21fff32d14ee57d3bf
Instruction Fuzzy Hash: 0911BB7A602216FFDF109FE4CC49FAE7BA9EB46355F104419F481A7290C736A980CBA0

Function 001A14CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 001A14FF
OpenProcessToken.ADVAPI32(00000000), ref: 001A1506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 001A1515
CloseHandle.KERNEL32(00000004), ref: 001A1520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 001A154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 001A1563

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: d8770f432cfb10d96dd1f8736415a29e02b905b25c58b5ba2b393aeba456dff3
Instruction ID: 751cece25b181282f6cc7389158ff1a0d4f230db5077c05fa69436e24f8fad9a
Opcode Fuzzy Hash: d8770f432cfb10d96dd1f8736415a29e02b905b25c58b5ba2b393aeba456dff3
Instruction Fuzzy Hash: A311297650620ABBDF118FA8DD49BDE7BA9EF4A744F044515FA05A20A0C375CEA0DBA0

Function 00163382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00163379,00162FE5), ref: 00163390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0016339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 001633B7
SetLastError.KERNEL32(00000000,?,00163379,00162FE5), ref: 00163409

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 6984e8cf1d2bde10922ab7d8eb48f21de38a58379446be885c928998db81d6d1
Instruction ID: 14213ea198344c4c2d10f5439ea8380d50ec1da46598180dd96340ed6a840bcf
Opcode Fuzzy Hash: 6984e8cf1d2bde10922ab7d8eb48f21de38a58379446be885c928998db81d6d1
Instruction Fuzzy Hash: 0901D432609311BEEA292775BC895776A95FB25379730032AF530812F1EF114E31D594

Function 00172D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00175686,00183CD6,?,00000000,?,00175B6A,?,?,?,?,?,0016E6D1,?,00208A48), ref: 00172D78
_free.LIBCMT ref: 00172DAB
_free.LIBCMT ref: 00172DD3
SetLastError.KERNEL32(00000000,?,?,?,?,0016E6D1,?,00208A48,00000010,00144F4A,?,?,00000000,00183CD6), ref: 00172DE0
SetLastError.KERNEL32(00000000,?,?,?,?,0016E6D1,?,00208A48,00000010,00144F4A,?,?,00000000,00183CD6), ref: 00172DEC
_abort.LIBCMT ref: 00172DF2

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: bb9f149a9a5b3820d6c0cbabfdab3c3d9fa29c76c9b97387269fec732e3031f2
Instruction ID: ca17791e81ac7f7d876e6cb6d0ed3a49a9a2120bda4251c7a95b7cfd6ed5e23b
Opcode Fuzzy Hash: bb9f149a9a5b3820d6c0cbabfdab3c3d9fa29c76c9b97387269fec732e3031f2
Instruction Fuzzy Hash: 99F0283190660137C63223B8FC0AE5A2679BFD67A0F25C519F82C932D2EF3088835160

Function 001D8A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00159639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00159693
Part of subcall function 00159639: SelectObject.GDI32(?,00000000), ref: 001596A2
Part of subcall function 00159639: BeginPath.GDI32(?), ref: 001596B9
Part of subcall function 00159639: SelectObject.GDI32(?,00000000), ref: 001596E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 001D8A4E
LineTo.GDI32(?,00000003,00000000), ref: 001D8A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 001D8A70
LineTo.GDI32(?,00000000,00000003), ref: 001D8A80
EndPath.GDI32(?), ref: 001D8A90
StrokePath.GDI32(?), ref: 001D8AA0

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 787e76599ef28169db259e38e70c7aa8e66302af84bb37a0f8376e7d78949290
Instruction ID: f2454bce6cc8d2b1fc4e116792ca53115b62eb05fd2c690babb87fb12f3a3368
Opcode Fuzzy Hash: 787e76599ef28169db259e38e70c7aa8e66302af84bb37a0f8376e7d78949290
Instruction Fuzzy Hash: 8911177600114DFFEF129F90EC88EEA7F6CEB08350F008422BA199A1A1C7719D95DFA0

Function 001A51FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 001A5218
GetDeviceCaps.GDI32(00000000,00000058), ref: 001A5229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 001A5230
ReleaseDC.USER32(00000000,00000000), ref: 001A5238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 001A524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 001A5261

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 23f0b48c61f35c91e09b09e30ed5611a233648a20efd3fd474a263bffc3adbc1
Instruction ID: f5fa2e34d23a33b80722e441425945392f7a5c14b67d42afff1e193793b6f10d
Opcode Fuzzy Hash: 23f0b48c61f35c91e09b09e30ed5611a233648a20efd3fd474a263bffc3adbc1
Instruction Fuzzy Hash: CF018F75A02719BBEB109BA59C49B4EBFB8EF48751F044466FA04A7680D6709800CBA0

Function 00141BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00141BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00141BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00141C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00141C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00141C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00141C22

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 3df470a4c8971bf68d764f61c102369d32f54d12e3a180597862afff246dffa6
Instruction ID: 04f18855b94cbeee8cff9c74a0303c482cb0212186a562249e4aa1444964351e
Opcode Fuzzy Hash: 3df470a4c8971bf68d764f61c102369d32f54d12e3a180597862afff246dffa6
Instruction Fuzzy Hash: FB016CB090275A7DE3008F5A8C85B52FFA8FF19354F00411B915C47A41C7F5A864CBE5

Function 001AEB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 001AEB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 001AEB46
GetWindowThreadProcessId.USER32(?,?), ref: 001AEB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 001AEB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 001AEB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 001AEB75

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: f6b43f29fd0ae545836bc3a053df73e543ec774e162d77a405ad738edfb1ba58
Instruction ID: 6d32b737476b859dd11ee4233c81d35ddbcd0b2afa69746fdacc5591ff5178e1
Opcode Fuzzy Hash: f6b43f29fd0ae545836bc3a053df73e543ec774e162d77a405ad738edfb1ba58
Instruction Fuzzy Hash: 79F09072143129BBEB205B529C0DEEF3B7CEFCAB11F00055AF601D1590D7A05A41C6F4

Function 00197439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00197452
SendMessageW.USER32(?,00001328,00000000,?), ref: 00197469
GetWindowDC.USER32(?), ref: 00197475
GetPixel.GDI32(00000000,?,?), ref: 00197484
ReleaseDC.USER32(?,00000000), ref: 00197496
GetSysColor.USER32(00000005), ref: 001974B0

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: b632e64756e5327da3dd0ddcf82d0c42b09e81f69481a02c63331aa79159ce27
Instruction ID: 664456e0925b76c9df05c33d9e5f479b79725a5198737c4d5b93008ecd66bf3c
Opcode Fuzzy Hash: b632e64756e5327da3dd0ddcf82d0c42b09e81f69481a02c63331aa79159ce27
Instruction Fuzzy Hash: C2018B31506216EFDB105FA4EC08BEEBBB6FF04311F110561F925A35A1CB311E91EB91

Function 001A1874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 001A187F
UnloadUserProfile.USERENV(?,?), ref: 001A188B
CloseHandle.KERNEL32(?), ref: 001A1894
CloseHandle.KERNEL32(?), ref: 001A189C
GetProcessHeap.KERNEL32(00000000,?), ref: 001A18A5
HeapFree.KERNEL32(00000000), ref: 001A18AC

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: a203ea22ef358bf600f5cf768a4c904509b866a0bc5525d59ecfe0985be25ade
Instruction ID: eac9086b978282eb27bd35878d80d1d2663d3aa78684909bb9b9442383c5fed9
Opcode Fuzzy Hash: a203ea22ef358bf600f5cf768a4c904509b866a0bc5525d59ecfe0985be25ade
Instruction Fuzzy Hash: AAE0ED36046112FBDB016FA1ED0C905BF39FF497227108A22F225818B0CB3254A0DF90

Function 0014BBE0 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 232COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0014BEB3

Strings

D%!, xrefs: 0014BE9A
D%!, xrefs: 0014BDED, 0014BD91, 0014BD1B
D%!D%!, xrefs: 0014BCA5
D%!, xrefs: 0014BCA2

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: D%!$D%!$D%!$D%!D%!
API String ID: 1385522511-4080940547
Opcode ID: 00fc5db57fa7c214ee4fd5667caf830a807294ff9bae606d2a33032af49ff0e7
Instruction ID: 0be75612581abf159567d1f67f6ddcf56f2f15a2cc3c0d32f5593f7d56d7d80c
Opcode Fuzzy Hash: 00fc5db57fa7c214ee4fd5667caf830a807294ff9bae606d2a33032af49ff0e7
Instruction Fuzzy Hash: 8C914D75A08206DFCB18CF98C0D06A9B7F2FF68314F658169E945AB360E731ED91CB90

Function 001AC5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00147620: _wcslen.LIBCMT ref: 00147625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 001AC6EE
_wcslen.LIBCMT ref: 001AC735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 001AC79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 001AC7CA

Strings

0, xrefs: 001AC6AF

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: ccc3d15b4a598ddd781ce04dc9aebfbf4ad91412588ed511d89d70e68a1e6fd1
Instruction ID: 76e270ea9cfa44f7fa059bc12ae472da7ccec0b29de54ffff4100a72940873a1
Opcode Fuzzy Hash: ccc3d15b4a598ddd781ce04dc9aebfbf4ad91412588ed511d89d70e68a1e6fd1
Instruction Fuzzy Hash: 895101796043019BD715DF68C885BAB77E8AF5A310F040A2DF9A5D32A0DB70D844CFD2

Function 001CAD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 001CAEA3

Part of subcall function 00147620: _wcslen.LIBCMT ref: 00147625

GetProcessId.KERNEL32(00000000), ref: 001CAF38
CloseHandle.KERNEL32(00000000), ref: 001CAF67

Strings

@, xrefs: 001CAE72
<, xrefs: 001CAE6B

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: ab61dcc925eb2112527b821c82e03f88b8fcf5bce6100c268c11380cd4cbf601
Instruction ID: e315f40b1c2bf45d4567b83897d07657b9ee98fbbfb829b9705240656f771995
Opcode Fuzzy Hash: ab61dcc925eb2112527b821c82e03f88b8fcf5bce6100c268c11380cd4cbf601
Instruction Fuzzy Hash: 87714570A00619DFCB15DFA4D485A9EBBB0FF18318F44889DE816AB3A2C774ED45CB91

Function 001A719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 001A7206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 001A723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 001A724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 001A72CF

Strings

DllGetClassObject, xrefs: 001A7242

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: b2ea579c56065e2fde32426f4c42fcc7eb3a74434b02ab9b7f8caede35e8b531
Instruction ID: aa7e0097a290af099ba0943e1f4afdafb24857302925213d5e954f4b5481cd2a
Opcode Fuzzy Hash: b2ea579c56065e2fde32426f4c42fcc7eb3a74434b02ab9b7f8caede35e8b531
Instruction Fuzzy Hash: 85417F75605204EFDB15CF54CC84BAA7BA9EF46310F1580AEBD059F28AD7B0DA45CBA0

Function 001D3D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 001D3E35
IsMenu.USER32(?), ref: 001D3E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 001D3E92
DrawMenuBar.USER32 ref: 001D3EA5

Strings

0, xrefs: 001D3D89

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: e59685dd375d17eae963757fec2835134e094001f074b10c5afb5fce42a48624
Instruction ID: 5ee3e772512eaa98aaaeba8477511f6f6594596bab68693579781c608be9f67f
Opcode Fuzzy Hash: e59685dd375d17eae963757fec2835134e094001f074b10c5afb5fce42a48624
Instruction Fuzzy Hash: AC414A75A01209AFDB10DF50E884AEABBB9FF49350F04412AE92597390D730AE55CF91

Function 001A1DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00149CB3: _wcslen.LIBCMT ref: 00149CBD

Part of subcall function 001A3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 001A3CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 001A1E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 001A1E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 001A1EA9

Part of subcall function 00146B57: _wcslen.LIBCMT ref: 00146B6A

Strings

ListBox, xrefs: 001A1E25
ComboBox, xrefs: 001A1DF0

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: 4e4dc77c4851656a8c739f207099802b5f0d6721075b0ac7b2bd671b3bcc71e0
Instruction ID: d64ac6ce0536f9d7e957f82441ce7b1668f5916cd058e3d33909988d866c5148
Opcode Fuzzy Hash: 4e4dc77c4851656a8c739f207099802b5f0d6721075b0ac7b2bd671b3bcc71e0
Instruction Fuzzy Hash: CE216675A00104BEDB19ABA4DC46CFFB7B8EF53364F10451AF821A72E1DB344D0ADA60

Function 001D2F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 001D2F8D
LoadLibraryW.KERNEL32(?), ref: 001D2F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 001D2FA9
DestroyWindow.USER32(?), ref: 001D2FB1

Strings

SysAnimate32, xrefs: 001D2F68

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: 5b5c83e184013b0539e013550e1770318140807c8ed67a2b0488001b79f29278
Instruction ID: f4a21e3fae250efe555454abfa372c7e4b1ef116dab39c9baa9334b414df2060
Opcode Fuzzy Hash: 5b5c83e184013b0539e013550e1770318140807c8ed67a2b0488001b79f29278
Instruction Fuzzy Hash: 4B219D71204205AFEB104F64DC84EBB77BDEF69368F104A1AFA64D72A0D771DC91A760

Function 00164D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00164D1E,001728E9,?,00164CBE,001728E9,002088B8,0000000C,00164E15,001728E9,00000002), ref: 00164D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00164DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00164D1E,001728E9,?,00164CBE,001728E9,002088B8,0000000C,00164E15,001728E9,00000002,00000000), ref: 00164DC3

