Edit tour

Windows Analysis Report
pdfguruhub.msi

Overview

General Information

Sample name:	pdfguruhub.msi
Analysis ID:	1554678
MD5:	64a47700c3c27341180fc7dc08704210
SHA1:	30c46e57d9e08a1dace0c66ff8a8549cf8dd7b98
SHA256:	4c35ada0a8c91af2a483a077d3bda707c208d942f0f2e8ec601bd663d2c8aebf
Infos:

Detection

Score:	52
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Creates multiple autostart registry keys

Drops executables to the windows directory (C:\Windows) and starts them

Tries to harvest and steal browser information (history, passwords, etc)

Adds / modifies Windows certificates

Checks for available system drives (often done to infect USB drives)

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to launch a program with higher privileges

Contains functionality to query locales information (e.g. system language)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Deletes files inside the Windows folder

Detected potential crypto function

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Drops files with a non-matching file extension (content does not match file extension)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain (date check)

Found evasive API chain checking for process token information

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Modifies existing windows services

PE file contains executable resources (Code or Archives)

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries keyboard layouts

Queries the volume information (name, serial number etc) of a device

Sigma detected: CurrentVersion Autorun Keys Modification

Stores large binary data to the registry

Too many similar processes found

Tries to disable installed Antivirus / HIPS / PFW

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Process Tree

System is w10x64native

msiexec.exe (PID: 1556 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\pdfguruhub.msi" MD5: E5DA170027542E25EDE42FC54C929077)

msiexec.exe (PID: 2436 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)

msiexec.exe (PID: 3496 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding C3CA336A363785E4E24BD9D249C0F3D4 C MD5: 9D09DC1EDA745A5F87553048E57620CF)

msiexec.exe (PID: 4376 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 692043C63919A00C951313FE0ECB70AA MD5: 9D09DC1EDA745A5F87553048E57620CF)

onestart_installer.exe (PID: 8348 cmdline: "C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\onestart_installer.exe" "install" "15" "2" "1" "1" MD5: D8B0C9FE7DC26581D1E8DA64D648E0AC)

setup.exe (PID: 8412 cmdline: "C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe" --install-archive="C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\ONESTART.PACKED.7Z" "install" "15" "2" "1" "1" MD5: 40645767C9F2306C3CB537E558C38229)

setup.exe (PID: 8432 cmdline: "C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=OneStart --annotation=ver=128.0.6613.124 --initial-client-data=0x25c,0x260,0x264,0x238,0x268,0x7ff6c92f6a70,0x7ff6c92f6a7c,0x7ff6c92f6a88 MD5: 40645767C9F2306C3CB537E558C38229)

setup.exe (PID: 8628 cmdline: "C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe" --verbose-logging --create-shortcuts=0 --install-level=0 MD5: 40645767C9F2306C3CB537E558C38229)

setup.exe (PID: 8648 cmdline: "C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=OneStart --annotation=ver=128.0.6613.124 --initial-client-data=0x25c,0x260,0x264,0x238,0x268,0x7ff6c92f6a70,0x7ff6c92f6a7c,0x7ff6c92f6a88 MD5: 40645767C9F2306C3CB537E558C38229)

onestart.exe (PID: 8756 cmdline: "C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe" --from-installer MD5: C49C399B9224AD9391CB801040527F88)

onestart.exe (PID: 8780 cmdline: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe --type=crashpad-handler "--user-data-dir=C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data" /prefetch:4 --monitor-self --monitor-self-argument=--type=crashpad-handler "--monitor-self-argument=--user-data-dir=C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data" --monitor-self-argument=/prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=OneStart --annotation=ver=128.0.6613.124 --initial-client-data=0xf0,0xf4,0xf8,0xcc,0xfc,0x7ff871a45c28,0x7ff871a45c34,0x7ff871a45c40 MD5: C49C399B9224AD9391CB801040527F88)

onestart.exe (PID: 8808 cmdline: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe --type=crashpad-handler "--user-data-dir=C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data" /prefetch:4 --no-periodic-tasks --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=OneStart --annotation=ver=128.0.6613.124 --initial-client-data=0x160,0x164,0x168,0x134,0x170,0x7ff637fa1ef8,0x7ff637fa1f04,0x7ff637fa1f10 MD5: C49C399B9224AD9391CB801040527F88)

onestart.exe (PID: 9072 cmdline: "C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe" --type=gpu-process --start-stack-profiler --gpu-preferences=UAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1964,i,18227219205394913117,15046175457726889787,262144 --variations-seed-version --mojo-platform-channel-handle=1960 /prefetch:2 MD5: C49C399B9224AD9391CB801040527F88)

onestart.exe (PID: 9140 cmdline: "C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --start-stack-profiler --field-trial-handle=2156,i,18227219205394913117,15046175457726889787,262144 --variations-seed-version --mojo-platform-channel-handle=2196 /prefetch:3 MD5: C49C399B9224AD9391CB801040527F88)

onestart.exe (PID: 4540 cmdline: "C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --field-trial-handle=2372,i,18227219205394913117,15046175457726889787,262144 --variations-seed-version --mojo-platform-channel-handle=2340 /prefetch:8 MD5: C49C399B9224AD9391CB801040527F88)

onestart.exe (PID: 3236 cmdline: "C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe" --type=utility --utility-sub-type=chrome.mojom.ProfileImport --lang=en-US --service-sandbox-type=none --field-trial-handle=3736,i,18227219205394913117,15046175457726889787,262144 --variations-seed-version --mojo-platform-channel-handle=3748 /prefetch:8 MD5: C49C399B9224AD9391CB801040527F88)

cmd.exe (PID: 6140 cmdline: C:\Windows\System32\cmd.exe /c ""%LOCALAPPDATA%\OneStart.ai\OneStart\Application\onestart.exe" --update" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

onestart.exe (PID: 5640 cmdline: "C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe" --update MD5: C49C399B9224AD9391CB801040527F88)

explorer.exe (PID: 5072 cmdline: C:\Windows\Explorer.EXE MD5: 5EA66FF5AE5612F921BC9DA23BAC95F7)

onestart.exe (PID: 5088 cmdline: "C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe" --type=renderer --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --time-ticks-at-unix-epoch=-1731434441047775 --launch-time-ticks=1758530130 --field-trial-handle=4236,i,18227219205394913117,15046175457726889787,262144 --variations-seed-version --mojo-platform-channel-handle=4244 /prefetch:1 MD5: C49C399B9224AD9391CB801040527F88)

onestart.exe (PID: 6316 cmdline: "C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe" --type=renderer --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --time-ticks-at-unix-epoch=-1731434441047775 --launch-time-ticks=1758989874 --field-trial-handle=4276,i,18227219205394913117,15046175457726889787,262144 --variations-seed-version --mojo-platform-channel-handle=4500 /prefetch:1 MD5: C49C399B9224AD9391CB801040527F88)

onestart.exe (PID: 1504 cmdline: "C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=4484,i,18227219205394913117,15046175457726889787,262144 --variations-seed-version --mojo-platform-channel-handle=4216 /prefetch:8 MD5: C49C399B9224AD9391CB801040527F88)

onestart.exe (PID: 6188 cmdline: "C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=4804,i,18227219205394913117,15046175457726889787,262144 --variations-seed-version --mojo-platform-channel-handle=4988 /prefetch:8 MD5: C49C399B9224AD9391CB801040527F88)

onestart.exe (PID: 5008 cmdline: "C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe" --type=renderer --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --time-ticks-at-unix-epoch=-1731434441047775 --launch-time-ticks=1763197266 --field-trial-handle=5260,i,18227219205394913117,15046175457726889787,262144 --variations-seed-version --mojo-platform-channel-handle=3724 /prefetch:1 MD5: C49C399B9224AD9391CB801040527F88)

onestart.exe (PID: 616 cmdline: "C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=5268,i,18227219205394913117,15046175457726889787,262144 --variations-seed-version --mojo-platform-channel-handle=5256 /prefetch:8 MD5: C49C399B9224AD9391CB801040527F88)

onestart.exe (PID: 5212 cmdline: "C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --field-trial-handle=5000,i,18227219205394913117,15046175457726889787,262144 --variations-seed-version --mojo-platform-channel-handle=5552 /prefetch:8 MD5: C49C399B9224AD9391CB801040527F88)

onestart.exe (PID: 1676 cmdline: "C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=5248,i,18227219205394913117,15046175457726889787,262144 --variations-seed-version --mojo-platform-channel-handle=5296 /prefetch:8 MD5: C49C399B9224AD9391CB801040527F88)

onestart.exe (PID: 7340 cmdline: "C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=5712,i,18227219205394913117,15046175457726889787,262144 --variations-seed-version --mojo-platform-channel-handle=5616 /prefetch:8 MD5: C49C399B9224AD9391CB801040527F88)

onestart.exe (PID: 1172 cmdline: "C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=4460,i,18227219205394913117,15046175457726889787,262144 --variations-seed-version --mojo-platform-channel-handle=5544 /prefetch:8 MD5: C49C399B9224AD9391CB801040527F88)

onestart.exe (PID: 7372 cmdline: "C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=5576,i,18227219205394913117,15046175457726889787,262144 --variations-seed-version --mojo-platform-channel-handle=5304 /prefetch:8 MD5: C49C399B9224AD9391CB801040527F88)

MSIBD59.tmp (PID: 9164 cmdline: "C:\Windows\Installer\MSIBD59.tmp" /HideWindow cmd.exe /c "rmdir /s /q "C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\"" MD5: 7BCF2ADE3295007EDB215B4EDD316B99)

notification_helper.exe (PID: 8552 cmdline: "C:\Program Files\Google\Chrome\Application\128.0.6613.120\notification_helper.exe" -Embedding MD5: 6DEC68B6FD984A4CE3B82BE995745EA1)

chrome.exe (PID: 8572 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\user\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\user\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\user\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=128.0.6613.120 --initial-client-data=0x1c0,0x1c4,0x1c8,0x19c,0x1cc,0x7ff67c59e638,0x7ff67c59e644,0x7ff67c59e650 MD5: BB7C48CDDDE076E7EB44022520F40F77)

cmd.exe (PID: 3212 cmdline: "C:\Windows\System32\cmd.exe" /c "rmdir /s /q "C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7712 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 828 cmdline: cmd.exe /C "START /MIN /D "C:\Windows\system32\config\systemprofile\AppData\Local\OneStart.ai\OneStart\Application" onestart.exe --existing-window" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 5920 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

onestart.exe (PID: 6420 cmdline: "C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe" --existing-window MD5: C49C399B9224AD9391CB801040527F88)

onestart.exe (PID: 6744 cmdline: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe --type=crashpad-handler "--user-data-dir=C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=OneStart --annotation=ver=128.0.6613.124 --initial-client-data=0xf0,0xf4,0xf8,0xcc,0xfc,0x7ff871a45c28,0x7ff871a45c34,0x7ff871a45c40 MD5: C49C399B9224AD9391CB801040527F88)

cmd.exe (PID: 5796 cmdline: "C:\Windows\SysWOW64\cmd.exe" /c MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6416 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cleanup

Sigma Signatures

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: "C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe" --existing-window, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe, ProcessId: 8756, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneStartChromium

Sigma detected: Local Accounts Discovery

Source: Process started

Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community: Data: Command: "C:\Windows\System32\cmd.exe" /c "rmdir /s /q "C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\"", CommandLine: "C:\Windows\System32\cmd.exe" /c "rmdir /s /q "C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\"", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 5072, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c "rmdir /s /q "C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\"", ProcessId: 3212, ProcessName: cmd.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source: onestart_installer.exe, 00000007.00000000.17174527736.00007FF6A92E8000.00000002.00000001.01000000.00000004.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_b0cc91d8-1

Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Directory created: C:\Program Files\chromium_installer.log	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Directory created: C:\Program Files\scoped_dir8756_2073239630	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Directory created: C:\Program Files\chrome_url_fetcher_8756_1964319343	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Directory created: C:\Program Files\chrome_url_fetcher_8756_811520105	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Directory created: C:\Program Files\chrome_url_fetcher_8756_811520105\oimompecagnajdejgnnjijobebaeigek_4.10.2830.0_win64_dldxogwi36sxwpr57ta4lg57z4.crx3	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Directory created: C:\Program Files\chrome_Unpacker_BeginUnzipping8756_1450361068	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Directory created: C:\Program Files\chrome_Unpacker_BeginUnzipping8756_1450361068\_platform_specific\	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Directory created: C:\Program Files\chrome_Unpacker_BeginUnzipping8756_1450361068\_platform_specific\win_x64\	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Directory created: C:\Program Files\chrome_Unpacker_BeginUnzipping8756_1450361068\_platform_specific\win_x64\widevinecdm.dll.sig	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Directory created: C:\Program Files\chrome_Unpacker_BeginUnzipping8756_1450361068\_platform_specific\win_x64\widevinecdm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Directory created: C:\Program Files\chrome_Unpacker_BeginUnzipping8756_1450361068\LICENSE	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Directory created: C:\Program Files\chrome_Unpacker_BeginUnzipping8756_1450361068\manifest.json	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Directory created: C:\Program Files\chrome_Unpacker_BeginUnzipping8756_1450361068\_metadata\	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Directory created: C:\Program Files\chrome_Unpacker_BeginUnzipping8756_1450361068\_metadata\verified_contents.json	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Directory created: C:\Program Files\chrome_Unpacker_BeginUnzipping8756_1450361068\manifest.fingerprint	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Directory created: C:\Program Files\scoped_dir8756_234605702	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Directory created: C:\Program Files\chrome_BITS_8756_835338025	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Directory created: C:\Program Files\scoped_dir3236_1079717512
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Directory created: C:\Program Files\scoped_dir3236_1079717512\History
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Directory created: C:\Program Files\scoped_dir3236_1079717512\Favicons

Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe

Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\OneStart.ai OneStart

Jump to behavior

Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe

File created: C:\Program Files\chromium_installer.log

Jump to behavior

Source:	Binary string: .pdb> source: onestart.exe, 0000001D.00000002.17597063172.00003EC800048000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: .pdbb> source: onestart.exe, 0000001D.00000002.17597063172.00003EC800048000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Documents\chromium-browser-scripts\src\out\Release\chrome_proxy.exe.pdb source: setup.exe, 00000008.00000003.17528167852.000002A1DE87A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\viewer.pdbD source: MSIBD59.tmp, 00000014.00000002.17563763650.00000000009CF000.00000002.00000001.01000000.00000010.sdmp, MSIBD59.tmp, 00000014.00000000.17552715363.00000000009CF000.00000002.00000001.01000000.00000010.sdmp
Source:	Binary string: C:\Users\user\Documents\chromium-browser-scripts\src\out\Release\chrome_elf.dll.pdb source: onestart.exe, 0000001C.00000002.17608870967.00007FF871A05000.00000002.00000001.01000000.00000008.sdmp
Source:	Binary string: >hrome.dll.pdb> source: onestart.exe, 0000001D.00000002.17597805148.00003EC800070000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ti.pdbbndow> source: onestart.exe, 0000001D.00000002.17598235094.00003EC800090000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdb source: onestart.exe, 0000001D.00000002.17599143294.00003EC8000CC000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: se.pdb> source: onestart.exe, 0000001D.00000002.17597063172.00003EC800048000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Documents\chromium-browser-scripts\src\out\Release\mini_installer.exe.pdb source: onestart_installer.exe, 00000007.00000000.17174527736.00007FF6A92E8000.00000002.00000001.01000000.00000004.sdmp, onestart_installer.exe, 00000007.00000002.17538917328.00007FF6A92E8000.00000002.00000001.01000000.00000004.sdmp
Source:	Binary string: xe.pdb> source: onestart.exe, 0000001D.00000002.17597063172.00003EC800048000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Documents\chromium-browser-scripts\src\out\Release\setup.exe.pdb source: setup.exe, 00000008.00000000.17262676737.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmp, setup.exe, 00000008.00000002.17533880137.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmp, setup.exe, 00000009.00000002.17536290510.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmp, setup.exe, 00000009.00000000.17263931920.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmp, setup.exe, 0000000C.00000002.17527361484.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmp, setup.exe, 0000000C.00000000.17520130297.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmp, setup.exe, 0000000D.00000002.17529835252.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmp, setup.exe, 0000000D.00000000.17521585969.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmp
Source:	Binary string: ll.pdb> source: onestart.exe, 0000001D.00000002.17597063172.00003EC800048000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Documents\chromium-browser-scripts\src\out\Release\initialexe\chrome.exe.pdb source: setup.exe, 00000008.00000003.17513855538.000002A1DE824000.00000004.00000020.00020000.00000000.sdmp, onestart.exe, 0000000F.00000000.17529224837.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp, onestart.exe, 00000010.00000000.17530866871.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp, onestart.exe, 00000011.00000000.17532602492.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp, onestart.exe, 00000012.00000000.17545701873.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp, onestart.exe, 00000013.00000000.17550906960.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp, onestart.exe, 00000015.00000000.17557027141.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp, onestart.exe, 00000018.00000000.17565578072.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp, onestart.exe, 00000018.00000002.17584352488.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp, onestart.exe, 0000001C.00000000.17579086367.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp, onestart.exe, 0000001C.00000002.17606273532.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp, onestart.exe, 0000001D.00000002.17602603849.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp, onestart.exe, 0000001D.00000000.17580243797.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp, onestart.exe, 0000001F.00000000.17585188024.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp, onestart.exe, 00000022.00000000.17587103109.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp, onestart.exe, 00000023.00000000.17593602021.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp, onestart.exe, 00000024.00000002.17630340443.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp, onestart.exe, 00000024.00000000.17599688606.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp
Source:	Binary string: ome.dll.pdb source: onestart.exe, 0000001D.00000002.17597805148.00003EC800070000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\viewer.pdb source: MSIBD59.tmp, 00000014.00000002.17563763650.00000000009CF000.00000002.00000001.01000000.00000010.sdmp, MSIBD59.tmp, 00000014.00000000.17552715363.00000000009CF000.00000002.00000001.01000000.00000010.sdmp

Source: C:\Windows\System32\msiexec.exe	File opened: z:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: x:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: v:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: t:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: r:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: p:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: n:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: l:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: j:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: h:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: f:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: d:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: b:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: y:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: w:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: u:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: s:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: q:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: o:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: m:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: k:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: i:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: g:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: e:	Jump to behavior
Source: C:\Windows\explorer.exe	File opened: c:
Source: C:\Windows\System32\msiexec.exe	File opened: a:	Jump to behavior

Source: C:\Windows\Installer\MSIBD59.tmp

Code function: 20_2_009C1860 FindFirstFileExW,

20_2_009C1860

Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	File opened: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Temp\source8412_1839449235\onestart-bin\NULL	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	File opened: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Temp\NULL	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	File opened: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Temp\source8412_1839449235\onestart-bin	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	File opened: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Temp\source8412_1839449235\onestart-bin\128.0.6613.124	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	File opened: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Temp\source8412_1839449235	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	File opened: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Temp\source8412_1839449235\NULL	Jump to behavior

Source: Joe Sandbox View	IP Address: 9.9.9.9 9.9.9.9
Source: Joe Sandbox View	IP Address: 1.1.1.1 1.1.1.1