Strings

CorExitProcess, xrefs: 00164D98
mscoree.dll, xrefs: 00164D86

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: e637611abeb4145332be7343c73b41216a98dd9a7a7beafe9327de555506aa3b
Instruction ID: 86544713685fa0ff5a29202d56e132bbbd5f18b6d60a5fb7b2e94b324188014b
Opcode Fuzzy Hash: e637611abeb4145332be7343c73b41216a98dd9a7a7beafe9327de555506aa3b
Instruction Fuzzy Hash: 89F0AF30A02219FBDB119F90DC09BEEBBB9EF58751F0001A9F805A2660CF705A90CAD0

Function 00144E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00144EDD,?,00211418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00144E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00144EAE
FreeLibrary.KERNEL32(00000000,?,?,00144EDD,?,00211418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00144EC0

Strings

Wow64DisableWow64FsRedirection, xrefs: 00144EA8
kernel32.dll, xrefs: 00144E94

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: f445f8c4b39db2a83dc8b67c142f883d2a9b35872534c83c37c34ee1e40313ec
Instruction ID: e4603957b4ea70a44fbef1215d1484e31a3027cd14164c4b9b5fd79182ab8d70
Opcode Fuzzy Hash: f445f8c4b39db2a83dc8b67c142f883d2a9b35872534c83c37c34ee1e40313ec
Instruction Fuzzy Hash: CDE08635A03633DBD22117256C1CB9B6658AF81B627050516FC00E2261DF64CD41C4E4

Function 00144E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00183CDE,?,00211418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00144E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00144E74
FreeLibrary.KERNEL32(00000000,?,?,00183CDE,?,00211418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00144E87

Strings

Wow64RevertWow64FsRedirection, xrefs: 00144E6E
kernel32.dll, xrefs: 00144E5B

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: b3db7d5537931450275d3128aa5a242d7ee3cb2ae430db0c5980829f91da0558
Instruction ID: 416c1ee14c3a97bcd3e34482b7aa9318eb2d1228ee8edb31ab6c44eb28be443c
Opcode Fuzzy Hash: b3db7d5537931450275d3128aa5a242d7ee3cb2ae430db0c5980829f91da0558
Instruction Fuzzy Hash: 08D0123550363397AA221B256C18ECB6B1CAF85B513050A17B905F3165CF64CD41C5D0

Function 001B2947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 001B2C05
DeleteFileW.KERNEL32(?), ref: 001B2C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 001B2C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 001B2CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 001B2CC0

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: 5034b9d0679f508778c75876c7eb00f63ed232aa3a2aa29f6fbc02b04365ebc9
Instruction ID: 916c5975aa783047aba904ff3f1ee10ae325f57b6b9c7ea7b80a36d4d4c7640b
Opcode Fuzzy Hash: 5034b9d0679f508778c75876c7eb00f63ed232aa3a2aa29f6fbc02b04365ebc9
Instruction Fuzzy Hash: 72B16E72D00119ABDF25DBA4CC85EDEBBBDEF59340F1040A6F509E7151EB309A488FA1

Function 001CA387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 001CA427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 001CA435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 001CA468
CloseHandle.KERNEL32(?), ref: 001CA63D

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: cfa8482ddde0989381df944357ff9ce45107206ffa0e3b78ad22f3ce0a9c5b06
Instruction ID: 459b8f0e9ba944c1eed03ae40668bf748c302d47a2b2335143f54de1c30e3a31
Opcode Fuzzy Hash: cfa8482ddde0989381df944357ff9ce45107206ffa0e3b78ad22f3ce0a9c5b06
Instruction Fuzzy Hash: 2FA1B1716043019FD721DF28C886F2AB7E1AF98718F54881DF96A9B392D771EC45CB82

Function 0017BB27 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,001E3700), ref: 0017BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,0021121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0017BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00211270,000000FF,?,0000003F,00000000,?), ref: 0017BC36
_free.LIBCMT ref: 0017BB7F

Part of subcall function 001729C8: HeapFree.KERNEL32(00000000,00000000,?,0017D7D1,00000000,00000000,00000000,00000000,?,0017D7F8,00000000,00000007,00000000,?,0017DBF5,00000000), ref: 001729DE
Part of subcall function 001729C8: GetLastError.KERNEL32(00000000,?,0017D7D1,00000000,00000000,00000000,00000000,?,0017D7F8,00000000,00000007,00000000,?,0017DBF5,00000000,00000000), ref: 001729F0

_free.LIBCMT ref: 0017BD4B

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: c98f79dc140429f3cfc5f78b6f84dc84c0220dc631eabd81b90122caea9db230
Instruction ID: 848cd77af235fae4ef79780425fedc6c0f43b3940f3ddfcb327472920e0b4d28
Opcode Fuzzy Hash: c98f79dc140429f3cfc5f78b6f84dc84c0220dc631eabd81b90122caea9db230
Instruction Fuzzy Hash: 53510971908219AFCB10EF65DCC5AAEB7BCEF54310F10C26AE918D7191EB305E81CB50

Function 001AE3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 001ADDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,001ACF22,?), ref: 001ADDFD

Part of subcall function 001ADDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,001ACF22,?), ref: 001ADE16

Part of subcall function 001AE199: GetFileAttributesW.KERNEL32(?,001ACF95), ref: 001AE19A

lstrcmpiW.KERNEL32(?,?), ref: 001AE473
MoveFileW.KERNEL32(?,?), ref: 001AE4AC
_wcslen.LIBCMT ref: 001AE5EB
_wcslen.LIBCMT ref: 001AE603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 001AE650

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: 2fe466882ab8938c04caf03284eefd6d8cb8f3c10a7316b4bcdc56fbc4d3958b
Instruction ID: c46419c78065040ceb723dfcee605ee0fc51b6527289aa40f54b454da4aef3f2
Opcode Fuzzy Hash: 2fe466882ab8938c04caf03284eefd6d8cb8f3c10a7316b4bcdc56fbc4d3958b
Instruction Fuzzy Hash: 1A5177B64083459BC724EBA4DC819DFB3ECAF95340F00491EF589D3191EF74A688C766

Function 001CB9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00149CB3: _wcslen.LIBCMT ref: 00149CBD

Part of subcall function 001CC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,001CB6AE,?,?), ref: 001CC9B5
Part of subcall function 001CC998: _wcslen.LIBCMT ref: 001CC9F1
Part of subcall function 001CC998: _wcslen.LIBCMT ref: 001CCA68
Part of subcall function 001CC998: _wcslen.LIBCMT ref: 001CCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 001CBAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 001CBB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 001CBB63
RegCloseKey.ADVAPI32(?,?), ref: 001CBBA6
RegCloseKey.ADVAPI32(00000000), ref: 001CBBB3

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: d552b8af5698e4a5a00f29116718e6429a796deed8ee71f6da898d4f7d971c52
Instruction ID: 72d95ab3595897a5baead23a26cd3705e1a86980a4293510d4bbc0da26168f13
Opcode Fuzzy Hash: d552b8af5698e4a5a00f29116718e6429a796deed8ee71f6da898d4f7d971c52
Instruction Fuzzy Hash: 85614831209241AFD714DF24C4D1F2ABBE5BF94308F54895DF49A8B2A2DB31ED45CB92

Function 001A8BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 001A8BCD
VariantClear.OLEAUT32 ref: 001A8C3E
VariantClear.OLEAUT32 ref: 001A8C9D
VariantClear.OLEAUT32(?), ref: 001A8D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 001A8D3B

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 7ebed7fc21fc50eb0b2cc193355692db47bd7876b280dbb972aa460ee9b4a7df
Instruction ID: 048c8e28eb2deb29c1415dd87a6122ce19330172609013ebe90f6b3d131b5f67
Opcode Fuzzy Hash: 7ebed7fc21fc50eb0b2cc193355692db47bd7876b280dbb972aa460ee9b4a7df
Instruction Fuzzy Hash: EE516AB5A0121AEFCB14CF68C894AAAB7F8FF89310B158559F905DB354E730E911CF90

Function 001B8AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 001B8BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 001B8BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 001B8C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 001B8C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 001B8C5F

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 15f400ec8cf9a7ecc52f4653551944859af7e79517a878ee3d5d227c769eb82b
Instruction ID: 738a4f78af8089a40e3b549cb8c7be5e98ad8a94728736a62a3a9e58922b4337
Opcode Fuzzy Hash: 15f400ec8cf9a7ecc52f4653551944859af7e79517a878ee3d5d227c769eb82b
Instruction Fuzzy Hash: C1512875A002159FCB05DF65C881AAABBF5FF48314F088459E849AB3B2DB35ED51CB90

Function 001C8EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 001C8F40
GetProcAddress.KERNEL32(00000000,?), ref: 001C8FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 001C8FEC
GetProcAddress.KERNEL32(00000000,?), ref: 001C9032
FreeLibrary.KERNEL32(00000000), ref: 001C9052

Part of subcall function 0015F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,001B1043,?,7529E610), ref: 0015F6E6
Part of subcall function 0015F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,0019FA64,00000000,00000000,?,?,001B1043,?,7529E610,?,0019FA64), ref: 0015F70D

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: ce8d13a4050b1d7f0f5d254d45da252827499b6547bff89c8d586ae3e7067022
Instruction ID: 14fa0a7a4b2b2640e162c758637414073ca3406c4294e3050a6cd54f33537709
Opcode Fuzzy Hash: ce8d13a4050b1d7f0f5d254d45da252827499b6547bff89c8d586ae3e7067022
Instruction Fuzzy Hash: D2513534A05215DFCB05DF58C484DADBBB1FF69314B0980A9E80A9B762DB31ED86CB90

Function 001D6B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 001D6C33
SetWindowLongW.USER32(?,000000EC,?), ref: 001D6C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 001D6C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,001BAB79,00000000,00000000), ref: 001D6C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 001D6CC7

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: fe51cd4b2c5088998e01b1a8b84e335c581797af07b7dfdbfba988c6a800d840
Instruction ID: d8c08e374064cc273af92447653a93efeabeffe638020d2ded08664b64c00f6e
Opcode Fuzzy Hash: fe51cd4b2c5088998e01b1a8b84e335c581797af07b7dfdbfba988c6a800d840
Instruction Fuzzy Hash: 0E41E635614114AFDB24CF28CC98FEA7BA5EB09350F15026AF999A73E0C771ED41DA80

Function 00172051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 001720C3
_free.LIBCMT ref: 001720E3

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: ab8ae8fc89a6dfd9b0ce37625ec2355d6c357b6f443d29ba13e3b0529de5367d
Instruction ID: 511fc9405644cc3c8be0d579a4c476cf79d1799ccfefca453c055531b734c222
Opcode Fuzzy Hash: ab8ae8fc89a6dfd9b0ce37625ec2355d6c357b6f443d29ba13e3b0529de5367d
Instruction Fuzzy Hash: D041C472A002009FCB24DF78C881A5DB7F5FF99314F658569EA19EB352D731AD02CB91

Function 0015912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00159141
ScreenToClient.USER32(00000000,?), ref: 0015915E
GetAsyncKeyState.USER32(00000001), ref: 00159183
GetAsyncKeyState.USER32(00000002), ref: 0015919D

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 0c78fd69e341537e95090f969521461aee359297f8da3e9c0f3de2285a32b5f6
Instruction ID: cf3c5d04cdf6d6649ee2d0940100e0808dd794b2e223732ec346386997748ebf
Opcode Fuzzy Hash: 0c78fd69e341537e95090f969521461aee359297f8da3e9c0f3de2285a32b5f6
Instruction Fuzzy Hash: C6413D71A0861AEBDF199F64C884BEEB774FF15321F208226E835A62D0C7306954CB91

Function 001B3874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 001B38CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 001B3922
TranslateMessage.USER32(?), ref: 001B394B
DispatchMessageW.USER32(?), ref: 001B3955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 001B3966

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: ffc6c4c8c4aca65f6e6c2dc88fb38cecc2bc6f1aadd4c6e081a5b555d55c9a92
Instruction ID: 6169710d6442e2d840355b458237d5f9afc364e468d29a0b7d910f21c35d30de
Opcode Fuzzy Hash: ffc6c4c8c4aca65f6e6c2dc88fb38cecc2bc6f1aadd4c6e081a5b555d55c9a92
Instruction Fuzzy Hash: E131C970905342EEEB39CB34EC4CBF637A8AB15308F44456DE572C21A0EBB5A6A5CB51

Function 001BCF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000), ref: 001BCF38
InternetReadFile.WININET(?,00000000,?,?), ref: 001BCF6F
GetLastError.KERNEL32(?,00000000,?,?,?,001BC21E,00000000), ref: 001BCFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,001BC21E,00000000), ref: 001BCFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,001BC21E,00000000), ref: 001BCFF2

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: 38c6bfc007ec98c3b6beb4cee44adb6bc6f3754f3a3e5da8ef52ad574108a582
Instruction ID: 409c3da3017ef487ff03cd6fdf6860466e65024d0afdf95f022c9b8384eeebdb
Opcode Fuzzy Hash: 38c6bfc007ec98c3b6beb4cee44adb6bc6f3754f3a3e5da8ef52ad574108a582
Instruction Fuzzy Hash: 2A314A71A01206EFDB24DFA9C884ABBBBF9EB14351B1044AEF516D2140DB30EE41DBE0

Function 001A1901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 001A1915
PostMessageW.USER32(00000001,00000201,00000001), ref: 001A19C1
Sleep.KERNEL32(00000000,?,?,?), ref: 001A19C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 001A19DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 001A19E2

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 7eb3d221852dd1504be6157637e4e55cb36e725b6bb549375773801769f97274
Instruction ID: 7129e8bb277980fcbdf2716e68697975dffc3b8dae75db30350af627a778f020
Opcode Fuzzy Hash: 7eb3d221852dd1504be6157637e4e55cb36e725b6bb549375773801769f97274
Instruction Fuzzy Hash: 0C31BF76A0121AFFCB04CFA8CD99ADF3BB5EB05319F104629F921AB2D1C7709944CB90

Function 001D5706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 001D5745
SendMessageW.USER32(?,00001074,?,00000001), ref: 001D579D
_wcslen.LIBCMT ref: 001D57AF
_wcslen.LIBCMT ref: 001D57BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 001D5816

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: b0c9cfdd61e5247263a3837554f9975e1e4e07b141d6b7c9246726ab53f41fb5
Instruction ID: 7f5c2fcafc1bd3fdbd5c267cfe95be05df1cf6572acf9133cb035c9fc1756304
Opcode Fuzzy Hash: b0c9cfdd61e5247263a3837554f9975e1e4e07b141d6b7c9246726ab53f41fb5
Instruction Fuzzy Hash: AE218071905618DADB209FA4CC85AEE7BB9FF14724F10821BE929EA2C0E7709985CF51

Function 001C0930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 001C0951
GetForegroundWindow.USER32 ref: 001C0968
GetDC.USER32(00000000), ref: 001C09A4
GetPixel.GDI32(00000000,?,00000003), ref: 001C09B0
ReleaseDC.USER32(00000000,00000003), ref: 001C09E8

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: dd68991fc65110b58f974b20f5167959b8c23c92481e12df93244074ea06b892
Instruction ID: 06abff5f4db7880bf46fd86864ab1dd2b96cab482a5d338267405614c1a7e305
Opcode Fuzzy Hash: dd68991fc65110b58f974b20f5167959b8c23c92481e12df93244074ea06b892
Instruction Fuzzy Hash: 5F216D35601214AFD704EF69D894AAEBBF9EF58700F04846DE84AD7762CB30EC44CB90

Function 0017CDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0017CDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0017CDE9

Part of subcall function 00173820: RtlAllocateHeap.NTDLL(00000000,?,00211444,?,0015FDF5,?,?,0014A976,00000010,00211440,001413FC,?,001413C6,?,00141129), ref: 00173852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0017CE0F
_free.LIBCMT ref: 0017CE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0017CE31

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: a6d71c3c789eb4840dc6fa0122ea8ae842e790c6e3a578a66333b14603260342
Instruction ID: 2896922f7597f20aead732477500c8189541378f21f8869c9c66a1f78ee66317
Opcode Fuzzy Hash: a6d71c3c789eb4840dc6fa0122ea8ae842e790c6e3a578a66333b14603260342
Instruction Fuzzy Hash: EF0184726076267F272116BA6C88D7B6E7DEFC6BA1315812EF909C7201EF618D0291F0

Function 00159639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00159693
SelectObject.GDI32(?,00000000), ref: 001596A2
BeginPath.GDI32(?), ref: 001596B9
SelectObject.GDI32(?,00000000), ref: 001596E2

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: b5017d9f9ce28acf6cf9b66b53fdaf7e7d58804ba2aeab299a8a7e63d4b62fdf
Instruction ID: 4c4216d9843a8d482bf6d12be46c74766313349f713eb1e277dcaa4787e630cd
Opcode Fuzzy Hash: b5017d9f9ce28acf6cf9b66b53fdaf7e7d58804ba2aeab299a8a7e63d4b62fdf
Instruction Fuzzy Hash: 07219270802346EFDB119F24EC197E97BA9BF20316F108616F930AA1B0D77458A9CFD1

Function 001A5711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 001A5726
_memcmp.LIBVCRUNTIME ref: 001A5744
_memcmp.LIBVCRUNTIME ref: 001A5757
_memcmp.LIBVCRUNTIME ref: 001A576F
_memcmp.LIBVCRUNTIME ref: 001A5787

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 2daf661379563ecf5d41d4441b0b11d30eb02da1052cb25b747733112563a002
Instruction ID: 1eaab63fb4e31776fdbd0f8182779a1821fed5a5ac948935331f3bd3e3c22a90
Opcode Fuzzy Hash: 2daf661379563ecf5d41d4441b0b11d30eb02da1052cb25b747733112563a002
Instruction Fuzzy Hash: 8B01F969245A05FBD31851509D42FBB735FAB323B4F844025FD16BA341F720EE2182A0

Function 00172DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,0016F2DE,00173863,00211444,?,0015FDF5,?,?,0014A976,00000010,00211440,001413FC,?,001413C6), ref: 00172DFD
_free.LIBCMT ref: 00172E32
_free.LIBCMT ref: 00172E59
SetLastError.KERNEL32(00000000,00141129), ref: 00172E66
SetLastError.KERNEL32(00000000,00141129), ref: 00172E6F

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 11bef305e79861f097167cdfa5eeb988d30b745a7be8f4db9664268ac17dbafe
Instruction ID: 365a92885f1505d1bea3dc619ccf034290e41947a028d632bdb814cb034c71b6
Opcode Fuzzy Hash: 11bef305e79861f097167cdfa5eeb988d30b745a7be8f4db9664268ac17dbafe
Instruction Fuzzy Hash: F901283220660077CA2367347C49D2B267DABE53B5B35C529F82DA32D3EF708C835060

Function 001A000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0019FF41,80070057,?,?,?,001A035E), ref: 001A002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0019FF41,80070057,?,?), ref: 001A0046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0019FF41,80070057,?,?), ref: 001A0054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0019FF41,80070057,?), ref: 001A0064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0019FF41,80070057,?,?), ref: 001A0070

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 3e1443d3ae695b44ecbc2305535419a29d1f26805d93b5360452a5e2387e7954
Instruction ID: d49d50932769904c480542d777875eff261b5772db05a32a7e48dfe1e1202699
Opcode Fuzzy Hash: 3e1443d3ae695b44ecbc2305535419a29d1f26805d93b5360452a5e2387e7954
Instruction Fuzzy Hash: D101F27A602205BFDB124F68DD04FAABBEEEF48391F104529F901D2210D770CD80DBA0

Function 001A10F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 001A1114
GetLastError.KERNEL32(?,00000000,00000000,?,?,001A0B9B,?,?,?), ref: 001A1120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,001A0B9B,?,?,?), ref: 001A112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,001A0B9B,?,?,?), ref: 001A1136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 001A114D

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: cde9b4f19e60568cc8a9ed165c8b14532787b8bf578c5716537d771718e99ead
Instruction ID: ef5ae7a19fccac4a53a8549c562b17593cd2aff11d7541275e48e24880e3444c
Opcode Fuzzy Hash: cde9b4f19e60568cc8a9ed165c8b14532787b8bf578c5716537d771718e99ead
Instruction Fuzzy Hash: 46011D79102216FFDB114F75DC49A6A3B6EEF86364B144815FA45D7350DB31DC40DAA0

Function 001A0FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 001A0FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 001A0FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 001A0FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 001A0FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 001A1002

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 7dbab17680c4c3a629cbe0d5a65dc6fa1cd06d32e488a280efcaecc1d674e19e
Instruction ID: 36eecdb303f24a5080bf07d7fee4d4d44e64a6f04fb4b02385b1ca37fae30a35
Opcode Fuzzy Hash: 7dbab17680c4c3a629cbe0d5a65dc6fa1cd06d32e488a280efcaecc1d674e19e
Instruction Fuzzy Hash: 42F04F39142312FBDB214FA49D49F563B6DEF8A761F114815F945C6291CA70DC80CAA0

Function 001A1014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 001A102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 001A1036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 001A1045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 001A104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 001A1062

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: fabe85b325c16d688c742479f256530f24b35262516c1a1a91faf79f8ad9d7bb
Instruction ID: 729f6a2802812dce4a6cae013d444cf7baf37c0e6f94bfc4944f4a241ab00c36
Opcode Fuzzy Hash: fabe85b325c16d688c742479f256530f24b35262516c1a1a91faf79f8ad9d7bb
Instruction Fuzzy Hash: A2F06239142312FBDB215FA4ED49F563B6DFF8A761F210815F945C7290CB70D880CAA0

Function 001B030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,001B017D,?,001B32FC,?,00000001,00182592,?), ref: 001B0324
CloseHandle.KERNEL32(?,?,?,?,001B017D,?,001B32FC,?,00000001,00182592,?), ref: 001B0331
CloseHandle.KERNEL32(?,?,?,?,001B017D,?,001B32FC,?,00000001,00182592,?), ref: 001B033E
CloseHandle.KERNEL32(?,?,?,?,001B017D,?,001B32FC,?,00000001,00182592,?), ref: 001B034B
CloseHandle.KERNEL32(?,?,?,?,001B017D,?,001B32FC,?,00000001,00182592,?), ref: 001B0358
CloseHandle.KERNEL32(?,?,?,?,001B017D,?,001B32FC,?,00000001,00182592,?), ref: 001B0365

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 4139a9aaaeba43733d9d6db862cf46174b5ecc8183b672567fa7364dc07c1c32
Instruction ID: 453291862663ee58c0ed70cd700c3788c9a45f121f702e46ace81d0ab0337ce6
Opcode Fuzzy Hash: 4139a9aaaeba43733d9d6db862cf46174b5ecc8183b672567fa7364dc07c1c32
Instruction Fuzzy Hash: 6901EA72801B059FCB32AF66D880843FBF9BF603053058A3FD19252930C3B1A988CF80

Function 0017D73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0017D752

Part of subcall function 001729C8: HeapFree.KERNEL32(00000000,00000000,?,0017D7D1,00000000,00000000,00000000,00000000,?,0017D7F8,00000000,00000007,00000000,?,0017DBF5,00000000), ref: 001729DE
Part of subcall function 001729C8: GetLastError.KERNEL32(00000000,?,0017D7D1,00000000,00000000,00000000,00000000,?,0017D7F8,00000000,00000007,00000000,?,0017DBF5,00000000,00000000), ref: 001729F0

_free.LIBCMT ref: 0017D764
_free.LIBCMT ref: 0017D776
_free.LIBCMT ref: 0017D788
_free.LIBCMT ref: 0017D79A

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: dbc1e45fc0c0881bf4e9ccf3235187f37d02c9ebddf08927e560bceabeae277d
Instruction ID: 91e9830c22ce2dfae0f5f954200b9d5d88e3e6221c7eddfcf762b7f6a86b3b2d
Opcode Fuzzy Hash: dbc1e45fc0c0881bf4e9ccf3235187f37d02c9ebddf08927e560bceabeae277d
Instruction Fuzzy Hash: 20F04F72540318ABC625EB78F9C6C16B7FDBF44318BA88805F14CE7502C730FC818664

Function 001A5C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 001A5C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 001A5C6F
MessageBeep.USER32(00000000), ref: 001A5C87
KillTimer.USER32(?,0000040A), ref: 001A5CA3
EndDialog.USER32(?,00000001), ref: 001A5CBD

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 132f0a60f5e30e66a0988a06fa393d8ddbd5d29b07ffa53ffe3c57820554d8e3
Instruction ID: 014904c14267b7efe5cfc513c88cb3bd64970399f87b96f4ecd4cfe7dbed1a82
Opcode Fuzzy Hash: 132f0a60f5e30e66a0988a06fa393d8ddbd5d29b07ffa53ffe3c57820554d8e3
Instruction Fuzzy Hash: 0601D634501B04ABEB215B10ED4EFA677BDFB01B15F00065AA583A14E4DBF0A984CA90

Function 001722A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 001722BE

Part of subcall function 001729C8: HeapFree.KERNEL32(00000000,00000000,?,0017D7D1,00000000,00000000,00000000,00000000,?,0017D7F8,00000000,00000007,00000000,?,0017DBF5,00000000), ref: 001729DE
Part of subcall function 001729C8: GetLastError.KERNEL32(00000000,?,0017D7D1,00000000,00000000,00000000,00000000,?,0017D7F8,00000000,00000007,00000000,?,0017DBF5,00000000,00000000), ref: 001729F0

_free.LIBCMT ref: 001722D0
_free.LIBCMT ref: 001722E3
_free.LIBCMT ref: 001722F4
_free.LIBCMT ref: 00172305

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: f3f48c3bebc11e85c1243938bc4d2c1065e58b317cb11f5e8427c1262b8373c8
Instruction ID: 9f4cf643265d4b048a2883b88d2e7d46626ad17dcfb32c570f7eeb5e2434eafe
Opcode Fuzzy Hash: f3f48c3bebc11e85c1243938bc4d2c1065e58b317cb11f5e8427c1262b8373c8
Instruction Fuzzy Hash: ABF030B04012308BC712AF64BC4A8887B74B738750B25C606F518D32B2CF7504A39BA4

Function 001595C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 001595D4
StrokeAndFillPath.GDI32(?,?,001971F7,00000000,?,?,?), ref: 001595F0
SelectObject.GDI32(?,00000000), ref: 00159603
DeleteObject.GDI32 ref: 00159616
StrokePath.GDI32(?), ref: 00159631

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: d7340321d79ebb2286abc6f703fc636fc4db473c6bcdedc89a0d3abb955c1fb9
Instruction ID: c75c8f9f451ff6bad523055e8a3fe5321e563a94fd3cd5504cce3c80d8931b84
Opcode Fuzzy Hash: d7340321d79ebb2286abc6f703fc636fc4db473c6bcdedc89a0d3abb955c1fb9
Instruction Fuzzy Hash: 9EF03C34007385EBDB165F69FD1C7A43B61AB10322F04C215FA35594F0CB3089A9DFA1