Source: onestart.exe, 0000000F.00000003.17567081652.00003BBC00CA4000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 0000000F.00000003.17567027074.00003BBC00CB0000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 00000012.00000003.17565636149.000051740015C000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 00000012.00000003.17565717779.0000517400164000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/1423136
Source: onestart.exe, 0000000F.00000003.17567081652.00003BBC00CA4000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 0000000F.00000003.17567027074.00003BBC00CB0000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 00000012.00000003.17565636149.000051740015C000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 00000012.00000003.17565717779.0000517400164000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/40096371
Source: onestart.exe, 0000000F.00000003.17567081652.00003BBC00CA4000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 0000000F.00000003.17567027074.00003BBC00CB0000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 00000012.00000003.17565636149.000051740015C000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 00000012.00000003.17565717779.0000517400164000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/40096608
Source: onestart.exe, 0000000F.00000003.17567081652.00003BBC00CA4000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 0000000F.00000003.17567027074.00003BBC00CB0000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 00000012.00000003.17565636149.000051740015C000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 00000012.00000003.17565717779.0000517400164000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/40096838
Source: onestart.exe, 0000000F.00000003.17567081652.00003BBC00CA4000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 0000000F.00000003.17567027074.00003BBC00CB0000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 00000012.00000003.17565636149.000051740015C000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 00000012.00000003.17565717779.0000517400164000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/40644627
Source: onestart.exe, 0000000F.00000003.17567081652.00003BBC00CA4000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 0000000F.00000003.17567027074.00003BBC00CB0000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 00000012.00000003.17565636149.000051740015C000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 00000012.00000003.17565717779.0000517400164000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/40644912
Source: onestart.exe, 0000000F.00000003.17567081652.00003BBC00CA4000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 0000000F.00000003.17567027074.00003BBC00CB0000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 00000012.00000003.17565636149.000051740015C000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 00000012.00000003.17565717779.0000517400164000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/41488637
Source: onestart.exe, 0000000F.00000003.17567081652.00003BBC00CA4000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 0000000F.00000003.17567027074.00003BBC00CB0000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 00000012.00000003.17565636149.000051740015C000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 00000012.00000003.17565717779.0000517400164000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/42261924
Source: onestart.exe, 0000000F.00000003.17567081652.00003BBC00CA4000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 0000000F.00000003.17567027074.00003BBC00CB0000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 00000012.00000003.17565636149.000051740015C000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 00000012.00000003.17565717779.0000517400164000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/42263580
Source: onestart.exe, 0000000F.00000003.17567081652.00003BBC00CA4000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 0000000F.00000003.17567027074.00003BBC00CB0000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 00000012.00000003.17565636149.000051740015C000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 00000012.00000003.17565717779.0000517400164000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/42264193
Source: onestart.exe, 0000000F.00000003.17567081652.00003BBC00CA4000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 0000000F.00000003.17567027074.00003BBC00CB0000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 00000012.00000003.17565636149.000051740015C000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 00000012.00000003.17565717779.0000517400164000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/42264287
Source: onestart.exe, 0000000F.00000003.17567081652.00003BBC00CA4000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 0000000F.00000003.17567027074.00003BBC00CB0000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 00000012.00000003.17565636149.000051740015C000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 00000012.00000003.17565717779.0000517400164000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/42264571
Source: onestart.exe, 0000000F.00000003.17567081652.00003BBC00CA4000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 0000000F.00000003.17567027074.00003BBC00CB0000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 00000012.00000003.17565636149.000051740015C000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 00000012.00000003.17565717779.0000517400164000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/42265509
Source: onestart.exe, 0000000F.00000003.17567081652.00003BBC00CA4000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 0000000F.00000003.17567027074.00003BBC00CB0000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 00000012.00000003.17565636149.000051740015C000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 00000012.00000003.17565717779.0000517400164000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/42266194
Source: onestart.exe, 0000000F.00000003.17567081652.00003BBC00CA4000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 0000000F.00000003.17567027074.00003BBC00CB0000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 00000012.00000003.17565636149.000051740015C000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 00000012.00000003.17565717779.0000517400164000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/42266231
Source: onestart.exe, 0000000F.00000003.17567081652.00003BBC00CA4000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 0000000F.00000003.17567027074.00003BBC00CB0000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 00000012.00000003.17565636149.000051740015C000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 00000012.00000003.17565717779.0000517400164000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/42266232
Source: onestart.exe, 0000000F.00000003.17567081652.00003BBC00CA4000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 0000000F.00000003.17567027074.00003BBC00CB0000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 00000012.00000003.17565636149.000051740015C000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 00000012.00000003.17565717779.0000517400164000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/42266842
Source: onestart_installer.exe, 00000007.00000003.17260555254.000001B10FF60000.00000004.00000020.00020000.00000000.sdmp, onestart_installer.exe, 00000007.00000003.17260632906.000001B10FF60000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000008.00000003.17513855538.000002A1DE824000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000008.00000003.17528167852.000002A1DE8A9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: explorer.exe, 00000021.00000000.17618670047.000000000D870000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
Source: onestart_installer.exe, 00000007.00000003.17260555254.000001B10FF60000.00000004.00000020.00020000.00000000.sdmp, onestart_installer.exe, 00000007.00000003.17260632906.000001B10FF60000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000008.00000003.17513855538.000002A1DE824000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000008.00000003.17528167852.000002A1DE8A9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: onestart_installer.exe, 00000007.00000003.17260555254.000001B10FF60000.00000004.00000020.00020000.00000000.sdmp, onestart_installer.exe, 00000007.00000003.17260632906.000001B10FF60000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000008.00000003.17513855538.000002A1DE824000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000008.00000003.17528167852.000002A1DE8A9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: onestart.exe, 0000000F.00000003.17567081652.00003BBC00CA4000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 0000000F.00000003.17567027074.00003BBC00CB0000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 00000012.00000003.17565636149.000051740015C000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 00000012.00000003.17565717779.0000517400164000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crbug.com/941620
Source: onestart_installer.exe, 00000007.00000003.17260555254.000001B10FF60000.00000004.00000020.00020000.00000000.sdmp, onestart_installer.exe, 00000007.00000003.17260632906.000001B10FF60000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000008.00000003.17513855538.000002A1DE824000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000008.00000003.17528167852.000002A1DE8A9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0U
Source: onestart_installer.exe, 00000007.00000003.17260555254.000001B10FF60000.00000004.00000020.00020000.00000000.sdmp, onestart_installer.exe, 00000007.00000003.17260632906.000001B10FF60000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000008.00000003.17513855538.000002A1DE824000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000008.00000003.17528167852.000002A1DE8A9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/gsgccr45evcodesignca2020.crl0
Source: onestart_installer.exe, 00000007.00000003.17260555254.000001B10FF60000.00000004.00000020.00020000.00000000.sdmp, onestart_installer.exe, 00000007.00000003.17260632906.000001B10FF60000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000008.00000003.17513855538.000002A1DE824000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000008.00000003.17528167852.000002A1DE8A9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: explorer.exe, 00000021.00000000.17618670047.000000000D870000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
Source: onestart_installer.exe, 00000007.00000003.17260555254.000001B10FF60000.00000004.00000020.00020000.00000000.sdmp, onestart_installer.exe, 00000007.00000003.17260632906.000001B10FF60000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000008.00000003.17513855538.000002A1DE824000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000008.00000003.17528167852.000002A1DE8A9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: onestart_installer.exe, 00000007.00000003.17260555254.000001B10FF60000.00000004.00000020.00020000.00000000.sdmp, onestart_installer.exe, 00000007.00000003.17260632906.000001B10FF60000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000008.00000003.17513855538.000002A1DE824000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000008.00000003.17528167852.000002A1DE8A9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: onestart.exe, 00000023.00000003.17628335067.0000018EC598D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://en.w
Source: onestart_installer.exe, 00000007.00000002.17538125726.000075900007C000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 0000001C.00000002.17603323536.000035E80008C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://log.onestart.ai/
Source: onestart.exe, 0000001C.00000002.17603323536.000035E80008C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://log.onestart.ai/tart.aiContent-Type:
Source: onestart_installer.exe, 00000007.00000002.17538125726.000075900007C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://log.onestart.ai/tart.aiHost:
Source: onestart_installer.exe, 00000007.00000002.17538125726.000075900007C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://log.onestart.ai/tart.aiP
Source: explorer.exe, 00000021.00000000.17618670047.000000000D870000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: onestart_installer.exe, 00000007.00000003.17260555254.000001B10FF60000.00000004.00000020.00020000.00000000.sdmp, onestart_installer.exe, 00000007.00000003.17260632906.000001B10FF60000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000008.00000003.17513855538.000002A1DE824000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000008.00000003.17528167852.000002A1DE8A9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: onestart_installer.exe, 00000007.00000003.17260555254.000001B10FF60000.00000004.00000020.00020000.00000000.sdmp, onestart_installer.exe, 00000007.00000003.17260632906.000001B10FF60000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000008.00000003.17513855538.000002A1DE824000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000008.00000003.17528167852.000002A1DE8A9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: onestart_installer.exe, 00000007.00000003.17260555254.000001B10FF60000.00000004.00000020.00020000.00000000.sdmp, onestart_installer.exe, 00000007.00000003.17260632906.000001B10FF60000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000008.00000003.17513855538.000002A1DE824000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000008.00000003.17528167852.000002A1DE8A9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: explorer.exe, 00000021.00000000.17618670047.000000000D870000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crl(E
Source: onestart_installer.exe, 00000007.00000003.17260555254.000001B10FF60000.00000004.00000020.00020000.00000000.sdmp, onestart_installer.exe, 00000007.00000003.17260632906.000001B10FF60000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000008.00000003.17513855538.000002A1DE824000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000008.00000003.17528167852.000002A1DE8A9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
Source: onestart_installer.exe, 00000007.00000003.17260555254.000001B10FF60000.00000004.00000020.00020000.00000000.sdmp, onestart_installer.exe, 00000007.00000003.17260632906.000001B10FF60000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000008.00000003.17513855538.000002A1DE824000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000008.00000003.17528167852.000002A1DE8A9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.globalsign.com/gsgccr45evcodesignca20200U
Source: explorer.exe, 00000021.00000000.17611592583.000000000AA60000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000021.00000000.17608342592.0000000009EE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000021.00000000.17591931571.0000000003500000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://schemas.micro
Source: onestart_installer.exe, 00000007.00000003.17260555254.000001B10FF60000.00000004.00000020.00020000.00000000.sdmp, onestart_installer.exe, 00000007.00000003.17260632906.000001B10FF60000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000008.00000003.17513855538.000002A1DE824000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000008.00000003.17528167852.000002A1DE8A9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
Source: onestart_installer.exe, 00000007.00000003.17260555254.000001B10FF60000.00000004.00000020.00020000.00000000.sdmp, onestart_installer.exe, 00000007.00000003.17260632906.000001B10FF60000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000008.00000003.17513855538.000002A1DE824000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000008.00000003.17528167852.000002A1DE8A9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45evcodesignca2020.crt0?
Source: onestart.exe, 00000024.00000002.17609305562.0000017F3643A000.00000004.10000000.00040000.00000000.sdmp, onestart.exe, 00000024.00000002.17625481482.00005CA400074000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 00000024.00000003.17606436524.00005CA400110000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 00000024.00000003.17606436524.00005CA400112000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.google.com/update2/response
Source: onestart.exe, 00000025.00000002.17616734014.00000224A14D2000.00000002.00000001.00040000.00000015.sdmp	String found in binary or memory: http://www.unicode.org/copyright.html
Source: explorer.exe, 00000021.00000000.17624078294.000000000DE2D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppe
Source: explorer.exe, 00000021.00000000.17603967107.0000000009A37000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/odirm7
Source: explorer.exe, 00000021.00000000.17603967107.0000000009AE0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS
Source: onestart.exe, 0000000F.00000003.17567081652.00003BBC00CA4000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 0000000F.00000003.17567027074.00003BBC00CB0000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 00000012.00000003.17565636149.000051740015C000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 00000012.00000003.17565717779.0000517400164000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/42265720
Source: explorer.exe, 00000021.00000000.17603967107.0000000009AE0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 00000021.00000000.17618670047.000000000D870000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000021.00000000.17618670047.000000000DA12000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=E1A13A66A4BF44EAABB8D0B485177FE2&timeOut=5000&oc
Source: explorer.exe, 00000021.00000000.17618670047.000000000D81E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?w
Source: explorer.exe, 00000021.00000000.17618670047.000000000DA12000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000021.00000000.17618670047.000000000D82B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: onestart_installer.exe, 00000007.00000003.17201152609.0000759000114000.00000004.00001000.00020000.00000000.sdmp, onestart_installer.exe, 00000007.00000003.17201217581.0000759000114000.00000004.00001000.00020000.00000000.sdmp, onestart_installer.exe, 00000007.00000002.17538350328.00007590000D5000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 0000001C.00000003.17585871833.000035E800114000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 0000001C.00000002.17604203903.000035E8000D4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.onestart.ai/api/bb/updates.txt
Source: onestart_installer.exe, 00000007.00000000.17174527736.00007FF6A92E8000.00000002.00000001.01000000.00000004.sdmp, onestart_installer.exe, 00000007.00000002.17538917328.00007FF6A92E8000.00000002.00000001.01000000.00000004.sdmp, setup.exe, 00000008.00000000.17262676737.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmp, setup.exe, 00000008.00000002.17533880137.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmp, setup.exe, 00000009.00000002.17536290510.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmp, setup.exe, 00000009.00000000.17263931920.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmp, setup.exe, 0000000C.00000002.17527361484.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmp, setup.exe, 0000000C.00000000.17520130297.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmp, setup.exe, 0000000D.00000002.17529835252.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmp, setup.exe, 0000000D.00000000.17521585969.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmp, onestart.exe, 0000000F.00000000.17529224837.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp, onestart.exe, 00000010.00000000.17530866871.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp, onestart.exe, 00000011.00000000.17532602492.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp, onestart.exe, 00000012.00000000.17545701873.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp, onestart.exe, 00000013.00000000.17550906960.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp, onestart.exe, 00000015.00000000.17557027141.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp, onestart.exe, 00000018.00000000.17565578072.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp, onestart.exe, 00000018.00000002.17584352488.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp, onestart.exe, 0000001C.00000000.17579086367.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp, onestart.exe, 0000001C.00000002.17606273532.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp, onestart.exe, 0000001D.00000002.17602603849.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp	String found in binary or memory: https://api2.onestart.ai/api/bb/updates.txt
Source: explorer.exe, 00000021.00000000.17603967107.0000000009AFA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.com
Source: explorer.exe, 00000021.00000000.17602606993.00000000097F0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdat
Source: explorer.exe, 00000021.00000000.17618670047.000000000DA12000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/MSIAWwA=/Condition/AAehR3S.png
Source: explorer.exe, 00000021.00000000.17618670047.000000000DA12000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/MSIAWwA=/Condition/AAehR3S.svg
Source: explorer.exe, 00000021.00000000.17618670047.000000000DA12000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/taskbar/animation/20240908.1/Weather/W01_Sunn
Source: onestart.exe, 0000001C.00000003.17592980483.000035E800122000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 0000001C.00000003.17592351953.000035E800122000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 0000001C.00000003.17594882118.0000022143F30000.00000004.00000800.00020000.00000000.sdmp, onestart.exe, 0000001C.00000003.17592351953.000035E800118000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 0000001C.00000003.17592980483.000035E800114000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 0000001C.00000003.17592980483.000035E800118000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 0000001C.00000002.17602067560.000035E800004000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://atlasox.s3.amazonaws.com/bb/OneStartSetup-v10.116.180.0.msi
Source: explorer.exe, 00000021.00000000.17618670047.000000000DA12000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA12PNdd
Source: explorer.exe, 00000021.00000000.17618670047.000000000DA12000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA12PNdd-dark
Source: explorer.exe, 00000021.00000000.17618670047.000000000DA12000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA12QGBm
Source: explorer.exe, 00000021.00000000.17618670047.000000000DA12000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA12QGBm-dark
Source: explorer.exe, 00000021.00000000.17618670047.000000000DA12000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13D4or
Source: explorer.exe, 00000021.00000000.17618670047.000000000DA12000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13D4or-dark
Source: explorer.exe, 00000021.00000000.17618670047.000000000DA12000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT
Source: explorer.exe, 00000021.00000000.17618670047.000000000DA12000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT-dark
Source: explorer.exe, 00000021.00000000.17618670047.000000000DA12000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gD5m
Source: explorer.exe, 00000021.00000000.17618670047.000000000DA12000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gD5m-dark
Source: explorer.exe, 00000021.00000000.17618670047.000000000DA12000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gowI
Source: explorer.exe, 00000021.00000000.17618670047.000000000DA12000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gowI-dark
Source: explorer.exe, 00000021.00000000.17618670047.000000000DA12000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gyc7
Source: explorer.exe, 00000021.00000000.17618670047.000000000DA12000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gyc7-dark
Source: onestart.exe, 00000022.00000003.17593241862.00000DD0004DC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore
Source: onestart.exe, 0000000F.00000003.17607439365.00003BBC01390000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 00000022.00000003.17593241862.00000DD0004DC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstoreG?Discover
Source: notification_helper.exe, 0000000A.00000002.17520154193.000001ABFF9AF000.00000004.00000020.00020000.00000000.sdmp, notification_helper.exe, 0000000A.00000003.17519166852.00002F98000E8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/cr/report
Source: setup.exe, 00000008.00000000.17262676737.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmp, setup.exe, 00000008.00000002.17533880137.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmp, setup.exe, 00000009.00000002.17536290510.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmp, setup.exe, 00000009.00000000.17263931920.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmp, setup.exe, 0000000C.00000002.17527361484.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmp, setup.exe, 0000000C.00000000.17520130297.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmp, setup.exe, 0000000D.00000002.17529835252.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmp, setup.exe, 0000000D.00000000.17521585969.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmp, onestart.exe, 0000000F.00000000.17529224837.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp, onestart.exe, 00000010.00000000.17530866871.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp, onestart.exe, 00000011.00000000.17532602492.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp, onestart.exe, 00000012.00000000.17545701873.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp, onestart.exe, 00000013.00000000.17550906960.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp, onestart.exe, 00000015.00000000.17557027141.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp, onestart.exe, 00000018.00000000.17565578072.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp, onestart.exe, 00000018.00000002.17584352488.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp, onestart.exe, 0000001C.00000000.17579086367.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp, onestart.exe, 0000001C.00000002.17606273532.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp, onestart.exe, 0000001D.00000002.17602603849.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp, onestart.exe, 0000001D.00000000.17580243797.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp, onestart.exe, 0000001F.00000000.17585188024.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp	String found in binary or memory: https://crashpad.chromium.org/
Source: setup.exe, 00000008.00000000.17262676737.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmp, setup.exe, 00000008.00000002.17533880137.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmp, setup.exe, 00000009.00000002.17536290510.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmp, setup.exe, 00000009.00000000.17263931920.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmp, setup.exe, 0000000C.00000002.17527361484.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmp, setup.exe, 0000000C.00000000.17520130297.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmp, setup.exe, 0000000D.00000002.17529835252.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmp, setup.exe, 0000000D.00000000.17521585969.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmp, onestart.exe, 0000000F.00000000.17529224837.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp, onestart.exe, 00000010.00000000.17530866871.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp, onestart.exe, 00000011.00000000.17532602492.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp, onestart.exe, 00000012.00000000.17545701873.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp, onestart.exe, 00000013.00000000.17550906960.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp, onestart.exe, 00000015.00000000.17557027141.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp, onestart.exe, 00000018.00000000.17565578072.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp, onestart.exe, 00000018.00000002.17584352488.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp, onestart.exe, 0000001C.00000000.17579086367.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp, onestart.exe, 0000001C.00000002.17606273532.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp, onestart.exe, 0000001D.00000002.17602603849.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp, onestart.exe, 0000001D.00000000.17580243797.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp, onestart.exe, 0000001F.00000000.17585188024.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp	String found in binary or memory: https://crashpad.chromium.org/bug/new
Source: setup.exe, 00000008.00000000.17262676737.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmp, setup.exe, 00000008.00000002.17533880137.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmp, setup.exe, 00000009.00000002.17536290510.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmp, setup.exe, 00000009.00000000.17263931920.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmp, setup.exe, 0000000C.00000002.17527361484.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmp, setup.exe, 0000000C.00000000.17520130297.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmp, setup.exe, 0000000D.00000002.17529835252.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmp, setup.exe, 0000000D.00000000.17521585969.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmp, onestart.exe, 0000000F.00000000.17529224837.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp, onestart.exe, 00000010.00000000.17530866871.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp, onestart.exe, 00000011.00000000.17532602492.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp, onestart.exe, 00000012.00000000.17545701873.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp, onestart.exe, 00000013.00000000.17550906960.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp, onestart.exe, 00000015.00000000.17557027141.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp, onestart.exe, 00000018.00000000.17565578072.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp, onestart.exe, 00000018.00000002.17584352488.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp, onestart.exe, 0000001C.00000000.17579086367.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp, onestart.exe, 0000001C.00000002.17606273532.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp, onestart.exe, 0000001D.00000002.17602603849.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp, onestart.exe, 0000001D.00000000.17580243797.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp, onestart.exe, 0000001F.00000000.17585188024.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp	String found in binary or memory: https://crashpad.chromium.org/https://crashpad.chromium.org/bug/new
Source: onestart.exe, 0000000F.00000003.17567081652.00003BBC00CA4000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 0000000F.00000003.17567027074.00003BBC00CB0000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 00000012.00000003.17565636149.000051740015C000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 00000012.00000003.17565717779.0000517400164000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/593024
Source: onestart.exe, 0000000F.00000003.17567081652.00003BBC00CA4000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 0000000F.00000003.17567027074.00003BBC00CB0000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 00000012.00000003.17565636149.000051740015C000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 00000012.00000003.17565717779.0000517400164000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/650547
Source: onestart.exe, 0000000F.00000003.17567081652.00003BBC00CA4000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 0000000F.00000003.17567027074.00003BBC00CB0000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 00000012.00000003.17565636149.000051740015C000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 00000012.00000003.17565717779.0000517400164000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/655534
Source: onestart_installer.exe, 00000007.00000000.17174527736.00007FF6A92E8000.00000002.00000001.01000000.00000004.sdmp, onestart_installer.exe, 00000007.00000002.17538917328.00007FF6A92E8000.00000002.00000001.01000000.00000004.sdmp, setup.exe, 00000008.00000000.17262676737.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmp, setup.exe, 00000008.00000002.17533880137.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmp, setup.exe, 00000009.00000002.17536290510.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmp, setup.exe, 00000009.00000000.17263931920.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmp, setup.exe, 0000000C.00000002.17527361484.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmp, setup.exe, 0000000C.00000000.17520130297.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmp, setup.exe, 0000000D.00000002.17529835252.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmp, setup.exe, 0000000D.00000000.17521585969.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmp, onestart.exe, 0000000F.00000000.17529224837.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp, onestart.exe, 00000010.00000000.17530866871.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp, onestart.exe, 00000011.00000000.17532602492.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp, onestart.exe, 00000012.00000000.17545701873.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp, onestart.exe, 00000013.00000000.17550906960.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp, onestart.exe, 00000015.00000000.17557027141.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp, onestart.exe, 00000018.00000000.17565578072.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp, onestart.exe, 00000018.00000002.17584352488.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp, onestart.exe, 0000001C.00000000.17579086367.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp, onestart.exe, 0000001C.00000002.17606273532.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp, onestart.exe, 0000001D.00000002.17602603849.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp	String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html