Function 00170F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 001710F9
__freea.LIBCMT ref: 00171117

Part of subcall function 00171537: _free.LIBCMT ref: 0017154F

Strings

am/pm, xrefs: 0017117A
a/p, xrefs: 001711DE

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: c4c50930bb9c7eb98bb061fd4971f7b9ebab1a2297cad578519205c51eaa33be
Instruction ID: 6c0b2c099d87182f4ff16dc7ebffa8ca8cc38285531f0bc0942887707fb801ee
Opcode Fuzzy Hash: c4c50930bb9c7eb98bb061fd4971f7b9ebab1a2297cad578519205c51eaa33be
Instruction Fuzzy Hash: 60D11231900206EADB289F6CC895BFEB7B5FF05720F29C159E90DAB651D3359D80CBA1

Function 001C61D0 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 324COMMON

Download Yara Rule

APIs

Part of subcall function 00160242: EnterCriticalSection.KERNEL32(0021070C,00211884,?,?,0015198B,00212518,?,?,?,001412F9,00000000), ref: 0016024D
Part of subcall function 00160242: LeaveCriticalSection.KERNEL32(0021070C,?,0015198B,00212518,?,?,?,001412F9,00000000), ref: 0016028A

Part of subcall function 001600A3: __onexit.LIBCMT ref: 001600A9

__Init_thread_footer.LIBCMT ref: 001C6238

Part of subcall function 001601F8: EnterCriticalSection.KERNEL32(0021070C,?,?,00158747,00212514), ref: 00160202
Part of subcall function 001601F8: LeaveCriticalSection.KERNEL32(0021070C,?,00158747,00212514), ref: 00160235

Part of subcall function 001B359C: LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 001B35E4
Part of subcall function 001B359C: LoadStringW.USER32(00212390,?,00000FFF,?), ref: 001B360A

Strings

x#!, xrefs: 001C636F
x#!, xrefs: 001C633A
x#!, xrefs: 001C6353

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeaveLoadString$Init_thread_footer__onexit
String ID: x#!$x#!$x#!
API String ID: 1072379062-1188481307
Opcode ID: d45b91ef454392ce2543167ce33c8b078a2622d4554bc27c2763a2c692fddb3b
Instruction ID: 6640d66aa173ab0a0f924f4637b7b6b256548efe18c225b5c36e23d2762b4752
Opcode Fuzzy Hash: d45b91ef454392ce2543167ce33c8b078a2622d4554bc27c2763a2c692fddb3b
Instruction Fuzzy Hash: E2C16971A00109ABCB24DF98C891EAEB7B9EF68340F14806DF9159B291DB70ED55CB90

Function 001C7B7E Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00160242: EnterCriticalSection.KERNEL32(0021070C,00211884,?,?,0015198B,00212518,?,?,?,001412F9,00000000), ref: 0016024D
Part of subcall function 00160242: LeaveCriticalSection.KERNEL32(0021070C,?,0015198B,00212518,?,?,?,001412F9,00000000), ref: 0016028A

Part of subcall function 00149CB3: _wcslen.LIBCMT ref: 00149CBD

Part of subcall function 001600A3: __onexit.LIBCMT ref: 001600A9

__Init_thread_footer.LIBCMT ref: 001C7BFB

Part of subcall function 001601F8: EnterCriticalSection.KERNEL32(0021070C,?,?,00158747,00212514), ref: 00160202
Part of subcall function 001601F8: LeaveCriticalSection.KERNEL32(0021070C,?,00158747,00212514), ref: 00160235

Strings

G, xrefs: 001C7C7F
Variable must be of type 'Object'., xrefs: 001C7C3A
5, xrefs: 001C7C78

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: 5$G$Variable must be of type 'Object'.
API String ID: 535116098-3733170431
Opcode ID: f01e47e8600b63ff0b924d24c5ac6af8210b27321d8920376fea993f3352c93e
Instruction ID: 409989bda0903a0f302c15e717b2f7a3a37e254df0e2d2e3e9c74889ca42df0a
Opcode Fuzzy Hash: f01e47e8600b63ff0b924d24c5ac6af8210b27321d8920376fea993f3352c93e
Instruction Fuzzy Hash: 77915A70A04209AFCB14EF94D891EBDB7B2AF69300F54805DF8069B292DBB1EE45DB51

Function 001A2716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 001AB403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,001A21D0,?,?,00000034,00000800,?,00000034), ref: 001AB42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 001A2760

Part of subcall function 001AB3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,001A21FF,?,?,00000800,?,00001073,00000000,?,?), ref: 001AB3F8

Part of subcall function 001AB32A: GetWindowThreadProcessId.USER32(?,?), ref: 001AB355
Part of subcall function 001AB32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,001A2194,00000034,?,?,00001004,00000000,00000000), ref: 001AB365
Part of subcall function 001AB32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,001A2194,00000034,?,?,00001004,00000000,00000000), ref: 001AB37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 001A27CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 001A281A

Strings

@, xrefs: 001A2832

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 08d33ada49225c7ee8b6a5afa9991417f3cb84114bb28f8d03a74277def9c077
Instruction ID: 749c1f983208ed85fa35b5715582d1531fc416ee48ea5c42dfdef7e1f5811108
Opcode Fuzzy Hash: 08d33ada49225c7ee8b6a5afa9991417f3cb84114bb28f8d03a74277def9c077
Instruction Fuzzy Hash: FB413D76901218BFDB10DFA4CD81AEEBBB8EF1A300F004055FA55B7191DB706E85CBA0

Function 0017172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104), ref: 00171769
_free.LIBCMT ref: 00171834
_free.LIBCMT ref: 0017183E

Strings

C:\Users\user\Desktop\file.exe, xrefs: 00171760, 00171767, 00171796, 001717CE

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\file.exe
API String ID: 2506810119-517116171
Opcode ID: 08d7852d25cec00e960b4283675515078ac58d08f7642d51255db3fdebae6fd8
Instruction ID: fce55722430450fa2887245692c80eaf782a493cd68275f2ef630f8c73db744c
Opcode Fuzzy Hash: 08d7852d25cec00e960b4283675515078ac58d08f7642d51255db3fdebae6fd8
Instruction Fuzzy Hash: 2E316F71A40218BBDB25DF999885D9EBBFCEBA5310B14816AE90897211DB708A41CB91

Function 001AC27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 001AC306
DeleteMenu.USER32(?,00000007,00000000), ref: 001AC34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00211990,010E5638), ref: 001AC395

Strings

0, xrefs: 001AC2DF

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 64e57ecb694033376104d46c54aa31e7701561c6e94279b43821aab5ab378cb9
Instruction ID: dcb35d537a9338c044de16deb91eecc945f4c4132f54ed1fb575526816807746
Opcode Fuzzy Hash: 64e57ecb694033376104d46c54aa31e7701561c6e94279b43821aab5ab378cb9
Instruction Fuzzy Hash: CA41C5352083019FDB24DF25D884B6BBBE4BF96310F008A1DF965972D1D770E904CB92

Function 001D4416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,001DCC08,00000000,?,?,?,?), ref: 001D44AA
GetWindowLongW.USER32 ref: 001D44C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 001D44D7

Strings

SysTreeView32, xrefs: 001D447C

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: f6bcb5ae5029a9092c618e4b3bdccdc48eae330685aa43be84136e485ab53025
Instruction ID: 8e42c2e49ac225311bd2e7b0bfa6f2bdd94db44df63a4ec09883645e99bfebeb
Opcode Fuzzy Hash: f6bcb5ae5029a9092c618e4b3bdccdc48eae330685aa43be84136e485ab53025
Instruction Fuzzy Hash: 77319E31210206AFDF208F38DC45BEA77A9EB09334F204716F975922E0D770EC909750

Function 001C304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 001C335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,001C3077,?,?), ref: 001C3378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 001C307A
_wcslen.LIBCMT ref: 001C309B
htons.WSOCK32(00000000,?,?,00000000), ref: 001C3106

Strings

255.255.255.255, xrefs: 001C3095, 001C309A

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: 06a0bb487772afe906e6444c99d9217cb0a448d186d216e34b932f46e3e281fc
Instruction ID: 173945ad76c0ba0ad476d1e40bf2277cf21ce2eb61041209446e18ccbed591fd
Opcode Fuzzy Hash: 06a0bb487772afe906e6444c99d9217cb0a448d186d216e34b932f46e3e281fc
Instruction Fuzzy Hash: 8731E7362002059FCB10CF68C485FAA77E0EF64318F29C05DE9268B792DB32DE41C761

Function 001D3EB8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 001D3F40
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 001D3F54
SendMessageW.USER32(?,00001002,00000000,?), ref: 001D3F78

Strings

SysMonthCal32, xrefs: 001D3F0B

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: b046272b859d8c81960bc3ce8f57c34ddd14b9415e7a0c6a43d2edd2f41bc7fe
Instruction ID: e59e782daf15adb63e504f2db07f1eeaa3e1eaed5bd5b4e274dfeac510e4d3be
Opcode Fuzzy Hash: b046272b859d8c81960bc3ce8f57c34ddd14b9415e7a0c6a43d2edd2f41bc7fe
Instruction Fuzzy Hash: A421AD32610219BFDF218F50DC46FEA3B75EB48714F110215FA156B2D0D7B1A850CBA1

Function 001D4653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 001D4705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 001D4713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 001D471A

Strings

msctls_updown32, xrefs: 001D4684

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 4f4987ad6de79eb9d83c8f24e51d908e53108001302b15b80841cf8238937817
Instruction ID: de7d3403f66670bc92df98a2b06595a1a37971c619ebfcbacf42dd74421514e7
Opcode Fuzzy Hash: 4f4987ad6de79eb9d83c8f24e51d908e53108001302b15b80841cf8238937817
Instruction Fuzzy Hash: 0E216DB5601209AFDB10DF64DCC5DB737ADEF5A3A4B04055AFA009B3A1CB31EC61CAA0

Function 001A95AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 001A961D

Strings

#OnAutoItStartRegister, xrefs: 001A95F3
#requireadmin, xrefs: 001A95D9
#notrayicon, xrefs: 001A95B7

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: 4a230fa8e78438bbcf90998eb0bc2a29ef860298c68b9c25f76ff041be7652da
Instruction ID: bfa7f76497f60578d843411cb2261d364b948ef7a0b605d2d22b3fe719605d73
Opcode Fuzzy Hash: 4a230fa8e78438bbcf90998eb0bc2a29ef860298c68b9c25f76ff041be7652da
Instruction Fuzzy Hash: F021573660422066D335AB349C03FBB73D89FA6300F11442BF94E97181EB51AED6C2D5

Function 001D37B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 001D3840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 001D3850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 001D3876

Strings

Listbox, xrefs: 001D380F

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 315006e30887a9a4f5ac27230553c22aa549127b93415c6da5b67dad42bd81e7
Instruction ID: 5887ea9ba604a68a86806f2a913e453fd3b31b56180094e4b1aeb51c1bc63702
Opcode Fuzzy Hash: 315006e30887a9a4f5ac27230553c22aa549127b93415c6da5b67dad42bd81e7
Instruction Fuzzy Hash: 8021BE72610219BBEF218F54DC85FAB376AEF89750F118126FA109B290CB71EC5297A0

Function 001B49F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 001B4A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 001B4A5C
SetErrorMode.KERNEL32(00000000,?,?,001DCC08), ref: 001B4AD0

Strings

%lu, xrefs: 001B4A6F

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: 6599b33f3124f64663e4d78b99c4bc344553561b1f02643f0e2e9d1b0fed99fb
Instruction ID: b31b5ab45a94ccba4ff775f5d0f440f77945fea0f93d498c7855ddd872fecf07
Opcode Fuzzy Hash: 6599b33f3124f64663e4d78b99c4bc344553561b1f02643f0e2e9d1b0fed99fb
Instruction Fuzzy Hash: 78315075A00119EFD710DF64C885EAA77F8EF05308F148495F909DB262D771ED46CBA1

Function 001D41EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 001D424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 001D4264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 001D4271

Strings

msctls_trackbar32, xrefs: 001D4226

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: f011bb83809de0c5b0c311d7096a49e06ab6e47ae2c3bcdf924b5c7a2d7bcb45
Instruction ID: 2e719307480e14e0b4d0381848db33416e8804f314b8ebe5ee63e306457a8b47
Opcode Fuzzy Hash: f011bb83809de0c5b0c311d7096a49e06ab6e47ae2c3bcdf924b5c7a2d7bcb45
Instruction Fuzzy Hash: 1411E072240208BFEF209E28DC06FAB3BACEF95B64F110525FA55E21A0D771D8619B20

Function 001A2F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00146B57: _wcslen.LIBCMT ref: 00146B6A

Part of subcall function 001A2DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 001A2DC5
Part of subcall function 001A2DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 001A2DD6
Part of subcall function 001A2DA7: GetCurrentThreadId.KERNEL32 ref: 001A2DDD
Part of subcall function 001A2DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 001A2DE4

GetFocus.USER32 ref: 001A2F78

Part of subcall function 001A2DEE: GetParent.USER32(00000000), ref: 001A2DF9

GetClassNameW.USER32(?,?,00000100), ref: 001A2FC3
EnumChildWindows.USER32(?,001A303B), ref: 001A2FEB