Source: onestart.exe, 0000001C.00000003.17592980483.000035E800122000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 0000001C.00000003.17592351953.000035E800122000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 0000001C.00000003.17594882118.0000022143F30000.00000004.00000800.00020000.00000000.sdmp, onestart.exe, 0000001C.00000003.17592351953.000035E800118000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 0000001C.00000003.17592980483.000035E800114000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 0000001C.00000003.17592980483.000035E800118000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 0000001C.00000002.17602067560.000035E800004000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://d1cvahyfkfdxyq.cloudfront.net/OneStartSetup-v10.116.180.0.msi
Source: onestart.exe, 00000022.00000003.17595367872.00000DD000578000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 00000022.00000003.17594063744.00000DD00059C000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 00000022.00000003.17595977736.00000DD000678000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 00000022.00000003.17595107240.00000DD00066C000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 00000023.00000003.17602899497.000036E00058C000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 00000023.00000003.17603727265.000036E00066C000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 00000023.00000003.17604326816.000036E000678000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 00000023.00000003.17603083891.000036E000568000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://drafts.csswg.org/css-page-3/#margin-text-alignment
Source: explorer.exe, 00000021.00000000.17618670047.000000000D870000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://excel.office.com
Source: onestart.exe, 00000022.00000003.17595367872.00000DD000578000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 00000022.00000003.17594063744.00000DD00059C000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 00000022.00000003.17595977736.00000DD000678000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 00000022.00000003.17595107240.00000DD00066C000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 00000023.00000003.17602899497.000036E00058C000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 00000023.00000003.17603727265.000036E00066C000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 00000023.00000003.17604326816.000036E000678000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 00000023.00000003.17603083891.000036E000568000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://fullscreen.spec.whatwg.org/#user-agent-level-style-sheet-defaults:
Source: onestart.exe, 00000022.00000003.17595367872.00000DD000578000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 00000022.00000003.17594063744.00000DD00059C000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 00000022.00000003.17595977736.00000DD000678000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 00000022.00000003.17595107240.00000DD00066C000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 00000023.00000003.17602899497.000036E00058C000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 00000023.00000003.17603727265.000036E00066C000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 00000023.00000003.17604326816.000036E000678000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 00000023.00000003.17603083891.000036E000568000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/w3c/csswg-drafts/issues/6939#issuecomment-1016679588
Source: explorer.exe, 00000021.00000000.17618670047.000000000DA12000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://hgic.clemson.edu/
Source: onestart.exe, 00000022.00000003.17595367872.00000DD000578000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 00000022.00000003.17594063744.00000DD00059C000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 00000022.00000003.17595977736.00000DD000678000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 00000022.00000003.17595107240.00000DD00066C000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 00000023.00000003.17602899497.000036E00058C000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 00000023.00000003.17603727265.000036E00066C000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 00000023.00000003.17604326816.000036E000678000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 00000023.00000003.17603083891.000036E000568000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://html.spec.whatwg.org/C/#the-details-and-summary-elements
Source: onestart.exe, 00000022.00000003.17595367872.00000DD000578000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 00000022.00000003.17594063744.00000DD00059C000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 00000022.00000003.17595977736.00000DD000678000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 00000022.00000003.17595107240.00000DD00066C000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 00000023.00000003.17602899497.000036E00058C000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 00000023.00000003.17603727265.000036E00066C000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 00000023.00000003.17604326816.000036E000678000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 00000023.00000003.17603083891.000036E000568000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://html.spec.whatwg.org/multipage/rendering.html#bidi-rendering
Source: onestart.exe, 00000022.00000003.17595367872.00000DD000578000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 00000022.00000003.17594063744.00000DD00059C000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 00000022.00000003.17595977736.00000DD000678000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 00000022.00000003.17595107240.00000DD00066C000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 00000023.00000003.17602899497.000036E00058C000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 00000023.00000003.17603727265.000036E00066C000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 00000023.00000003.17604326816.000036E000678000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 00000023.00000003.17603083891.000036E000568000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://html.spec.whatwg.org/multipage/rendering.html#flow-content-3
Source: onestart.exe, 00000022.00000003.17595367872.00000DD000578000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 00000022.00000003.17594063744.00000DD00059C000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 00000022.00000003.17595977736.00000DD000678000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 00000022.00000003.17595107240.00000DD00066C000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 00000023.00000003.17602899497.000036E00058C000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 00000023.00000003.17603727265.000036E00066C000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 00000023.00000003.17604326816.000036E000678000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 00000023.00000003.17603083891.000036E000568000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://html.spec.whatwg.org/multipage/rendering.html#hidden-elements
Source: explorer.exe, 00000021.00000000.17618670047.000000000DA12000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA12I8qo.img
Source: explorer.exe, 00000021.00000000.17618670047.000000000DA12000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1qFBqf.img
Source: explorer.exe, 00000021.00000000.17618670047.000000000DA12000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1tM8RF.img
Source: explorer.exe, 00000021.00000000.17618670047.000000000DA12000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1tXDSk.img
Source: explorer.exe, 00000021.00000000.17618670047.000000000DA12000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1tXek1.img
Source: explorer.exe, 00000021.00000000.17618670047.000000000DA12000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1tXkaV.img
Source: explorer.exe, 00000021.00000000.17618670047.000000000DA12000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1tXs0g.img
Source: explorer.exe, 00000021.00000000.17618670047.000000000DA12000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA36Tom.img
Source: explorer.exe, 00000021.00000000.17618670047.000000000DA12000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA6oz5z.img
Source: explorer.exe, 00000021.00000000.17618670047.000000000DA12000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AABp9vq.img
Source: explorer.exe, 00000021.00000000.17618670047.000000000DA12000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAaeOki.img
Source: explorer.exe, 00000021.00000000.17618670047.000000000DA12000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAywGC0.img
Source: explorer.exe, 00000021.00000000.17618670047.000000000DA12000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1iktXS.img
Source: explorer.exe, 00000021.00000000.17618670047.000000000DA12000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1nDkpC.img
Source: explorer.exe, 00000021.00000000.17618670047.000000000DA12000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBERG9W.img
Source: explorer.exe, 00000021.00000000.17618670047.000000000DA12000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBNvr53.img
Source: onestart.exe, 00000012.00000003.17565717779.0000517400164000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/220069903
Source: onestart.exe, 00000012.00000003.17565717779.0000517400164000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/292285899
Source: onestart.exe, 00000012.00000003.17565717779.0000517400164000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/349489248
Source: onestart_installer.exe, 00000007.00000000.17174527736.00007FF6A92E8000.00000002.00000001.01000000.00000004.sdmp, onestart_installer.exe, 00000007.00000002.17538917328.00007FF6A92E8000.00000002.00000001.01000000.00000004.sdmp, setup.exe, 00000008.00000000.17262676737.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmp, setup.exe, 00000008.00000002.17533880137.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmp, setup.exe, 00000009.00000002.17536290510.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmp, setup.exe, 00000009.00000000.17263931920.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmp, setup.exe, 0000000C.00000002.17527361484.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmp, setup.exe, 0000000C.00000000.17520130297.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmp, setup.exe, 0000000D.00000002.17529835252.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmp, setup.exe, 0000000D.00000000.17521585969.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmp, onestart.exe, 0000000F.00000000.17529224837.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp, onestart.exe, 00000010.00000000.17530866871.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp, onestart.exe, 00000011.00000000.17532602492.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp, onestart.exe, 00000012.00000000.17545701873.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp, onestart.exe, 00000013.00000000.17550906960.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp, onestart.exe, 00000015.00000000.17557027141.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp, onestart.exe, 00000018.00000000.17565578072.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp, onestart.exe, 00000018.00000002.17584352488.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp, onestart.exe, 0000001C.00000000.17579086367.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp, onestart.exe, 0000001C.00000002.17606273532.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp, onestart.exe, 0000001D.00000002.17602603849.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp	String found in binary or memory: https://log.onestart.ai
Source: onestart_installer.exe, 00000007.00000000.17174527736.00007FF6A92E8000.00000002.00000001.01000000.00000004.sdmp, onestart_installer.exe, 00000007.00000002.17538917328.00007FF6A92E8000.00000002.00000001.01000000.00000004.sdmp, setup.exe, 00000008.00000000.17262676737.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmp, setup.exe, 00000008.00000002.17533880137.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmp, setup.exe, 00000009.00000002.17536290510.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmp, setup.exe, 00000009.00000000.17263931920.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmp, setup.exe, 0000000C.00000002.17527361484.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmp, setup.exe, 0000000C.00000000.17520130297.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmp, setup.exe, 0000000D.00000002.17529835252.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmp, setup.exe, 0000000D.00000000.17521585969.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmp, onestart.exe, 0000000F.00000000.17529224837.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp, onestart.exe, 00000010.00000000.17530866871.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp, onestart.exe, 00000011.00000000.17532602492.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp, onestart.exe, 00000012.00000000.17545701873.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp, onestart.exe, 00000013.00000000.17550906960.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp, onestart.exe, 00000015.00000000.17557027141.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp, onestart.exe, 00000018.00000000.17565578072.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp, onestart.exe, 00000018.00000002.17584352488.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp, onestart.exe, 0000001C.00000000.17579086367.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp, onestart.exe, 0000001C.00000002.17606273532.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp, onestart.exe, 0000001D.00000002.17602603849.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp	String found in binary or memory: https://log.onestart.aihttps://api2.onestart.ai/api/bb/updates.txtLOCALAPPDATAhttps://onestart.ai/ch
Source: onestart_installer.exe, 00000007.00000000.17174527736.00007FF6A92E8000.00000002.00000001.01000000.00000004.sdmp, onestart_installer.exe, 00000007.00000002.17538917328.00007FF6A92E8000.00000002.00000001.01000000.00000004.sdmp, onestart_installer.exe, 00000007.00000002.17537982205.0000759000048000.00000004.00001000.00020000.00000000.sdmp, onestart_installer.exe, 00000007.00000002.17538096350.0000759000070000.00000004.00001000.00020000.00000000.sdmp, setup.exe, 00000008.00000000.17262676737.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmp, setup.exe, 00000008.00000002.17533880137.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmp, setup.exe, 00000009.00000002.17536290510.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmp, setup.exe, 00000009.00000000.17263931920.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmp, setup.exe, 0000000C.00000002.17527361484.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmp, setup.exe, 0000000C.00000000.17520130297.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmp, setup.exe, 0000000D.00000002.17529835252.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmp, setup.exe, 0000000D.00000000.17521585969.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmp, onestart.exe, 0000000F.00000000.17529224837.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp, onestart.exe, 00000010.00000000.17530866871.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp, onestart.exe, 00000011.00000000.17532602492.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp, onestart.exe, 00000012.00000000.17545701873.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp, onestart.exe, 00000013.00000000.17550906960.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp, onestart.exe, 00000015.00000000.17557027141.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp, onestart.exe, 00000018.00000000.17565578072.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp, onestart.exe, 00000018.00000002.17584352488.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp, onestart.exe, 0000001C.00000000.17579086367.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp	String found in binary or memory: https://onestart.ai/chr/gcsett?iid=
Source: onestart.exe, 0000001C.00000002.17603139470.000035E80007C000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 0000001C.00000002.17602865138.000035E80004C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://onestart.ai/chr/gcsett?iid=40f05e8e-ef61-4211-af81-78bf374c0ab8