Strings

%s%d, xrefs: 001A2FFF

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: 710d5472d9ea923a56d2fdc177f1298bd36ceb90e5121f50aa459475b7956805
Instruction ID: baf566782493350b7025b0c3497a79246045fd9981e7ec0d60f3d0977a9ec3c5
Opcode Fuzzy Hash: 710d5472d9ea923a56d2fdc177f1298bd36ceb90e5121f50aa459475b7956805
Instruction Fuzzy Hash: A911A279700205ABCF147FA48C85FEE376AAFA6308F044075FD199B292DF309949CB60

Function 001D5882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 001D58C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 001D58EE
DrawMenuBar.USER32(?), ref: 001D58FD

Strings

0, xrefs: 001D588F

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: 194979a5c76aff9879404c2ed82f28d95823bb74f6bf07bd9d745a99c0c403cd
Instruction ID: 388d49f354aea0c43a4c3182e049f0de67b55ee934e057a3a864726af393f383
Opcode Fuzzy Hash: 194979a5c76aff9879404c2ed82f28d95823bb74f6bf07bd9d745a99c0c403cd
Instruction Fuzzy Hash: 2101C031600218EFDB209F15EC45BAEBBB9FF45361F00809AE848DA251DB308A85DF21

Function 0019D3A0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 0019D3BF
FreeLibrary.KERNEL32 ref: 0019D3E5

Strings

X64, xrefs: 0019D2A8
GetSystemWow64DirectoryW, xrefs: 0019D3B9

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 3013587201-2590602151
Opcode ID: 28feff0ee3426bfcc4d5010bd25c7d6a2f38430cb224143079815edde21938fe
Instruction ID: cb5326269a2c2e966aceee3a7f4d4ff281f1b98660161e2d45574c09d0915009
Opcode Fuzzy Hash: 28feff0ee3426bfcc4d5010bd25c7d6a2f38430cb224143079815edde21938fe
Instruction Fuzzy Hash: 42F02BB1406723DBDF3C6B24AD489AA3318BF11742B95875AF423F10D5DB70CE86C682

Function 001A007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5c5ccb5473f9f4e7c3eee5605f9242c698286ee98afed27a0fcb4d1d3e3b258
Instruction ID: 1debe85afaceadc88d4a9c85c6ae1f9b2ef1a6574f129f8e36797e3d6c1f0733
Opcode Fuzzy Hash: f5c5ccb5473f9f4e7c3eee5605f9242c698286ee98afed27a0fcb4d1d3e3b258
Instruction Fuzzy Hash: 18C15B79A0020AEFDB15CFA4C894BAEB7B5FF49304F218599E505EB251D731EE81CB90

Function 00173E80 Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00173F0B
__alldvrm.LIBCMT ref: 0017410C
__alldvrm.LIBCMT ref: 0017412E

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction ID: 33d14eef37c4ac9553216635baafb50104e2491b01ffb37b9c30ca01bfd09949
Opcode Fuzzy Hash: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction Fuzzy Hash: 49A15872E003869FEB25DF18C8917BEBBF4EF65350F18816DE5999B281C3389981C751

Function 001C342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 001C3459
CoUninitialize.OLE32 ref: 001C3463
VariantInit.OLEAUT32(?), ref: 001C346E
VariantClear.OLEAUT32(?), ref: 001C371B

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: 14ffb258cad52505b2d0160a0bdc997020d9e0dfc9bc691349098e2683fe2fd2
Instruction ID: 5a0974e35b6748edc973ba36270812cc5c5de39003b712b53f3b959dff0903d3
Opcode Fuzzy Hash: 14ffb258cad52505b2d0160a0bdc997020d9e0dfc9bc691349098e2683fe2fd2
Instruction Fuzzy Hash: 1BA114756042109FCB14DF28C485E2AB7E5FF98714F05885DF99A9B3A2DB30EE05CB92

Function 001A0436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,001DFC08,?), ref: 001A05F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,001DFC08,?), ref: 001A0608
CLSIDFromProgID.OLE32(?,?,00000000,001DCC40,000000FF,?,00000000,00000800,00000000,?,001DFC08,?), ref: 001A062D
_memcmp.LIBVCRUNTIME ref: 001A064E

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 4112446c38f2c423a1a1bbec3c8df8235400c3c71c1db751350619ea875a8c6b
Instruction ID: 597e065fed8a34c4878cca2b6e8af00dca11112a40910a25f5937b9328cdaf1b
Opcode Fuzzy Hash: 4112446c38f2c423a1a1bbec3c8df8235400c3c71c1db751350619ea875a8c6b
Instruction Fuzzy Hash: C7811A75A00109EFCB05DF94C988EEEB7B9FF8A315F204558E506EB250DB71AE46CB60

Function 00181391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 001814C0

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 80d969e5acbbe3072d136cdab1be6bb555934799ec456128bba353f77374e972
Instruction ID: c1028a7e8015a5469842e718d5686b00af1b8583a992edaeff6a5b68546b70f8
Opcode Fuzzy Hash: 80d969e5acbbe3072d136cdab1be6bb555934799ec456128bba353f77374e972
Instruction Fuzzy Hash: BF413A33A00500BBDB257BB99C45ABE3BADEF61330F144229F819D2191E7748A539F61

Function 001D6278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 001D62E2
ScreenToClient.USER32(?,?), ref: 001D6315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 001D6382

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: abd356eaccd988d4c34e105561bd75bc3ee036f10033c7fc6fcee41c9977729a
Instruction ID: b982cb899cb9af679a022a45213fc89b706688e0e672f8a7e86b6014c2347c61
Opcode Fuzzy Hash: abd356eaccd988d4c34e105561bd75bc3ee036f10033c7fc6fcee41c9977729a
Instruction Fuzzy Hash: 58512C75A00209AFCF14DF68D8849AE7BB5FF55360F10825AF959973A0D730ED91CB90

Function 001C1AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 001C1AFD
WSAGetLastError.WSOCK32 ref: 001C1B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 001C1B8A
WSAGetLastError.WSOCK32 ref: 001C1B94

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 2d628aac1900364692552d05848229afd27fe0148e6a82e36426ea5c2fda7933
Instruction ID: 1012104c957695cd8d7190eea263dc0d4315dcddb4132ecce167fcaa02e5e313
Opcode Fuzzy Hash: 2d628aac1900364692552d05848229afd27fe0148e6a82e36426ea5c2fda7933
Instruction Fuzzy Hash: B941B234640201AFE720AF24C886F2977E5AB55718F54844CF92A9F7D3D772DD42CB90

Function 0017B41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1052beb42853ecc95dea6d39624b2704f7d998e83a32dffc2011e9515d120e6
Instruction ID: 7e893bd5fa564953d64bedd7fa7348031a3544199d9f998c30598db354f2ac9b
Opcode Fuzzy Hash: e1052beb42853ecc95dea6d39624b2704f7d998e83a32dffc2011e9515d120e6
Instruction Fuzzy Hash: AE411B72A04704BFD7249F38CC81B6A7BF9EB98710F10852EF54BDB282D77199118B80

Function 001B56D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 001B5783
GetLastError.KERNEL32(?,00000000), ref: 001B57A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 001B57CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 001B57FA

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 1db8a3a8f64a913b0ed80aae8d43aad218f486822c97807e2b69e9d1b6948999
Instruction ID: ac4eea02900b73831ee2386fc33be73f5472c8509567f1100753ada4b29edd1c
Opcode Fuzzy Hash: 1db8a3a8f64a913b0ed80aae8d43aad218f486822c97807e2b69e9d1b6948999
Instruction Fuzzy Hash: 6B411D39600611DFCB11DF55D544A5EBBE2EF99320B198888E84AAF372CB35FD40CB91

Function 0017D8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,00166D71,00000000,00000000,001682D9,?,001682D9,?,00000001,00166D71,8BE85006,00000001,001682D9,001682D9), ref: 0017D910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0017D999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0017D9AB
__freea.LIBCMT ref: 0017D9B4

Part of subcall function 00173820: RtlAllocateHeap.NTDLL(00000000,?,00211444,?,0015FDF5,?,?,0014A976,00000010,00211440,001413FC,?,001413C6,?,00141129), ref: 00173852

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 90ec978d2fc0f84f691a45b375e549cad0c8eb1893f52d9b885917cbb9c56784
Instruction ID: 717fb07c240f8cdacf47b091976436b71b0feff291d4613a4ab5b9803fe272da
Opcode Fuzzy Hash: 90ec978d2fc0f84f691a45b375e549cad0c8eb1893f52d9b885917cbb9c56784
Instruction Fuzzy Hash: F231CD72A0021AABDF259F64EC41EAE7BB5EF40314F158268FD08D7250EB35CD50CB90

Function 001D52C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 001D5352
GetWindowLongW.USER32(?,000000F0), ref: 001D5375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 001D5382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 001D53A8

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: 9601c154b3b1dfc2a8fdc9b8e0f832a4f2c82d3f7880e2dd8e31315c02ec4032
Instruction ID: ae25d632e8096a5f84f41101dc23acbaf8574e5271a1ba6bf53005bc88b44796
Opcode Fuzzy Hash: 9601c154b3b1dfc2a8fdc9b8e0f832a4f2c82d3f7880e2dd8e31315c02ec4032
Instruction Fuzzy Hash: 6631A034A56A08FFEB349E14CC46BE97767BB143D0F584103FA11963E1C7B4A990DB82

Function 001AAB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75A8C0D0,?,00008000), ref: 001AABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 001AAC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 001AAC74
SendInput.USER32(00000001,?,0000001C,75A8C0D0,?,00008000), ref: 001AACC6

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: b9afa054a639aade496884fe15731407f80baec0c532f73bf15424a2caca7cee
Instruction ID: 334beef9445980ec1954ea1bdd381796fecca5f3304c883953411ce4c7fc4b8b
Opcode Fuzzy Hash: b9afa054a639aade496884fe15731407f80baec0c532f73bf15424a2caca7cee
Instruction Fuzzy Hash: B1313934A007186FFF35CB648C087FA7BA6AF86330F84471AE481962D9C3759981C792

Function 001D7674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 001D769A
GetWindowRect.USER32(?,?), ref: 001D7710
PtInRect.USER32(?,?,001D8B89), ref: 001D7720
MessageBeep.USER32(00000000), ref: 001D778C

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: ad8e3b1d70c8430a9b236663aa9b8335aefa9cd8de7a28242f2882166640ae8f
Instruction ID: 1eeaf14b54c4e8e9a833c041d864844497d18a1ee3500814a5edf8f1795d6ff1
Opcode Fuzzy Hash: ad8e3b1d70c8430a9b236663aa9b8335aefa9cd8de7a28242f2882166640ae8f
Instruction Fuzzy Hash: C641BF38A09255DFCB01CF58D898EA977F4FF58310F1585AAE5249B3A1E730E941CF90

Function 001D16DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 001D16EB

Part of subcall function 001A3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 001A3A57
Part of subcall function 001A3A3D: GetCurrentThreadId.KERNEL32 ref: 001A3A5E
Part of subcall function 001A3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,001A25B3), ref: 001A3A65

GetCaretPos.USER32(?), ref: 001D16FF
ClientToScreen.USER32(00000000,?), ref: 001D174C
GetForegroundWindow.USER32 ref: 001D1752

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 6d4eaf41881ff02ebf0fe100d8779ed266834753e0243123e70b345b834c5b72
Instruction ID: b149354743e585cfd81a010cac04de2787e8d840bf2c9b14dee90c1b9fcc1647
Opcode Fuzzy Hash: 6d4eaf41881ff02ebf0fe100d8779ed266834753e0243123e70b345b834c5b72
Instruction Fuzzy Hash: 93317075D01249AFC700EFA9C881CEEBBF9EF59304B5080AAE415E7211D731DE45CBA0

Function 001AD4DC Relevance: 6.1, APIs: 4, Instructions: 86processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 001AD501
Process32FirstW.KERNEL32(00000000,?), ref: 001AD50F
Process32NextW.KERNEL32(00000000,?), ref: 001AD52F
CloseHandle.KERNEL32(00000000), ref: 001AD5DC

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 5df991f1c095349d6a1a7224ac38ba68656b2ee0cd076f6d6685bbf21aafd05e
Instruction ID: 38396b62cad367146a7ec13e9bd23a5c2b3ec33c5ff696117d39a27fb28a640e
Opcode Fuzzy Hash: 5df991f1c095349d6a1a7224ac38ba68656b2ee0cd076f6d6685bbf21aafd05e
Instruction Fuzzy Hash: CB31A4721083019FD301EF54D885AAFBBF8EFA9354F14092DF586861A2EB719949CB92

Function 001D8FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00159BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00159BB2

GetCursorPos.USER32(?), ref: 001D9001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00197711,?,?,?,?,?), ref: 001D9016
GetCursorPos.USER32(?), ref: 001D905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00197711,?,?,?), ref: 001D9094

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: c86bf970ccb812d098fa61fa7da794076ab099082cc9bf39025d528e09bc1f53
Instruction ID: ab969b958e063aed55e7c193c532e46b66267f7c0dc74ea114f5069e8e1d17d8
Opcode Fuzzy Hash: c86bf970ccb812d098fa61fa7da794076ab099082cc9bf39025d528e09bc1f53
Instruction Fuzzy Hash: FF21D131601018EFDB259F94EC58EFA3BB9EF49350F048156F9058B261C73599A0DBA0

Function 001AD2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,001DCB68), ref: 001AD2FB
GetLastError.KERNEL32 ref: 001AD30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 001AD319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,001DCB68), ref: 001AD376

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: a21036e8e5ffa5d1d2c2858a2b593536433f171c3284328963c794731703895d
Instruction ID: f4f5899e157f8388eedcfe4df49a5bd2898db71773b270453b86327aff61ea3d
Opcode Fuzzy Hash: a21036e8e5ffa5d1d2c2858a2b593536433f171c3284328963c794731703895d
Instruction Fuzzy Hash: 352183B45056029F8B10DF28D88146EB7E4FF57364F104A1EF4AAC76A1D731D945CB93

Function 001A1571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 001A1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 001A102A
Part of subcall function 001A1014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 001A1036
Part of subcall function 001A1014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 001A1045
Part of subcall function 001A1014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 001A104C
Part of subcall function 001A1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 001A1062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 001A15BE
_memcmp.LIBVCRUNTIME ref: 001A15E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 001A1617
HeapFree.KERNEL32(00000000), ref: 001A161E

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: e73d0edc1abb02aff5b3685989606b3e4486fb2f3b6ff4f868146043d3f52666
Instruction ID: 751d3f6e0f2b61ea8d284d40f47befb184b96ff40c752c06be381aa18f7933f6
Opcode Fuzzy Hash: e73d0edc1abb02aff5b3685989606b3e4486fb2f3b6ff4f868146043d3f52666
Instruction Fuzzy Hash: B0219A75E41209FFDF00DFA4C945BEEB7B8EF46354F088859E445AB241E770AA45CBA0

Function 001D2782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 001D280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 001D2824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 001D2832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 001D2840

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: f9ee01ae9cef3944731c2bc51e3b9a611440ecce98771a06badef998c2bf1cc9
Instruction ID: d3425d8cffbc1f823f49516f34f0a7029d180c42adf815a2eb072248c6c1f39d
Opcode Fuzzy Hash: f9ee01ae9cef3944731c2bc51e3b9a611440ecce98771a06badef998c2bf1cc9
Instruction Fuzzy Hash: 2421D331309111AFD7149B24D884FAA7B95EF65324F14825AF42A8B7E2C771FC82C7D0

Function 001A78F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 001A8D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,001A790A,?,000000FF,?,001A8754,00000000,?,0000001C,?,?), ref: 001A8D8C
Part of subcall function 001A8D7D: lstrcpyW.KERNEL32(00000000,?), ref: 001A8DB2
Part of subcall function 001A8D7D: lstrcmpiW.KERNEL32(00000000,?,001A790A,?,000000FF,?,001A8754,00000000,?,0000001C,?,?), ref: 001A8DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,001A8754,00000000,?,0000001C,?,?,00000000), ref: 001A7923
lstrcpyW.KERNEL32(00000000,?), ref: 001A7949
lstrcmpiW.KERNEL32(00000002,cdecl,?,001A8754,00000000,?,0000001C,?,?,00000000), ref: 001A7984

Strings

cdecl, xrefs: 001A797B

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 18503998cb4f82eb7b0eef11c55b39018cfdf543f6c33e1d0082e92a7b03dccf
Instruction ID: b0f9679e31fbcca8ab186aa5f9bb4ed07c34725ed0639469fe5b70be65eaa835
Opcode Fuzzy Hash: 18503998cb4f82eb7b0eef11c55b39018cfdf543f6c33e1d0082e92a7b03dccf
Instruction Fuzzy Hash: 3111063E201342ABCB156F34CC45D7B77A9FF56364B00402BF802CB2A4EB319911C791

Function 001D7CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 001D7D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 001D7D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 001D7D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,001BB7AD,00000000), ref: 001D7D6B

Part of subcall function 00159BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00159BB2

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: 11900efe9db4b3def96f16945884c72bf2194001b8e3ddd5c61b39aae5923443
Instruction ID: 1cebeb028cb2d20f904ccd307a7dcc3b6f961b68e805fa6901221500ed3726de
Opcode Fuzzy Hash: 11900efe9db4b3def96f16945884c72bf2194001b8e3ddd5c61b39aae5923443
Instruction Fuzzy Hash: 0F11D231215A55AFCF108F68DC04AA63BA6AF45370B118726F936C73F0E7308960CB80

Function 001D5660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 001D56BB
_wcslen.LIBCMT ref: 001D56CD
_wcslen.LIBCMT ref: 001D56D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 001D5816

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: 7a67e468f5b02eb0d94a754705ca2e393712d5410bccd5a856be6aedceef4dae
Instruction ID: 62e257a65f5c3aa068c61cd54e9b63701686403b82bc5f2afe58c233a2e42568
Opcode Fuzzy Hash: 7a67e468f5b02eb0d94a754705ca2e393712d5410bccd5a856be6aedceef4dae
Instruction Fuzzy Hash: 1B11D375A0161896DF209F65CC85AEE7BBCEF21764B10852BF915D6281EB70CA84CF60

Function 00171D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3ac2ae4b3b6b82b3c12aa5f92c335ca59c30ce3024449e8e6014d7d17ddbc3c
Instruction ID: ba98e09f2e28d49580b72e65bacdf8938a290fd3b300015f2a2be08796380ce2
Opcode Fuzzy Hash: e3ac2ae4b3b6b82b3c12aa5f92c335ca59c30ce3024449e8e6014d7d17ddbc3c
Instruction Fuzzy Hash: 7F01DFB220A6167EFA2126BCBCC5F67673CDF513B8F358326F528A21D2DB608C404560

Function 001A1A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 001A1A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 001A1A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 001A1A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 001A1A8A

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 101513a081d6ebab7764af8ea91754c1ce3ac3731eca1699b0581c54db4255cf
Instruction ID: 72a9af8f8fb1db717b0be27f620b0b4ae2b77884714e4b8448a25d522c4e2409
Opcode Fuzzy Hash: 101513a081d6ebab7764af8ea91754c1ce3ac3731eca1699b0581c54db4255cf
Instruction Fuzzy Hash: CE113C3AD01219FFEB10DBA4CD85FADBB79EB04750F200091E600B7290D7716E50DB94

Function 001AE1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 001AE1FD
MessageBoxW.USER32(?,?,?,?), ref: 001AE230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 001AE246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 001AE24D

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: d91e48f40ee49e88dbabf040b5bd7ec8589e9ae2d831e784cf3e43479b0db210
Instruction ID: 077a847b03c5dbc1467d8c7bf20598f3feb7611fb6913fc166ad25d6db3f0e53
Opcode Fuzzy Hash: d91e48f40ee49e88dbabf040b5bd7ec8589e9ae2d831e784cf3e43479b0db210
Instruction Fuzzy Hash: 48110876905259BBC7019FA8AC09BDE7FACEB46310F008656F925D3294D7708900C7A0

Function 0016D1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,0016CFF9,00000000,00000004,00000000), ref: 0016D218
GetLastError.KERNEL32 ref: 0016D224
__dosmaperr.LIBCMT ref: 0016D22B
ResumeThread.KERNEL32(00000000), ref: 0016D249

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: 34223a482e1388c2a064256b58349c974abcb1166992c9a4ccc6d1736af324d6
Instruction ID: 21cb7982f37cc88a7c2411b7896db8132233e347fafd999b75ea5992bd0df2ff
Opcode Fuzzy Hash: 34223a482e1388c2a064256b58349c974abcb1166992c9a4ccc6d1736af324d6
Instruction Fuzzy Hash: 4D01F536E06205BBCB115BA9EC09BAF7B69EF92330F11421DF925921D0CF71C961C6E0

Function 001D9EF3 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 00159BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00159BB2

GetClientRect.USER32(?,?), ref: 001D9F31
GetCursorPos.USER32(?), ref: 001D9F3B
ScreenToClient.USER32(?,?), ref: 001D9F46
DefDlgProcW.USER32(?,00000020,?,00000000,?,?,?), ref: 001D9F7A

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 1d5877f591bfa6d4d561cb13f6c2a5f89146c9dc187f416ca58c42558eaffea7
Instruction ID: 9771a7f58405ac20dc32a38e096eb1615acfb9ae66f690b938c8beaadab9a9c0
Opcode Fuzzy Hash: 1d5877f591bfa6d4d561cb13f6c2a5f89146c9dc187f416ca58c42558eaffea7
Instruction Fuzzy Hash: 16114532A0111AABDB10DFA8D8899EE7BB9FB05311F400952F911E7240D730BA91CBE1

Function 0014600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0014604C
GetStockObject.GDI32(00000011), ref: 00146060
SendMessageW.USER32(00000000,00000030,00000000), ref: 0014606A

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 2750fbe99486142f832b1a47af18c1e6f0f3e3a547ccec292ebd17dad5c640e8
Instruction ID: 7cad1087c4379e5f857ffa487a2a79b1fac1f05d4f21aa3206c8b460decf9cb2
Opcode Fuzzy Hash: 2750fbe99486142f832b1a47af18c1e6f0f3e3a547ccec292ebd17dad5c640e8
Instruction Fuzzy Hash: F3116172502509BFEF125F94DC44EEABB69EF19359F040216FA1452120D736DCA0DB91

Function 00163B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00163B56

Part of subcall function 00163AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00163AD2
Part of subcall function 00163AA3: ___AdjustPointer.LIBCMT ref: 00163AED

_UnwindNestedFrames.LIBCMT ref: 00163B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00163B7C
CallCatchBlock.LIBVCRUNTIME ref: 00163BA4

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: fd5582462925d18449fa0a7daaa8daf82291ba45aaa651b3f4888fe70ac4298f
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: EF010832100149BBDF126E95CC46EEB7F6EEFA9754F044018FE58A6121C732E971EBA0

Function 00173073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,001413C6,00000000,00000000,?,0017301A,001413C6,00000000,00000000,00000000,?,0017328B,00000006,FlsSetValue), ref: 001730A5
GetLastError.KERNEL32(?,0017301A,001413C6,00000000,00000000,00000000,?,0017328B,00000006,FlsSetValue,001E2290,FlsSetValue,00000000,00000364,?,00172E46), ref: 001730B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0017301A,001413C6,00000000,00000000,00000000,?,0017328B,00000006,FlsSetValue,001E2290,FlsSetValue,00000000), ref: 001730BF

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 4b22338b428c2f52aa2fe402a82fb1afbddfd39a22fb8cb037f13b248c2ac7e0
Instruction ID: da732492a210482fc94ce615119fa091c00f402b77a3fa111e55bbd8d14fb1b4
Opcode Fuzzy Hash: 4b22338b428c2f52aa2fe402a82fb1afbddfd39a22fb8cb037f13b248c2ac7e0
Instruction Fuzzy Hash: 3B012032353333ABCB314B789C4895777A8AF05761B118720F92DD7140DB21D981D6E0

Function 001A7464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 001A747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 001A7497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 001A74AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 001A74CA

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 58a4140ec6c088bfb7660f6d16dbb1320d5978e8fb013305239cb622cb75cc91
Instruction ID: d1af6292444f21981fc726b26f53bf7ed9ec2b12b1119876212313db93c82275
Opcode Fuzzy Hash: 58a4140ec6c088bfb7660f6d16dbb1320d5978e8fb013305239cb622cb75cc91
Instruction Fuzzy Hash: 9F11C4B920A3119FE7208F14DC08FD27FFCEB05B00F10896AA616D6591D770EA44DB90

Function 001AB0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,001AACD3,?,00008000), ref: 001AB0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,001AACD3,?,00008000), ref: 001AB0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,001AACD3,?,00008000), ref: 001AB0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,001AACD3,?,00008000), ref: 001AB126

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 8cc6f8a32ea1a7fde43f4d03b134c46c0efc883e69eae6f685cd22b98708fb6c
Instruction ID: 66d34676667986ddb3db1a4b3756674a44254dcb2f60ab69306639a72d3fb8f9
Opcode Fuzzy Hash: 8cc6f8a32ea1a7fde43f4d03b134c46c0efc883e69eae6f685cd22b98708fb6c
Instruction Fuzzy Hash: 2F116D75C0666DE7CF04AFE4E9A86EEBF78FF0A711F114496E941B2182CB305650CB91

Function 001D7E14 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 001D7E33
ScreenToClient.USER32(?,?), ref: 001D7E4B
ScreenToClient.USER32(?,?), ref: 001D7E6F
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 001D7E8A

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 89496995c04a76450006dec6781b54150f6ea08c8bad9f7beb64e212d26324dd
Instruction ID: e0029f3608a2b307712ad0b5df288ab7d06da03f4b99d04a0cce21c0928bc5ee
Opcode Fuzzy Hash: 89496995c04a76450006dec6781b54150f6ea08c8bad9f7beb64e212d26324dd
Instruction Fuzzy Hash: C11143B9D0124AAFDB41CF98C884AEEBBF5FB18310F505156E915E2610D735AA94CF90

Function 001A2DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 001A2DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 001A2DD6
GetCurrentThreadId.KERNEL32 ref: 001A2DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 001A2DE4

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: af17a1000fa4928e070a51ebfaec0bfcda257eba46847e18728ab2110589c627
Instruction ID: 70b927f17055e72d22d9d6b5e67bbde3eeafa786b2bfa4ae85d5fcf61f57a055
Opcode Fuzzy Hash: af17a1000fa4928e070a51ebfaec0bfcda257eba46847e18728ab2110589c627
Instruction Fuzzy Hash: ADE06D71103225BADB201BA69C0DEEB3F6CEF43BA1F000416F505D15819AA4C880C6F0

Function 001D8863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00159639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00159693
Part of subcall function 00159639: SelectObject.GDI32(?,00000000), ref: 001596A2
Part of subcall function 00159639: BeginPath.GDI32(?), ref: 001596B9
Part of subcall function 00159639: SelectObject.GDI32(?,00000000), ref: 001596E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 001D8887
LineTo.GDI32(?,?,?), ref: 001D8894
EndPath.GDI32(?), ref: 001D88A4
StrokePath.GDI32(?), ref: 001D88B2