Source: onestart.exe, 0000001C.00000002.17602865138.000035E80004C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://onestart.ai/chr/gcsett?iid=40f05e8e-ef61-4211-af81-78bf374c0ab85
Source: onestart.exe, 0000001C.00000002.17603139470.000035E80007C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://onestart.ai/chr/gcsett?iid=40f05e8e-ef61-4211-af81-78bf374c0ab8rt.ai
Source: onestart_installer.exe, 00000007.00000002.17537982205.0000759000048000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://onestart.ai/chr/gcsett?iid=pData
Source: onestart_installer.exe, 00000007.00000002.17538096350.0000759000070000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://onestart.ai/chr/gcsett?iid=u
Source: onestart_installer.exe, 00000007.00000000.17174527736.00007FF6A92E8000.00000002.00000001.01000000.00000004.sdmp, onestart_installer.exe, 00000007.00000002.17538917328.00007FF6A92E8000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: https://onestart.ai/chr/ri?
Source: onestart_installer.exe, 00000007.00000002.17538155184.0000759000080000.00000004.00001000.00020000.00000000.sdmp, onestart_installer.exe, 00000007.00000002.17538063483.000075900006C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://onestart.ai/chr/ri?fhnid=ip&product=2&bversion=128.0.6613.124&wversion=4.5.258.2
Source: onestart_installer.exe, 00000007.00000002.17538063483.000075900006C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://onestart.ai/chr/ri?fhnid=ip&product=2&bversion=128.0.6613.124&wversion=4.5.258.2Start
Source: onestart_installer.exe, 00000007.00000002.17538155184.0000759000080000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://onestart.ai/chr/ri?fhnid=ip&product=2&bversion=128.0.6613.124&wversion=4.5.258.2u
Source: onestart_installer.exe, 00000007.00000000.17174527736.00007FF6A92E8000.00000002.00000001.01000000.00000004.sdmp, onestart_installer.exe, 00000007.00000002.17538917328.00007FF6A92E8000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: https://onestart.ai/chr/ri?productbrowsertyphttps://onestart.ai/chr/ui?iid=
Source: onestart_installer.exe, 00000007.00000000.17174527736.00007FF6A92E8000.00000002.00000001.01000000.00000004.sdmp, onestart_installer.exe, 00000007.00000002.17538917328.00007FF6A92E8000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: https://onestart.ai/chr/ui?iid=
Source: setup.exe, 0000000D.00000000.17521585969.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: https://onestart.ai/chr/uninstall?iid=
Source: onestart.exe, 00000024.00000002.17609305562.0000017F3643A000.00000004.10000000.00040000.00000000.sdmp, onestart.exe, 00000024.00000003.17606436524.00005CA400110000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 00000024.00000003.17606436524.00005CA400112000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://onestart.ai/resources/extension/c1/capitalone-101.0.1.10.crx
Source: explorer.exe, 00000021.00000000.17618670047.000000000DC44000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://outlook.com
Source: explorer.exe, 00000021.00000000.17618670047.000000000D8CC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://powerpoint.office.coms
Source: onestart.exe, 0000001C.00000003.17592980483.000035E800122000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 0000001C.00000003.17592351953.000035E800122000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 0000001C.00000003.17594882118.0000022143F30000.00000004.00000800.00020000.00000000.sdmp, onestart.exe, 0000001C.00000003.17592351953.000035E800118000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 0000001C.00000003.17592980483.000035E800114000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 0000001C.00000003.17592980483.000035E800118000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 0000001C.00000002.17602067560.000035E800004000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://resources.onestart.ai/onestart_installer_128.0.6613.125.exe
Source: onestart.exe, 00000018.00000002.17575506737.000001DC40D9A000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://secure.eicar.org/eicar.com
Source: onestart.exe, 00000018.00000002.17575506737.000001DC40D9A000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://secure.eicar.org/eicar.com.txt
Source: onestart.exe, 00000018.00000003.17567887218.000001DC40ACC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://secure.eicar.org/eicar.com;
Source: explorer.exe, 00000021.00000000.17618670047.000000000DA12000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://thehouseplantguru.com/
Source: explorer.exe, 00000021.00000000.17618670047.000000000DA12000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://weathermapdata.blob.core.windows.net/static/finance/1stparty/FinanceTaskbarIcons/Finance_Sto
Source: explorer.exe, 00000021.00000000.17618670047.000000000DA12000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-us&chosenMarketReason=implicitNew
Source: explorer.exe, 00000021.00000000.17618670047.000000000DA12000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-us&chosenMarketReason=implicitNew
Source: explorer.exe, 00000021.00000000.17597360774.00000000054AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://wns.windows.com/
Source: explorer.exe, 00000021.00000000.17618670047.000000000DC44000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://word.office.comPRYMo
Source: explorer.exe, 00000021.00000000.17618670047.000000000DA12000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.com/Bloom-secrets-flowering-houseplants-year-round/dp/0760374155/?tag=syndication
Source: explorer.exe, 00000021.00000000.17618670047.000000000DA12000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.delish.com/cooking/recipe-ideas/a42024981/chocolate-strawberry-turkeys-recipe/
Source: explorer.exe, 00000021.00000000.17618670047.000000000DA12000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.delish.com/cooking/recipe-ideas/a44007618/sweet-potato-pie-recipe/
Source: explorer.exe, 00000021.00000000.17618670047.000000000DA12000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.delish.com/cooking/recipe-ideas/a44391109/pumpkin-pie-recipe/
Source: explorer.exe, 00000021.00000000.17618670047.000000000DA12000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.delish.com/cooking/recipe-ideas/a55685/easy-pecan-pie-recipe/
Source: explorer.exe, 00000021.00000000.17618670047.000000000DA12000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.delish.com/cooking/recipe-ideas/a62045743/krispie-turkey-recipe/
Source: explorer.exe, 00000021.00000000.17618670047.000000000DA12000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.delish.com/cooking/recipe-ideas/a62046866/turkey-oreo-balls-recipe/
Source: explorer.exe, 00000021.00000000.17618670047.000000000DA12000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.delish.com/cooking/recipe-ideas/a62669266/turkey-leg-rice-krispies-recipe/
Source: explorer.exe, 00000021.00000000.17618670047.000000000DA12000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.delish.com/cooking/recipe-ideas/recipes/a56500/pumpkin-pie-turkeys-recipe/
Source: explorer.exe, 00000021.00000000.17618670047.000000000DA12000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.delish.com/holiday-recipes/g22593950/vegetarian-thanksgiving-recipes/
Source: explorer.exe, 00000021.00000000.17618670047.000000000DA12000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.delish.com/holiday-recipes/thanksgiving/a29167451/turkey-cheese-ball-recipe/
Source: explorer.exe, 00000021.00000000.17618670047.000000000DA12000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.delish.com/holiday-recipes/thanksgiving/a29505453/turkey-cake-recipe/
Source: explorer.exe, 00000021.00000000.17618670047.000000000DA12000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.delish.com/holiday-recipes/thanksgiving/g1183/mini-thanksgiving-desserts/
Source: explorer.exe, 00000021.00000000.17618670047.000000000DA12000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.delish.com/holiday-recipes/thanksgiving/g3011/thanksgiving-cocktails/
Source: explorer.exe, 00000021.00000000.17618670047.000000000DA12000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.delish.com/holiday-recipes/thanksgiving/g3763/thanksgiving-pies/
Source: onestart.exe, 0000000F.00000003.17587316297.00003BBC005A4000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 0000000F.00000003.17561258244.00003BBC005A4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.dillards.com/webapp/wcs/stores/servlet/OrderItemDisplay
Source: onestart.exe, 0000000F.00000003.17561258244.00003BBC005A4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/search?q=
Source: onestart.exe, 00000018.00000003.17574702913.0000495C0010C000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 00000018.00000003.17571577298.000001DC40AB4000.00000004.00000020.00020000.00000000.sdmp, onestart.exe, 00000018.00000002.17575506737.000001DC40D9A000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://www.eicar.org/download-anti-malware-testfile/
Source: onestart.exe, 00000018.00000003.17574702913.0000495C0010C000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 00000018.00000002.17575506737.000001DC40D9A000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://www.eicar.org/download-anti-malware-testfile/&Download
Source: onestart.exe, 00000018.00000003.17571577298.000001DC40AB4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.eicar.org/download-anti-malware-testfile/.
Source: onestart.exe, 00000018.00000003.17567887218.000001DC40ACC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.eicar.org/download-anti-malware-testfile/:
Source: onestart.exe, 00000018.00000003.17571577298.000001DC40AB4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.eicar.org/wp-content/uploads/2018/04/cropped-e-32x32.png
Source: onestart.exe, 00000018.00000003.17571577298.000001DC40AB4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.eicar.org/wp-content/uploads/2018/04/cropped-e-32x32.pngK
Source: onestart_installer.exe, 00000007.00000003.17260555254.000001B10FF60000.00000004.00000020.00020000.00000000.sdmp, onestart_installer.exe, 00000007.00000003.17260632906.000001B10FF60000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000008.00000003.17513855538.000002A1DE824000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000008.00000003.17528167852.000002A1DE8A9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.globalsign.com/repository/0
Source: onestart.exe, 00000018.00000002.17582601314.0000495C00060000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/?&brand=CHWL&utm_campaign=en&utm_source=en-et-na-us-chrome-bubble&utm_
Source: onestart.exe, 00000018.00000002.17575506737.000001DC40D9A000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/next-steps.html?brand=CHWL&statcb=0&installdataindex=empty&defaultbrow
Source: onestart.exe, 00000018.00000003.17571577298.000001DC40AB4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/static/images/favicons/favicon-32x32.png
Source: onestart.exe, 00000018.00000003.17571577298.000001DC40AB4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/favicon.ico
Source: onestart.exe, 0000000F.00000003.17587316297.00003BBC005A4000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 0000000F.00000003.17561258244.00003BBC005A4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
Source: onestart.exe, 00000018.00000002.17575506737.000001DC40D9A000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://www.google.com/search?q=eicar
Source: onestart.exe, 0000000F.00000003.17587316297.00003BBC005A4000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 0000000F.00000003.17561258244.00003BBC005A4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.llbean.com/webapp/wcs/stores/servlet/LLBShoppingCartDisplay
Source: explorer.exe, 00000021.00000000.17618670047.000000000DA12000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/channel/topic/US%20Elections/tp-Y_cc072da4-ecb2-413a-9ffe-5ec5ad54ca41
Source: explorer.exe, 00000021.00000000.17618670047.000000000DA12000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/feed
Source: explorer.exe, 00000021.00000000.17618670047.000000000DA12000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/lifestyle/home-and-garden/15-things-you-shouldn-t-do-to-your-lawn/ss-AA1tK
Source: explorer.exe, 00000021.00000000.17602606993.0000000009839000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/m)
Source: explorer.exe, 00000021.00000000.17618670047.000000000DA12000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/markets/john-paulson-drops-out-of-running-to-become-trump-treasury-s
Source: explorer.exe, 00000021.00000000.17618670047.000000000DA12000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/markets?id=a33k6h
Source: explorer.exe, 00000021.00000000.17618670047.000000000DA12000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/markets?id=a3oxnm
Source: explorer.exe, 00000021.00000000.17618670047.000000000DA12000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/markets?id=a6qja2
Source: explorer.exe, 00000021.00000000.17618670047.000000000DA12000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/quiet-millionaires-5-understated-signs-that-whisper-
Source: explorer.exe, 00000021.00000000.17618670047.000000000DA12000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/retirement/i-m-46-years-old-single-and-live-paycheck-to-paycheck-but
Source: explorer.exe, 00000021.00000000.17602606993.0000000009839000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/crime/dick-van-dyke-forever-young/ar-AA1lDpRD
Source: explorer.exe, 00000021.00000000.17618670047.000000000DA12000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/crime/jose-ibarra-waives-jury-trial-in-case-of-laken-hope-riley-s-kil
Source: explorer.exe, 00000021.00000000.17618670047.000000000DA12000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/chris-wallace-leaving-cnn/ar-AA1tUo1L
Source: explorer.exe, 00000021.00000000.17618670047.000000000DA12000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/joe-manchin-reminds-gop-senators-who-their-boss-is/ar-AA1tXn
Source: explorer.exe, 00000021.00000000.17618670047.000000000DA12000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/judge-delays-decision-in-trump-s-hush-money-case-as-he-prepa
Source: explorer.exe, 00000021.00000000.17618670047.000000000DA12000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/judge-delays-decisions-on-trump-criminal-case-after-election
Source: explorer.exe, 00000021.00000000.17618670047.000000000DA12000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/laken-riley-killing-judge-to-decide-fate-of-undocumented-mig
Source: explorer.exe, 00000021.00000000.17618670047.000000000DA12000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/trump-expected-to-move-space-command-headquarters-out-of-col
Source: explorer.exe, 00000021.00000000.17618670047.000000000DA12000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/trump-picks-gov-kristi-noem-to-serve-as-homeland-security-se
Source: explorer.exe, 00000021.00000000.17618670047.000000000DA12000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/trump-s-house-gop-picks-have-republicans-worried/ar-AA1tXhyZ
Source: explorer.exe, 00000021.00000000.17618670047.000000000DA12000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/warren-trump-transition-already-breaking-the-law/ar-AA1tU04S
Source: explorer.exe, 00000021.00000000.17618670047.000000000DA12000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/louisiana-s-ten-commandments-law-in-public-schools-is-blocked-by-f
Source: explorer.exe, 00000021.00000000.17618670047.000000000DA12000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/world/after-188-years-the-world-s-longest-venomous-snake-is-officiall
Source: explorer.exe, 00000021.00000000.17618670047.000000000DA12000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/world/haiti-s-main-airport-and-capital-frozen-a-day-after-a-plane-was
Source: explorer.exe, 00000021.00000000.17602606993.000000000981F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/play/games/dominoes/cg-9p72cwq04mkt
Source: explorer.exe, 00000021.00000000.17618670047.000000000DA12000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/sports/nfl/cowboys-9x-all-pro-predicted-to-cut-ties-with-dallas-join-bears
Source: explorer.exe, 00000021.00000000.17618670047.000000000DA12000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/sports/nfl/the-dallas-cowboys-set-an-nfl-record-on-sunday/ar-AA1tTyC8
Source: explorer.exe, 00000021.00000000.17618670047.000000000DA12000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/tv/news/a-look-back-at-50-years-of-political-humor-on-saturday-night-live/
Source: explorer.exe, 00000021.00000000.17618670047.000000000DA12000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/forecast/in-Bremen%2CAlabama?loc=eyJsIjoiQnJlbWVuIiwiciI6IkFsYWJhb
Source: explorer.exe, 00000021.00000000.17618670047.000000000DA12000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/tropical-system-brewing-in-the-caribbean-now-is-forecas

Source: onestart.exe

Process created: 42

Source: C:\Windows\Installer\MSIBD59.tmp

Code function: 20_2_009866A0 GetProcAddress,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,ReadProcessMemory,LocalFree,GetLastError,FreeLibrary,

20_2_009866A0

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\79f3f8.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIF540.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIF5AF.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIF5EE.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\inprogressinstallinfo.ipi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\SourceHash{4338DD3D-C6E7-44F1-8FDD-8394E9076A9A}	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIF68B.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIF6BB.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIF7A7.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIBD59.tmp	Jump to behavior

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Installer\MSIF540.tmp

Jump to behavior

Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 8_2_00007FF6C9183A3C	8_2_00007FF6C9183A3C
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 8_2_00007FF6C9147A90	8_2_00007FF6C9147A90
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 8_2_00007FF6C90232C0	8_2_00007FF6C90232C0
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 8_2_00007FF6C917FAF0	8_2_00007FF6C917FAF0
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 8_2_00007FF6C915B2F0	8_2_00007FF6C915B2F0
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 8_2_00007FF6C902BAF2	8_2_00007FF6C902BAF2
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 8_2_00007FF6C91AFAD4	8_2_00007FF6C91AFAD4
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 8_2_00007FF6C9149B30	8_2_00007FF6C9149B30
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 8_2_00007FF6C9144B00	8_2_00007FF6C9144B00
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 8_2_00007FF6C9187964	8_2_00007FF6C9187964
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 8_2_00007FF6C9188950	8_2_00007FF6C9188950
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 8_2_00007FF6C9025980	8_2_00007FF6C9025980
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 8_2_00007FF6C919E1E8	8_2_00007FF6C919E1E8
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 8_2_00007FF6C91B2230	8_2_00007FF6C91B2230
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 8_2_00007FF6C9210200	8_2_00007FF6C9210200
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 8_2_00007FF6C9183C40	8_2_00007FF6C9183C40
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 8_2_00007FF6C918BC7C	8_2_00007FF6C918BC7C
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 8_2_00007FF6C91A6CD0	8_2_00007FF6C91A6CD0
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 8_2_00007FF6C902A4E0	8_2_00007FF6C902A4E0
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 8_2_00007FF6C9023D10	8_2_00007FF6C9023D10
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 8_2_00007FF6C9189370	8_2_00007FF6C9189370
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 8_2_00007FF6C9096340	8_2_00007FF6C9096340
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 8_2_00007FF6C9187B68	8_2_00007FF6C9187B68
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 8_2_00007FF6C9023B70	8_2_00007FF6C9023B70
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 8_2_00007FF6C91A73B0	8_2_00007FF6C91A73B0
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 8_2_00007FF6C902CBA8	8_2_00007FF6C902CBA8
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 8_2_00007FF6C902BBC0	8_2_00007FF6C902BBC0
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 8_2_00007FF6C9090400	8_2_00007FF6C9090400
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 8_2_00007FF6C91ABC00	8_2_00007FF6C91ABC00
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 8_2_00007FF6C91ADBF8	8_2_00007FF6C91ADBF8
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 8_2_00007FF6C9188E64	8_2_00007FF6C9188E64
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 8_2_00007FF6C902AE40	8_2_00007FF6C902AE40
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 8_2_00007FF6C9183E44	8_2_00007FF6C9183E44
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 8_2_00007FF6C914EEE0	8_2_00007FF6C914EEE0
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 8_2_00007FF6C915AEC0	8_2_00007FF6C915AEC0
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 8_2_00007FF6C9059D50	8_2_00007FF6C9059D50
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 8_2_00007FF6C9187D6C	8_2_00007FF6C9187D6C
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 8_2_00007FF6C9021D60	8_2_00007FF6C9021D60
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 8_2_00007FF6C902CDD0	8_2_00007FF6C902CDD0
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 8_2_00007FF6C90225D0	8_2_00007FF6C90225D0
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 8_2_00007FF6C9184624	8_2_00007FF6C9184624
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 8_2_00007FF6C9157630	8_2_00007FF6C9157630
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 8_2_00007FF6C91800A0	8_2_00007FF6C91800A0
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 8_2_00007FF6C902B880	8_2_00007FF6C902B880
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 8_2_00007FF6C915B880	8_2_00007FF6C915B880
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 8_2_00007FF6C9184088	8_2_00007FF6C9184088
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 8_2_00007FF6C918F0C8	8_2_00007FF6C918F0C8
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 8_2_00007FF6C90238E0	8_2_00007FF6C90238E0
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 8_2_00007FF6C9021760	8_2_00007FF6C9021760
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 8_2_00007FF6C9159750	8_2_00007FF6C9159750
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 8_2_00007FF6C90B9780	8_2_00007FF6C90B9780
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 8_2_00007FF6C9023780	8_2_00007FF6C9023780
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 8_2_00007FF6C920FF90	8_2_00007FF6C920FF90
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 8_2_00007FF6C902A7A0	8_2_00007FF6C902A7A0
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 8_2_00007FF6C920EFD0	8_2_00007FF6C920EFD0
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 8_2_00007FF6C91A6FB8	8_2_00007FF6C91A6FB8
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 9_2_00007FF6C9183A3C	9_2_00007FF6C9183A3C
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 9_2_00007FF6C9147A90	9_2_00007FF6C9147A90
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 9_2_00007FF6C90232C0	9_2_00007FF6C90232C0
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 9_2_00007FF6C917FAF0	9_2_00007FF6C917FAF0
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 9_2_00007FF6C915B2F0	9_2_00007FF6C915B2F0
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 9_2_00007FF6C902BAF2	9_2_00007FF6C902BAF2
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 9_2_00007FF6C91AFAD4	9_2_00007FF6C91AFAD4
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 9_2_00007FF6C9149B30	9_2_00007FF6C9149B30
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 9_2_00007FF6C9144B00	9_2_00007FF6C9144B00
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 9_2_00007FF6C9187964	9_2_00007FF6C9187964
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 9_2_00007FF6C9188950	9_2_00007FF6C9188950
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 9_2_00007FF6C9025980	9_2_00007FF6C9025980
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 9_2_00007FF6C919E1E8	9_2_00007FF6C919E1E8
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 9_2_00007FF6C91B2230	9_2_00007FF6C91B2230
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 9_2_00007FF6C9210200	9_2_00007FF6C9210200
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 9_2_00007FF6C9183C40	9_2_00007FF6C9183C40
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 9_2_00007FF6C918BC7C	9_2_00007FF6C918BC7C
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 9_2_00007FF6C91A6CD0	9_2_00007FF6C91A6CD0
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 9_2_00007FF6C902A4E0	9_2_00007FF6C902A4E0
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 9_2_00007FF6C9023D10	9_2_00007FF6C9023D10
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 9_2_00007FF6C9189370	9_2_00007FF6C9189370
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 9_2_00007FF6C9096340	9_2_00007FF6C9096340
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 9_2_00007FF6C9187B68	9_2_00007FF6C9187B68
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 9_2_00007FF6C9023B70	9_2_00007FF6C9023B70
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 9_2_00007FF6C91A73B0	9_2_00007FF6C91A73B0
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 9_2_00007FF6C902CBA8	9_2_00007FF6C902CBA8
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 9_2_00007FF6C902BBC0	9_2_00007FF6C902BBC0
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 9_2_00007FF6C9090400	9_2_00007FF6C9090400
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 9_2_00007FF6C91ABC00	9_2_00007FF6C91ABC00
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 9_2_00007FF6C91ADBF8	9_2_00007FF6C91ADBF8
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 9_2_00007FF6C9188E64	9_2_00007FF6C9188E64
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 9_2_00007FF6C902AE40	9_2_00007FF6C902AE40
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 9_2_00007FF6C9183E44	9_2_00007FF6C9183E44
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 9_2_00007FF6C914EEE0	9_2_00007FF6C914EEE0
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 9_2_00007FF6C915AEC0	9_2_00007FF6C915AEC0
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 9_2_00007FF6C9059D50	9_2_00007FF6C9059D50
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 9_2_00007FF6C9187D6C	9_2_00007FF6C9187D6C
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 9_2_00007FF6C9021D60	9_2_00007FF6C9021D60
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 9_2_00007FF6C902CDD0	9_2_00007FF6C902CDD0
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 9_2_00007FF6C90225D0	9_2_00007FF6C90225D0
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 9_2_00007FF6C9184624	9_2_00007FF6C9184624
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 9_2_00007FF6C9157630	9_2_00007FF6C9157630
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 9_2_00007FF6C91800A0	9_2_00007FF6C91800A0
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 9_2_00007FF6C902B880	9_2_00007FF6C902B880
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 9_2_00007FF6C915B880	9_2_00007FF6C915B880
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 9_2_00007FF6C9184088	9_2_00007FF6C9184088
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 9_2_00007FF6C918F0C8	9_2_00007FF6C918F0C8
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 9_2_00007FF6C90238E0	9_2_00007FF6C90238E0
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 9_2_00007FF6C9021760	9_2_00007FF6C9021760
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 9_2_00007FF6C9159750	9_2_00007FF6C9159750
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 9_2_00007FF6C90B9780	9_2_00007FF6C90B9780
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 9_2_00007FF6C9023780	9_2_00007FF6C9023780
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 9_2_00007FF6C920FF90	9_2_00007FF6C920FF90
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 9_2_00007FF6C902A7A0	9_2_00007FF6C902A7A0
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 9_2_00007FF6C920EFD0	9_2_00007FF6C920EFD0
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 9_2_00007FF6C91A6FB8	9_2_00007FF6C91A6FB8
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 12_2_00007FF6C9183A3C	12_2_00007FF6C9183A3C
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 12_2_00007FF6C9147A90	12_2_00007FF6C9147A90
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 12_2_00007FF6C90232C0	12_2_00007FF6C90232C0
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 12_2_00007FF6C917FAF0	12_2_00007FF6C917FAF0
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 12_2_00007FF6C915B2F0	12_2_00007FF6C915B2F0
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 12_2_00007FF6C902BAF2	12_2_00007FF6C902BAF2
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 12_2_00007FF6C91AFAD4	12_2_00007FF6C91AFAD4
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 12_2_00007FF6C9149B30	12_2_00007FF6C9149B30
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 12_2_00007FF6C9144B00	12_2_00007FF6C9144B00
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 12_2_00007FF6C9187964	12_2_00007FF6C9187964
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 12_2_00007FF6C9188950	12_2_00007FF6C9188950
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 12_2_00007FF6C9025980	12_2_00007FF6C9025980
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 12_2_00007FF6C919E1E8	12_2_00007FF6C919E1E8
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 12_2_00007FF6C91B2230	12_2_00007FF6C91B2230
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 12_2_00007FF6C9210200	12_2_00007FF6C9210200
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 12_2_00007FF6C9183C40	12_2_00007FF6C9183C40
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 12_2_00007FF6C918BC7C	12_2_00007FF6C918BC7C
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 12_2_00007FF6C91A6CD0	12_2_00007FF6C91A6CD0
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 12_2_00007FF6C902A4E0	12_2_00007FF6C902A4E0
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 12_2_00007FF6C9023D10	12_2_00007FF6C9023D10
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 12_2_00007FF6C9189370	12_2_00007FF6C9189370
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 12_2_00007FF6C9096340	12_2_00007FF6C9096340
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 12_2_00007FF6C9187B68	12_2_00007FF6C9187B68
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 12_2_00007FF6C9023B70	12_2_00007FF6C9023B70
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 12_2_00007FF6C91A73B0	12_2_00007FF6C91A73B0
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 12_2_00007FF6C902CBA8	12_2_00007FF6C902CBA8
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 12_2_00007FF6C902BBC0	12_2_00007FF6C902BBC0
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 12_2_00007FF6C9090400	12_2_00007FF6C9090400
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 12_2_00007FF6C91ABC00	12_2_00007FF6C91ABC00
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 12_2_00007FF6C91ADBF8	12_2_00007FF6C91ADBF8
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 12_2_00007FF6C9188E64	12_2_00007FF6C9188E64
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 12_2_00007FF6C902AE40	12_2_00007FF6C902AE40
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 12_2_00007FF6C9183E44	12_2_00007FF6C9183E44
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 12_2_00007FF6C914EEE0	12_2_00007FF6C914EEE0
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 12_2_00007FF6C915AEC0	12_2_00007FF6C915AEC0
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 12_2_00007FF6C9059D50	12_2_00007FF6C9059D50
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 12_2_00007FF6C9187D6C	12_2_00007FF6C9187D6C
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 12_2_00007FF6C9021D60	12_2_00007FF6C9021D60
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 12_2_00007FF6C902CDD0	12_2_00007FF6C902CDD0
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 12_2_00007FF6C90225D0	12_2_00007FF6C90225D0
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 12_2_00007FF6C9184624	12_2_00007FF6C9184624
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 12_2_00007FF6C9157630	12_2_00007FF6C9157630
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 12_2_00007FF6C91800A0	12_2_00007FF6C91800A0
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 12_2_00007FF6C902B880	12_2_00007FF6C902B880
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 12_2_00007FF6C915B880	12_2_00007FF6C915B880
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 12_2_00007FF6C9184088	12_2_00007FF6C9184088
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 12_2_00007FF6C918F0C8	12_2_00007FF6C918F0C8
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 12_2_00007FF6C90238E0	12_2_00007FF6C90238E0
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 12_2_00007FF6C9021760	12_2_00007FF6C9021760
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 12_2_00007FF6C9159750	12_2_00007FF6C9159750
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 12_2_00007FF6C90B9780	12_2_00007FF6C90B9780
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 12_2_00007FF6C9023780	12_2_00007FF6C9023780
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 12_2_00007FF6C920FF90	12_2_00007FF6C920FF90
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 12_2_00007FF6C902A7A0	12_2_00007FF6C902A7A0
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 12_2_00007FF6C920EFD0	12_2_00007FF6C920EFD0
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 12_2_00007FF6C91A6FB8	12_2_00007FF6C91A6FB8
Source: C:\Windows\Installer\MSIBD59.tmp	Code function: 20_2_009B8393	20_2_009B8393
Source: C:\Windows\Installer\MSIBD59.tmp	Code function: 20_2_009B71A9	20_2_009B71A9
Source: C:\Windows\Installer\MSIBD59.tmp	Code function: 20_2_009C0150	20_2_009C0150
Source: C:\Windows\Installer\MSIBD59.tmp	Code function: 20_2_0098D400	20_2_0098D400
Source: C:\Windows\Installer\MSIBD59.tmp	Code function: 20_2_009AB570	20_2_009AB570
Source: C:\Windows\Installer\MSIBD59.tmp	Code function: 20_2_009B168D	20_2_009B168D
Source: C:\Windows\Installer\MSIBD59.tmp	Code function: 20_2_009BF7A4	20_2_009BF7A4
Source: C:\Windows\Installer\MSIBD59.tmp	Code function: 20_2_009B37DC	20_2_009B37DC
Source: C:\Windows\Installer\MSIBD59.tmp	Code function: 20_2_009B1ACC	20_2_009B1ACC
Source: C:\Windows\Installer\MSIBD59.tmp	Code function: 20_2_009C5A59	20_2_009C5A59
Source: C:\Windows\Installer\MSIBD59.tmp	Code function: 20_2_009B5B10	20_2_009B5B10
Source: C:\Windows\Installer\MSIBD59.tmp	Code function: 20_2_009B3B75	20_2_009B3B75
Source: C:\Windows\Installer\MSIBD59.tmp	Code function: 20_2_009A9CEC	20_2_009A9CEC
Source: C:\Windows\Installer\MSIBD59.tmp	Code function: 20_2_009BFDF0	20_2_009BFDF0
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Code function: 24_2_00007FF637D85FE0	24_2_00007FF637D85FE0
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Code function: 24_2_00007FF637D83760	24_2_00007FF637D83760
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Code function: 24_2_00007FF637DA05B0	24_2_00007FF637DA05B0
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Code function: 24_2_00007FF637CED9F0	24_2_00007FF637CED9F0
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Code function: 24_2_00007FF637D85970	24_2_00007FF637D85970
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Code function: 24_2_00007FF637EA112C	24_2_00007FF637EA112C
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Code function: 24_2_00007FF637E4F8E0	24_2_00007FF637E4F8E0
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Code function: 24_2_00007FF637E658D0	24_2_00007FF637E658D0
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Code function: 24_2_00007FF637CEF8E4	24_2_00007FF637CEF8E4
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Code function: 24_2_00007FF637E7E09C	24_2_00007FF637E7E09C
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Code function: 24_2_00007FF637DF4090	24_2_00007FF637DF4090
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Code function: 24_2_00007FF637E10080	24_2_00007FF637E10080
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Code function: 24_2_00007FF637D21890	24_2_00007FF637D21890
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Code function: 24_2_00007FF637EAA854	24_2_00007FF637EAA854
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Code function: 24_2_00007FF637E05800	24_2_00007FF637E05800
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Code function: 24_2_00007FF637CE67F0	24_2_00007FF637CE67F0
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Code function: 24_2_00007FF637E81FC4	24_2_00007FF637E81FC4
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Code function: 24_2_00007FF637E7B788	24_2_00007FF637E7B788
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Code function: 24_2_00007FF637D44790	24_2_00007FF637D44790
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Code function: 24_2_00007FF637E8AF7C	24_2_00007FF637E8AF7C
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Code function: 24_2_00007FF637E64F50	24_2_00007FF637E64F50
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Code function: 24_2_00007FF637CF4760	24_2_00007FF637CF4760
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Code function: 24_2_00007FF637CEF710	24_2_00007FF637CEF710
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Code function: 24_2_00007FF637E07F00	24_2_00007FF637E07F00
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Code function: 24_2_00007FF637E43700	24_2_00007FF637E43700
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Code function: 24_2_00007FF637E7A700	24_2_00007FF637E7A700
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Code function: 24_2_00007FF637E7E6E8	24_2_00007FF637E7E6E8
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Code function: 24_2_00007FF637E97EB8	24_2_00007FF637E97EB8
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Code function: 24_2_00007FF637E7DE98	24_2_00007FF637E7DE98
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Code function: 24_2_00007FF637E82E80	24_2_00007FF637E82E80
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Code function: 24_2_00007FF637E1DE20	24_2_00007FF637E1DE20
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Code function: 24_2_00007FF637EA5DEC	24_2_00007FF637EA5DEC
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Code function: 24_2_00007FF637EA7DD8	24_2_00007FF637EA7DD8
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Code function: 24_2_00007FF637E62590	24_2_00007FF637E62590
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Code function: 24_2_00007FF637D11560	24_2_00007FF637D11560
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Code function: 24_2_00007FF637DA2570	24_2_00007FF637DA2570
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Code function: 24_2_00007FF637CE2540	24_2_00007FF637CE2540
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Code function: 24_2_00007FF637EA0D34	24_2_00007FF637EA0D34
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Code function: 24_2_00007FF637E45D30	24_2_00007FF637E45D30
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Code function: 24_2_00007FF637E1E530	24_2_00007FF637E1E530
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Code function: 24_2_00007FF637E60D30	24_2_00007FF637E60D30
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Code function: 24_2_00007FF637E5FCC0	24_2_00007FF637E5FCC0
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Code function: 24_2_00007FF637E7E4A4	24_2_00007FF637E7E4A4
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Code function: 24_2_00007FF637E7DC94	24_2_00007FF637E7DC94
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Code function: 24_2_00007FF637E7EC84	24_2_00007FF637E7EC84
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Code function: 24_2_00007FF637DA1470	24_2_00007FF637DA1470
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Code function: 24_2_00007FF637E893E0	24_2_00007FF637E893E0
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Code function: 24_2_00007FF637E823CC	24_2_00007FF637E823CC
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Code function: 24_2_00007FF637EB1BB0	24_2_00007FF637EB1BB0
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Code function: 24_2_00007FF637DAF360	24_2_00007FF637DAF360
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Code function: 24_2_00007FF637E32B40	24_2_00007FF637E32B40
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Code function: 24_2_00007FF637E7E2A0	24_2_00007FF637E7E2A0
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Code function: 24_2_00007FF637E7DA90	24_2_00007FF637E7DA90
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Code function: 24_2_00007FF637CECA50	24_2_00007FF637CECA50
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Code function: 24_2_00007FF637D72240	24_2_00007FF637D72240
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Code function: 24_2_00007FF637D56A40	24_2_00007FF637D56A40
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Code function: 24_2_00007FF637EA0A4C	24_2_00007FF637EA0A4C
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Code function: 24_2_00007FF637E2A210	24_2_00007FF637E2A210
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Code function: 24_2_00007FF637CFFA20	24_2_00007FF637CFFA20
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Code function: 24_2_00007FF637E7B1F0	24_2_00007FF637E7B1F0
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Code function: 24_2_00007FF637D1F1F0	24_2_00007FF637D1F1F0
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Code function: 24_2_00007FF637E821C8	24_2_00007FF637E821C8
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Code function: 24_2_00007FF637EAD1B0	24_2_00007FF637EAD1B0
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Code function: 24_2_00007FF637E109A0	24_2_00007FF637E109A0
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Code function: 24_2_00007FF637E7A150	24_2_00007FF637E7A150
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Code function: 24_2_00007FF637D13950	24_2_00007FF637D13950

Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: String function: 00007FF6C91A5880 appears 69 times
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: String function: 00007FF6C9143610 appears 48 times
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: String function: 00007FF6C91B9EA0 appears 39 times
Source: C:\Windows\Installer\MSIBD59.tmp	Code function: String function: 009AA06F appears 72 times
Source: C:\Windows\Installer\MSIBD59.tmp	Code function: String function: 009AA400 appears 40 times
Source: C:\Windows\Installer\MSIBD59.tmp	Code function: String function: 009AA03C appears 103 times

Source: onestart_installer.exe.part.6.dr	Static PE information: Resource name: B7 type: 7-zip archive data, version 0.4
Source: onestart_installer.exe.part.6.dr	Static PE information: Resource name: BL type: Microsoft Cabinet archive data, Windows 2000/XP setup, 1601999 bytes, 1 file, at 0x2c "setup.exe", number 1, 102 datablocks, 0x1 compression
Source: setup.exe.7.dr	Static PE information: Resource name: RT_STRING type: DOS executable (COM, 0x8C-variant)

Source: widevinecdm.dll.15.dr	Static PE information: Number of sections : 13 > 10
Source: setup.exe.7.dr	Static PE information: Number of sections : 12 > 10
Source: chrome.dll.8.dr	Static PE information: Number of sections : 15 > 10

Source: explorer.exe, 00000021.00000000.17618670047.000000000DA12000.00000004.00000001.00020000.00000000.sdmp

Binary or memory string: ;.VBp

Source: classification engine

Classification label: mal52.spyw.evad.winMSI@82/312@0/17

Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe

Code function: 8_2_00007FF6C91F20F0 FormatMessageW,LocalFree,GetLastError,

8_2_00007FF6C91F20F0

Source: C:\Windows\Installer\MSIBD59.tmp

Code function: 20_2_009862B0 CreateToolhelp32Snapshot,CloseHandle,Process32FirstW,OpenProcess,CloseHandle,Process32NextW,CloseHandle,

20_2_009862B0

Source: C:\Windows\Installer\MSIBD59.tmp

Code function: 20_2_00986FE0 CoInitialize,CoCreateInstance,VariantInit,IUnknown_QueryService,IUnknown_QueryInterface_Proxy,IUnknown_QueryInterface_Proxy,CoAllowSetForegroundWindow,SysAllocString,SysAllocString,SysAllocString,VariantInit,LocalFree,OpenProcess,WaitForSingleObject,GetExitCodeProcess,CloseHandle,LocalFree,VariantClear,VariantClear,VariantClear,VariantClear,SysFreeString,VariantClear,CoUninitialize,

20_2_00986FE0

Source: C:\Windows\Installer\MSIBD59.tmp

Code function: 20_2_00981D80 LoadResource,LockResource,SizeofResource,

20_2_00981D80

Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe

File created: C:\Program Files\chromium_installer.log

Jump to behavior

Source: C:\Windows\System32\msiexec.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Installer

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7712:120:WilError_03
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6416:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6416:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5920:304:WilStaging_02
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ChromeSetupExitEventMutex_6568215876866717414
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7712:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5920:120:WilError_03
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ChromeSetupMutex_6568215876866717414

Source: C:\Windows\System32\msiexec.exe

File created: C:\Users\user\AppData\Local\Temp\MSIE62D.tmp

Jump to behavior

Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\msiexec.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: onestart.exe, 0000000F.00000003.17562000325.00003BBC00B30000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE plus_addresses (profile_id VARCHAR PRIMARY KEY, facet VARCHAR, plus_address VARCHAR);
Source: onestart.exe, 0000000F.00000003.17574633944.00003BBC00938000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: setup.exe	String found in binary or memory: .jChromiumista ei voi asentaa versiota, joka on tll hetkell kynniss. Sulje Chromium ja yrit uudelleen.sHindi ma-install ang
Source: setup.exe	String found in binary or memory: mn virheen vuoksi. Lataa Chromium uudelleen.`Nabigo ang pag-install dahil sa hindi natukoy na error. Mangyaring i-download muli a
Source: setup.exe	String found in binary or memory: Jy het nie die gepaste regte vir stelselvlak-installering nie. Probeer om die installeerder weer te laat loop as Administrateur.>
Source: setup.exe	String found in binary or memory: jrjestelmvirhe. Lataa Chromium uudelleen.lMay naganap na error sa operating system sa panahon ng pag-install. Mangyaring i-downl
Source: setup.exe	String found in binary or memory: <Chromium on jo asennettuna kaikille tietokoneen kyttjille.ENaka-install na ang Chromium para sa lahat ng user sa iyong computer
Source: setup.exe	String found in binary or memory: Wala kang naaangkop na mga karapatan para sa pag-install sa antas ng system. Subukan muling patakbuhin ang installer bilang Admini
Source: setup.exe	String found in binary or memory: .jChromiumista ei voi asentaa versiota, joka on tll hetkell kynniss. Sulje Chromium ja yrit uudelleen.sHindi ma-install ang
Source: setup.exe	String found in binary or memory: mn virheen vuoksi. Lataa Chromium uudelleen.`Nabigo ang pag-install dahil sa hindi natukoy na error. Mangyaring i-download muli a
Source: setup.exe	String found in binary or memory: Jy het nie die gepaste regte vir stelselvlak-installering nie. Probeer om die installeerder weer te laat loop as Administrateur.>
Source: setup.exe	String found in binary or memory: jrjestelmvirhe. Lataa Chromium uudelleen.lMay naganap na error sa operating system sa panahon ng pag-install. Mangyaring i-downl
Source: setup.exe	String found in binary or memory: <Chromium on jo asennettuna kaikille tietokoneen kyttjille.ENaka-install na ang Chromium para sa lahat ng user sa iyong computer
Source: setup.exe	String found in binary or memory: Wala kang naaangkop na mga karapatan para sa pag-install sa antas ng system. Subukan muling patakbuhin ang installer bilang Admini
Source: setup.exe	String found in binary or memory: .jChromiumista ei voi asentaa versiota, joka on tll hetkell kynniss. Sulje Chromium ja yrit uudelleen.sHindi ma-install ang
Source: setup.exe	String found in binary or memory: mn virheen vuoksi. Lataa Chromium uudelleen.`Nabigo ang pag-install dahil sa hindi natukoy na error. Mangyaring i-download muli a
Source: setup.exe	String found in binary or memory: Jy het nie die gepaste regte vir stelselvlak-installering nie. Probeer om die installeerder weer te laat loop as Administrateur.>
Source: setup.exe	String found in binary or memory: jrjestelmvirhe. Lataa Chromium uudelleen.lMay naganap na error sa operating system sa panahon ng pag-install. Mangyaring i-downl
Source: setup.exe	String found in binary or memory: <Chromium on jo asennettuna kaikille tietokoneen kyttjille.ENaka-install na ang Chromium para sa lahat ng user sa iyong computer
Source: setup.exe	String found in binary or memory: Wala kang naaangkop na mga karapatan para sa pag-install sa antas ng system. Subukan muling patakbuhin ang installer bilang Admini

Source: unknown	Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\pdfguruhub.msi"
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding C3CA336A363785E4E24BD9D249C0F3D4 C
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 692043C63919A00C951313FE0ECB70AA
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\onestart_installer.exe "C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\onestart_installer.exe" "install" "15" "2" "1" "1"
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\onestart_installer.exe	Process created: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe "C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe" --install-archive="C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\ONESTART.PACKED.7Z" "install" "15" "2" "1" "1"
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Process created: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe "C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=OneStart --annotation=ver=128.0.6613.124 --initial-client-data=0x25c,0x260,0x264,0x238,0x268,0x7ff6c92f6a70,0x7ff6c92f6a7c,0x7ff6c92f6a88
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\128.0.6613.120\notification_helper.exe "C:\Program Files\Google\Chrome\Application\128.0.6613.120\notification_helper.exe" -Embedding
Source: C:\Program Files\Google\Chrome\Application\128.0.6613.120\notification_helper.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\user\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\user\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\user\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=128.0.6613.120 --initial-client-data=0x1c0,0x1c4,0x1c8,0x19c,0x1cc,0x7ff67c59e638,0x7ff67c59e644,0x7ff67c59e650
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Process created: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe "C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe" --verbose-logging --create-shortcuts=0 --install-level=0
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Process created: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe "C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=OneStart --annotation=ver=128.0.6613.124 --initial-client-data=0x25c,0x260,0x264,0x238,0x268,0x7ff6c92f6a70,0x7ff6c92f6a7c,0x7ff6c92f6a88
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Process created: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe "C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe" --from-installer
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Process created: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe --type=crashpad-handler "--user-data-dir=C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data" /prefetch:4 --monitor-self --monitor-self-argument=--type=crashpad-handler "--monitor-self-argument=--user-data-dir=C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data" --monitor-self-argument=/prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=OneStart --annotation=ver=128.0.6613.124 --initial-client-data=0xf0,0xf4,0xf8,0xcc,0xfc,0x7ff871a45c28,0x7ff871a45c34,0x7ff871a45c40
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Process created: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe --type=crashpad-handler "--user-data-dir=C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data" /prefetch:4 --no-periodic-tasks --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=OneStart --annotation=ver=128.0.6613.124 --initial-client-data=0x160,0x164,0x168,0x134,0x170,0x7ff637fa1ef8,0x7ff637fa1f04,0x7ff637fa1f10
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Process created: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe "C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe" --type=gpu-process --start-stack-profiler --gpu-preferences=UAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1964,i,18227219205394913117,15046175457726889787,262144 --variations-seed-version --mojo-platform-channel-handle=1960 /prefetch:2
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Process created: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe "C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --start-stack-profiler --field-trial-handle=2156,i,18227219205394913117,15046175457726889787,262144 --variations-seed-version --mojo-platform-channel-handle=2196 /prefetch:3
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\Installer\MSIBD59.tmp "C:\Windows\Installer\MSIBD59.tmp" /HideWindow cmd.exe /c "rmdir /s /q "C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\""
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Process created: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe "C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --field-trial-handle=2372,i,18227219205394913117,15046175457726889787,262144 --variations-seed-version --mojo-platform-channel-handle=2340 /prefetch:8
Source: unknown	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c "rmdir /s /q "C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\""
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Process created: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe "C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe" --type=utility --utility-sub-type=chrome.mojom.ProfileImport --lang=en-US --service-sandbox-type=none --field-trial-handle=3736,i,18227219205394913117,15046175457726889787,262144 --variations-seed-version --mojo-platform-channel-handle=3748 /prefetch:8
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd.exe /C "START /MIN /D "C:\Windows\system32\config\systemprofile\AppData\Local\OneStart.ai\OneStart\Application" onestart.exe --existing-window"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c ""%LOCALAPPDATA%\OneStart.ai\OneStart\Application\onestart.exe" --update"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe "C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe" --update
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe "C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe" --existing-window
Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\SysWOW64\cmd.exe" /c
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Process created: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe --type=crashpad-handler "--user-data-dir=C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=OneStart --annotation=ver=128.0.6613.124 --initial-client-data=0xf0,0xf4,0xf8,0xcc,0xfc,0x7ff871a45c28,0x7ff871a45c34,0x7ff871a45c40
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Process created: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe "C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe" --type=renderer --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --time-ticks-at-unix-epoch=-1731434441047775 --launch-time-ticks=1758530130 --field-trial-handle=4236,i,18227219205394913117,15046175457726889787,262144 --variations-seed-version --mojo-platform-channel-handle=4244 /prefetch:1
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Process created: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe "C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe" --type=renderer --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --time-ticks-at-unix-epoch=-1731434441047775 --launch-time-ticks=1758989874 --field-trial-handle=4276,i,18227219205394913117,15046175457726889787,262144 --variations-seed-version --mojo-platform-channel-handle=4500 /prefetch:1
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Process created: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe "C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=4484,i,18227219205394913117,15046175457726889787,262144 --variations-seed-version --mojo-platform-channel-handle=4216 /prefetch:8
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Process created: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe "C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=4804,i,18227219205394913117,15046175457726889787,262144 --variations-seed-version --mojo-platform-channel-handle=4988 /prefetch:8
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Process created: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe "C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe" --type=renderer --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --time-ticks-at-unix-epoch=-1731434441047775 --launch-time-ticks=1763197266 --field-trial-handle=5260,i,18227219205394913117,15046175457726889787,262144 --variations-seed-version --mojo-platform-channel-handle=3724 /prefetch:1
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Process created: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe "C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=5