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 5972598863771347024d7ecb5e83b5da2e19f153e91eedbd9d7645405c2582ab
Instruction ID: 9378d8a142e007910f83493a8c1b00e891066800d780456f1f2909d8200b8f03
Opcode Fuzzy Hash: 5972598863771347024d7ecb5e83b5da2e19f153e91eedbd9d7645405c2582ab
Instruction Fuzzy Hash: B4F03A3A046299FADB125F94AC0DFCA3B59AF16311F048002FA11651E1CB755561DFE5

Function 001598B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 001598CC
SetTextColor.GDI32(?,?), ref: 001598D6
SetBkMode.GDI32(?,00000001), ref: 001598E9
GetStockObject.GDI32(00000005), ref: 001598F1

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 3418e80532398347235d1ac238895dc4385aca7fbbc96b99a09d582552087ebb
Instruction ID: bd73a60f5cafb77630cdbaa122297ca273fc1f9e3a5397edc2a2b14d23a5b62c
Opcode Fuzzy Hash: 3418e80532398347235d1ac238895dc4385aca7fbbc96b99a09d582552087ebb
Instruction Fuzzy Hash: C8E06D31246291EAEF215B74BC0DBE83F21AB52336F04871AF6FA584E1C3714680DB11

Function 001A162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 001A1634
OpenThreadToken.ADVAPI32(00000000,?,?,?,001A11D9), ref: 001A163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,001A11D9), ref: 001A1648
OpenProcessToken.ADVAPI32(00000000,?,?,?,001A11D9), ref: 001A164F

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 66ad14f2796259376129af5997427e640f3aee19375349e381345db5394a2b72
Instruction ID: 03398e7d9fc27fdaf1273539c10448ca221e33a86297dbd0844ff1dad2326a1d
Opcode Fuzzy Hash: 66ad14f2796259376129af5997427e640f3aee19375349e381345db5394a2b72
Instruction Fuzzy Hash: 6BE08635603212EBD7201FF09E0DB473B7CAF557A1F144C09F245C9080D7744480C790

Function 0019D858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0019D858
GetDC.USER32(00000000), ref: 0019D862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0019D882
ReleaseDC.USER32(?), ref: 0019D8A3

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 2d7110bddd3612dbe3324d80481a8101e310fb9602983ec747d4b2b797cad437
Instruction ID: 440fbc9afcbe89b910fb8ee4d88f1fc10cf8eaeedc8292e3416fa4e7ea6b9ff9
Opcode Fuzzy Hash: 2d7110bddd3612dbe3324d80481a8101e310fb9602983ec747d4b2b797cad437
Instruction Fuzzy Hash: BAE01AB4802206DFCF419FA4D80866DBBB1FB08311F15880AF806E7750C7389985EF80

Function 0019D86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0019D86C
GetDC.USER32(00000000), ref: 0019D876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0019D882
ReleaseDC.USER32(?), ref: 0019D8A3

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: ec0e2d33c0415f80698f0f1a1646f5be5802a584069800bb54cc9b999dac4ddd
Instruction ID: fa30728835824eee6c17c608ebbdb1ac2f17e4b52fc3c376c1403429ec368ebd
Opcode Fuzzy Hash: ec0e2d33c0415f80698f0f1a1646f5be5802a584069800bb54cc9b999dac4ddd
Instruction Fuzzy Hash: 1FE01A74802201DFCB509FA4D80866DBBB1FB08311B14880AF806E7750C7389945DF80

Function 001B4D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00147620: _wcslen.LIBCMT ref: 00147625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 001B4ED4

Strings

LPT, xrefs: 001B4DFB
*, xrefs: 001B4E10

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: e218f149beb8e9e2de2eef5f5179ca8e9744791572ae37d255708fa810f4ac9c
Instruction ID: edf992a8f91b6359f39ecbf46afe38b3249f2554dbaac33e98868413c299c199
Opcode Fuzzy Hash: e218f149beb8e9e2de2eef5f5179ca8e9744791572ae37d255708fa810f4ac9c
Instruction Fuzzy Hash: 73914B75A002149FDB14DF58C484EAABBF1AF49304F19C09DE84A9F3A2D735EE85CB91

Function 0016E27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 0016E30D

Strings

pow, xrefs: 0016E2E5, 0016E302

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: e53fa85134740f383c9a41b6f870271c8ef5a8a431d35bfaa7107712ee169eec
Instruction ID: 2c9060c557a36ac11a8cea32a0421c579a67994569cd23ad372f1f13c60e4844
Opcode Fuzzy Hash: e53fa85134740f383c9a41b6f870271c8ef5a8a431d35bfaa7107712ee169eec
Instruction Fuzzy Hash: 1D518C65A0C20296CB297764CD513BD3BF8EB50740F30CA58E0D9863E8EF308CE59A86

Function 001C7771 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(0019569E,00000000,?,001DCC08,?,00000000,00000000), ref: 001C78DD

Part of subcall function 00146B57: _wcslen.LIBCMT ref: 00146B6A

CharUpperBuffW.USER32(0019569E,00000000,?,001DCC08,00000000,?,00000000,00000000), ref: 001C783B

Strings

<s , xrefs: 001C77C8

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: BuffCharUpper$_wcslen
String ID: <s
API String ID: 3544283678-3981233947
Opcode ID: 76f1896e9119716373f1102051bbf1ee39312fa555283f7fa9e469611556a05e
Instruction ID: 79dcd3f0ebccd62e6a4644d38705aea9e85817070d1dacfff80994505d432fe5
Opcode Fuzzy Hash: 76f1896e9119716373f1102051bbf1ee39312fa555283f7fa9e469611556a05e
Instruction Fuzzy Hash: E2612C72914219AACF04EFA4DC91EFDB378BF38704B444529E642A71A1EB749A05DBA0

Function 0015E187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 0015E1B1

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 42fade8ab753c932c0527542617677b1c3baca34b3a32f5e0a853e85b3ebeb6e
Instruction ID: 4fd751cba138a7330bc0acd0be9d1aa34a5b009be2be51fcd19d8e376f29c185
Opcode Fuzzy Hash: 42fade8ab753c932c0527542617677b1c3baca34b3a32f5e0a853e85b3ebeb6e
Instruction Fuzzy Hash: A051F175904246DFDF1DDFA8C481ABA7BE8EF25310F244055ECA19B2D0D7349E86CBA1

Function 0015F291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 0015F2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 0015F2BB

Strings

@, xrefs: 0015F2AF

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 863f091553ad633069fae15b091466f19517cfc7ddd43567f04c4c81fda5f47b
Instruction ID: 659161b1cd7652ae21756b8b40f7e5be5de4ae2daea8594422abecc8d1c7ea3f
Opcode Fuzzy Hash: 863f091553ad633069fae15b091466f19517cfc7ddd43567f04c4c81fda5f47b
Instruction Fuzzy Hash: 47515671409744ABD320AF54DC86BABBBF8FF95300F81884DF1D9421A5EB318569CB67

Function 001C5745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 001C57E0
_wcslen.LIBCMT ref: 001C57EC

Strings

CALLARGARRAY, xrefs: 001C57E6, 001C57EB

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: 29a1a13458e58e71fa29065ae49025f8b28515fc65b90e941f617da5ecd51446
Instruction ID: 379e4c822782dd35716905ba69c05f0e43dc12fd52167ab200217ec40317c00e
Opcode Fuzzy Hash: 29a1a13458e58e71fa29065ae49025f8b28515fc65b90e941f617da5ecd51446
Instruction Fuzzy Hash: 0E418E31E002099FCB14DFA9C885DAEBBB6EF69354F14406DF515AB291E730ED81CBA0

Function 001BD0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 001BD130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 001BD13A

Strings

|, xrefs: 001BD10B

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: 6fa9f0f0f6c970f267d9c186d920203ecd45f833ada8c66928e2d97ecb5aa5e8
Instruction ID: 6a7bd4e7d086c8662589adf74576558c44498e963331e79414c19ebbb02d119c
Opcode Fuzzy Hash: 6fa9f0f0f6c970f267d9c186d920203ecd45f833ada8c66928e2d97ecb5aa5e8
Instruction Fuzzy Hash: D1313C71D01219ABCF15EFA4DC85AEEBFB9FF19304F100059F815B6162EB31AA56CB60

Function 001D356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 001D3621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 001D365C

Strings

static, xrefs: 001D35BC

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: d7268bc74fdf09ec64ade0bc541aa612cdd53ebda98ab3001ee79a4ea8a7541c
Instruction ID: cb7f381069775604c49a01d96454f3bf01bb6bcfe29fa577e6d49c0204f64b55
Opcode Fuzzy Hash: d7268bc74fdf09ec64ade0bc541aa612cdd53ebda98ab3001ee79a4ea8a7541c
Instruction Fuzzy Hash: 3531BC71100204AEDB209F28DC80EFB73A9FF98760F00861AF8A597290DB31ED81D7A1

Function 001D4537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 001D461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 001D4634

Strings

', xrefs: 001D458E

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 38ea29b4d31ddc00a1ca803a8631c5d401984aeb55b878dc4379c2779c31fd6b
Instruction ID: aee73bf6bab2029c860e0b673304cc6a80c798a655c974afcac832b749f32750
Opcode Fuzzy Hash: 38ea29b4d31ddc00a1ca803a8631c5d401984aeb55b878dc4379c2779c31fd6b
Instruction Fuzzy Hash: EC312574A0130A9FDB14CFA9D981BDABBB6FF09300F10406AE905AB391D770E941CF90

Function 001D31EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 001D327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 001D3287

Strings

Combobox, xrefs: 001D3249

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 46d1c70c3a34c8c9a761fd1e470ec8220453c5e11ee4a8d1d421fa254d1a5b35
Instruction ID: a694430c8b82da6dbf0c2e29f4bb3b96782ac6010dd070609ad1bdd72f90dd8b
Opcode Fuzzy Hash: 46d1c70c3a34c8c9a761fd1e470ec8220453c5e11ee4a8d1d421fa254d1a5b35
Instruction Fuzzy Hash: 7011B271B002087FFF259E54DC85EFB3B6AEB943A4F10412AF92897390D7719D518761

Function 001D3710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 0014600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0014604C
Part of subcall function 0014600E: GetStockObject.GDI32(00000011), ref: 00146060
Part of subcall function 0014600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0014606A

GetWindowRect.USER32(00000000,?), ref: 001D377A
GetSysColor.USER32(00000012), ref: 001D3794

Strings

static, xrefs: 001D3757

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 579583ca90fb1c9dccc968f06c04f6ed08f0e3cc4c70fe6937f5eae64e466c4d
Instruction ID: 0a8c7f53e4ceb40714af694478847ac6d8098c6d7ee18f057249c2e47e2994a2
Opcode Fuzzy Hash: 579583ca90fb1c9dccc968f06c04f6ed08f0e3cc4c70fe6937f5eae64e466c4d
Instruction Fuzzy Hash: 2A113AB261060AAFDF01DFA8CC46EEA7BB8FB08354F014916F965E3250D735E851DB60

Function 001BCD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 001BCD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 001BCDA6

Strings

<local>, xrefs: 001BCD66

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: ae05a815d39d979dc19507aef3a3835fe3c05545b210632ede5ecdbd8f3d1944
Instruction ID: d8f93eabb95142019fd16a26bf92ec38239a1e359d82f522369b809bbd949d7d
Opcode Fuzzy Hash: ae05a815d39d979dc19507aef3a3835fe3c05545b210632ede5ecdbd8f3d1944
Instruction Fuzzy Hash: 9E11C279205632BAD7384BA6CC89FE7BEACEF527A4F40422AF14983080D7709840D6F0

Function 001D3429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 001D34AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 001D34BA

Strings

edit, xrefs: 001D348F

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 6fb16ae88c82e252dc0f7657912d5097931449a780b19e77422f509b5ae61877
Instruction ID: 1f1964c8c35dc84e7e6df508088c55b38d3552c03a3f9c4bf653667300c3e960
Opcode Fuzzy Hash: 6fb16ae88c82e252dc0f7657912d5097931449a780b19e77422f509b5ae61877
Instruction Fuzzy Hash: 69118F71101108AFEF124E68EC44AEB376AEB15378F504726F971932E0C779DC91D752

Function 001A6C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00149CB3: _wcslen.LIBCMT ref: 00149CBD

CharUpperBuffW.USER32(?,?,?), ref: 001A6CB6
_wcslen.LIBCMT ref: 001A6CC2

Strings

STOP, xrefs: 001A6CBC, 001A6CC1

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: 7ed3e84a33a13d059d72506ed13189488a9be8b49161f0dec706e7fe43d83e2b
Instruction ID: ac738b012c733a1938f1894a8e184de461aeac5aa144fce53687f49515b3278e
Opcode Fuzzy Hash: 7ed3e84a33a13d059d72506ed13189488a9be8b49161f0dec706e7fe43d83e2b
Instruction Fuzzy Hash: 230126366005278BCB209FFDDC808BF33B4EF727607050524E86297199EB31D900C650

Function 001A1CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00149CB3: _wcslen.LIBCMT ref: 00149CBD

Part of subcall function 001A3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 001A3CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 001A1D4C

Strings

ListBox, xrefs: 001A1D16
ComboBox, xrefs: 001A1CEB

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 7737cfed9cf24ef82dbdb7f1a10c8118d02a290c1e78511960970edcae39b15c
Instruction ID: b1cfe0503431d914be9cd3e93c9451e1fb0bb360e159163f17a2cb7b1ab2e503
Opcode Fuzzy Hash: 7737cfed9cf24ef82dbdb7f1a10c8118d02a290c1e78511960970edcae39b15c
Instruction Fuzzy Hash: 5001B579651229ABCB08EBA4DC559FF7768EB57350F040A1AB832572D2EB3059088660

Function 001A1BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00149CB3: _wcslen.LIBCMT ref: 00149CBD

Part of subcall function 001A3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 001A3CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 001A1C46

Strings

ListBox, xrefs: 001A1C10
ComboBox, xrefs: 001A1BE5

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 4c4863927ae73134d95519e7f1db3e04e720c47301d38017e8de8e2204d50f66
Instruction ID: b3bf7d1e7e98e051b8a3d97d8da8d148f036717e3793c4cc7e78043f45ec7c27
Opcode Fuzzy Hash: 4c4863927ae73134d95519e7f1db3e04e720c47301d38017e8de8e2204d50f66
Instruction Fuzzy Hash: BE01A779AC121976CB08EBA0DD51AFF77A89F23350F14001AB416672D6EB209F18D6B1

Function 001A1C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00149CB3: _wcslen.LIBCMT ref: 00149CBD

Part of subcall function 001A3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 001A3CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 001A1CC8

Strings

ListBox, xrefs: 001A1C94
ComboBox, xrefs: 001A1C69

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: c58e04c8991655d75becd37b50de53faddc0ebd18ff3f7e614bdabd484760aba
Instruction ID: dd82e784be399194cb3ef58569e3fe09b4cb99fd543f99689da3b8eb43771f62
Opcode Fuzzy Hash: c58e04c8991655d75becd37b50de53faddc0ebd18ff3f7e614bdabd484760aba
Instruction Fuzzy Hash: 6F01D679A8122977CF04EBA4DE41AFF77A89B23350F540016B80277296EB209F18D6B1

Function 001A1D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00149CB3: _wcslen.LIBCMT ref: 00149CBD

Part of subcall function 001A3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 001A3CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 001A1DD3

Strings

ListBox, xrefs: 001A1DA0
ComboBox, xrefs: 001A1D75

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 0c175d6ea66739bf9209a973b4af0eb30753b9d329baaf90ba69f0ab50a3c08b
Instruction ID: 97fe115999870f4793239cf6e6f1c3195fb1748a057a8c9ea3247eef8b90e5b0
Opcode Fuzzy Hash: 0c175d6ea66739bf9209a973b4af0eb30753b9d329baaf90ba69f0ab50a3c08b
Instruction Fuzzy Hash: 38F02879B4122976DB08F7E4DC96FFF7778AF13350F040915B822672D2DB60590C86A0

Function 001D8172 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00213018,0021305C), ref: 001D81BF
CloseHandle.KERNEL32 ref: 001D81D1

Strings

\0!, xrefs: 001D818A

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: \0!
API String ID: 3712363035-164112491
Opcode ID: e74e039740a4d91f20489b1c354c304c66225294e0d22c71fb63f5188a3d9d27
Instruction ID: 9df83eb801d096974f8937d6466b1690e5375bb548a1a16386e61746f3f64d2b
Opcode Fuzzy Hash: e74e039740a4d91f20489b1c354c304c66225294e0d22c71fb63f5188a3d9d27
Instruction Fuzzy Hash: 1FF05EB2641300BEE620AB65AC49FF73ADDEB2C750F004421FB08D51A2DB758B5082F8

Function 001C747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 001C7493
_wcslen.LIBCMT ref: 001C74B9

Strings

3, 3, 16, 1, xrefs: 001C7483

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: 9219cbad763a18f53fe582cf218f58476ee704bff2619c29a94df3e727192d1f
Instruction ID: 31c8778d193ad774edceb5731ac2ba9c7f57cf9144b20c706d7cbf611cdeb6df
Opcode Fuzzy Hash: 9219cbad763a18f53fe582cf218f58476ee704bff2619c29a94df3e727192d1f
Instruction Fuzzy Hash: 27E02B0265472011A33512799CC1F7F568ADFF9750710182FF981C22E6EBD4CDA193A0

Function 001A0B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 001A0B23

Strings

AutoIt, xrefs: 001A0B17
Error allocating memory., xrefs: 001A0B1C

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: e8c41bb93344f4fbbe0e14a6e4f84f2e1b662241b1181c2f56b7ad45ae28b274
Instruction ID: 195a88de5975f8624879f2c016e132932459fc7a95a19e04891a9686813ee987
Opcode Fuzzy Hash: e8c41bb93344f4fbbe0e14a6e4f84f2e1b662241b1181c2f56b7ad45ae28b274
Instruction Fuzzy Hash: 02E0D83124531966D2143794BC03FC97B848F16B25F10082BFB58595C38BD224A086E9

Function 00160D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0015F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00160D71,?,?,?,0014100A), ref: 0015F7CE

IsDebuggerPresent.KERNEL32(?,?,?,0014100A), ref: 00160D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0014100A), ref: 00160D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00160D7F

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: 78630259d3aad55394a1a5f2f66189c708c4b3af4a89876acaf4adf546276de6
Instruction ID: 8b0d07bfc05fd925af3341857fdefebf93bd8972346b0c49060d384bd9a36091
Opcode Fuzzy Hash: 78630259d3aad55394a1a5f2f66189c708c4b3af4a89876acaf4adf546276de6
Instruction Fuzzy Hash: DAE06D742013018BD3219FB8E908342BBE5AB18745F018A2EE496C6B55DBB0E585CB91

Function 0015E398 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0015E3D5

Strings

8%!, xrefs: 0015E3CA
0%!, xrefs: 0015E3B5

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: 0%!$8%!
API String ID: 1385522511-1065198821
Opcode ID: 837148ef5c32b636cf358924d3da68580e2fa536bc2938f4ddbf88812af61c96
Instruction ID: c3f22c9e5228aa34614b65f391388ad547562bd53b1df859a7a6ad4caa45320a
Opcode Fuzzy Hash: 837148ef5c32b636cf358924d3da68580e2fa536bc2938f4ddbf88812af61c96
Instruction Fuzzy Hash: 24E02631C10910EBCA0D971CFBE8ACA33D7BB39321B904168F8228F1D1DF7029AD8644

Function 001B3017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 001B302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 001B3044

Strings

aut, xrefs: 001B3038

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: d8b45ffe04d28ffa3b87e8a504a23131f6e6b4ab44c5777c589b08136eef225f
Instruction ID: 099ac8ea2b148826340cfc260353ff582d930e8149904b942d67048d3a9c6c08
Opcode Fuzzy Hash: d8b45ffe04d28ffa3b87e8a504a23131f6e6b4ab44c5777c589b08136eef225f
Instruction Fuzzy Hash: CBD05B7150131467DB20A7949C0DFC77B7CD705750F000652B655D24D1DAB09584CAD0

Function 0019D21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 0019D220

Strings

%.3d, xrefs: 0019D22B
X64, xrefs: 0019D2A8

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: 60798cbe7507f406b0a734a7a3379160fa831d857a87def05267856782d29101
Instruction ID: 638605dd74c88080b8afcde245ab66bbefd96b768a5aed5b859270ef346d07ff
Opcode Fuzzy Hash: 60798cbe7507f406b0a734a7a3379160fa831d857a87def05267856782d29101
Instruction Fuzzy Hash: 09D01275C09109E9CF5897D0EC458BAB37CAB18341F518452FC1691080D724D548A761

Function 001D2322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 001D232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 001D233F

Part of subcall function 001AE97B: Sleep.KERNELBASE ref: 001AE9F3

Strings

Shell_TrayWnd, xrefs: 001D2325

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: a3d713ad2416e6088185b7a0b85de1db84bd8b17a13f7fb7ac4de66f16c9f6ec
Instruction ID: 1f5c3b3dfcdc74140179a91cb3c60adf7f460ca5ea7da740c5ba58013d3e8876
Opcode Fuzzy Hash: a3d713ad2416e6088185b7a0b85de1db84bd8b17a13f7fb7ac4de66f16c9f6ec
Instruction Fuzzy Hash: 41D0C9363D6311B6EA64A770AC4FFC6BA589B11B14F004916B645AA1E1CAA0A851CA94

Function 001D2356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 001D236C
PostMessageW.USER32(00000000), ref: 001D2373

Part of subcall function 001AE97B: Sleep.KERNELBASE ref: 001AE9F3

Strings

Shell_TrayWnd, xrefs: 001D2365

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: fa7341c9bf3ecd2e8f26ade6ebde91dfe806cce37d1d9f3c11d35c5eb3fc3031
Instruction ID: 494339cda6569f6227e580b88a0df4951fc2fbf3fb72253d93059f796da22e0a
Opcode Fuzzy Hash: fa7341c9bf3ecd2e8f26ade6ebde91dfe806cce37d1d9f3c11d35c5eb3fc3031
Instruction Fuzzy Hash: 9FD0C9363D23117AEA64A770AC4FFC6B6589B15B14F004916B645AA1E1CAA0A851CA94

Function 0017BDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 0017BE93
GetLastError.KERNEL32 ref: 0017BEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0017BEFC

Memory Dump Source

Source File: 00000000.00000002.3263224332.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true

Associated: 00000000.00000002.3263201239.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.00000000001DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263320813.0000000000202000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263386538.000000000020C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3263408120.0000000000214000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 303318cdbe2b66eec5155b8228fe0044c01345c334aa273f5cea6e0204a6ec36
Instruction ID: 2a964ca765100fa3481da81c94e315e0c6f2429af5da7a98ae48f07d58b389e9
Opcode Fuzzy Hash: 303318cdbe2b66eec5155b8228fe0044c01345c334aa273f5cea6e0204a6ec36
Instruction Fuzzy Hash: 9241F535609216AFCF258F64CCD4BBA7BB4EF45B20F25816AF95D972A1DB308C01CB60

Source: Joe Sandbox View	IP Address: 23.200.0.42 23.200.0.42
Source: Joe Sandbox View	IP Address: 13.107.246.60 13.107.246.60
Source: Joe Sandbox View	IP Address: 162.159.61.3 162.159.61.3
Source: Joe Sandbox View	IP Address: 239.255.255.250 239.255.255.250

Source: Joe Sandbox View	JA3 fingerprint: 1138de370e523e824bbca92d049a3777
Source: Joe Sandbox View	JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Source: Joe Sandbox View	JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.73
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.73
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.73
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.73
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.73
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.73
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.73
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.73
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.73
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.73
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.73
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.73
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.73
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.73
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.73
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.73
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.73
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.73
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.73
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.73
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.73
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.73
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.73
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.73
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.73
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.73
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.73
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.73
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.73
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.73
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.73
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.73
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.73
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.73
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.73
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.73
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.73
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.73
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.73
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.73
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.73
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.73
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.73
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.73
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.73
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.73
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.73

Source: global traffic	HTTP traffic detected: GET /assets/domains_config_gz/2.8.76/asset?assetgroup=EntityExtractionDomainsConfig HTTP/1.1Host: edgeassetservice.azureedge.netConnection: keep-aliveEdge-Asset-Group: EntityExtractionDomainsConfigSec-Mesh-Client-Edge-Version: 117.0.2045.47Sec-Mesh-Client-Edge-Channel: stableSec-Mesh-Client-OS: WindowsSec-Mesh-Client-OS-Version: 10.0.19045Sec-Mesh-Client-Arch: x86_64Sec-Mesh-Client-WebView: 0Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /assets/arbitration_priority_list/4.0.5/asset?assetgroup=ArbitrationService HTTP/1.1Host: edgeassetservice.azureedge.netConnection: keep-aliveEdge-Asset-Group: ArbitrationServiceSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: /Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: www.google.comConnection: keep-alivesec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47sec-ch-ua-arch: "x86"sec-ch-ua-full-version: "117.0.2045.47"sec-ch-ua-platform-version: "10.0.0"sec-ch-ua-full-version-list: "Microsoft Edge";v="117.0.2045.47", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-ua-wow64: ?0sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://accounts.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=afZbmkM1trbov72&MD=fEzD+wNS HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=afZbmkM1trbov72&MD=fEzD+wNS HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com

Source: global traffic	DNS traffic detected: DNS query: bzib.nelreports.net
Source: global traffic	DNS traffic detected: DNS query: chrome.cloudflare-dns.com

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\08473ab5-7d11-47b0-b8eb-eb4a8fe28ad8.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\0b015a5a-2a37-46e1-b868-16ded29eb6a9.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\19ab92a7-1013-420a-8120-53b21d3fc5d7.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\321cbfa8-7fd2-4654-a7b7-2bad120c002e.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\4b64e0dd-f8b9-463a-ad4a-68256b99e15f.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\4dc10f84-4ab9-4a97-b6ae-0f84277282a3.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\66990a7d-ec61-402e-9afb-1b046817cb50.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\93acff2e-fdba-4895-9e3c-6b9bc0c494a6.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Ad Blocking\098adde5-440e-4ee2-9e71-aaee8c7c95ab.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Ad Blocking\blocklist (copy)

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\BrowserMetrics-spare.pma (copy)

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\BrowserMetrics-spare.pma.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\BrowserMetrics\BrowserMetrics-66D840B4-10D4.pma

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\BrowserMetrics\BrowserMetrics-66D840B4-B0C.pma

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\settings.dat

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Crashpad\throttle_store.dat

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\005a8f30-04f6-4de5-9ab3-757abe166b18.tmp

C:\Users\user\AppData\Local\Microsoft\Edge\User Data Kiosk\Default\27527af2-e863-4913-81fc-737b4acd3dea.tmp

Windows Analysis Report
file.exe

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre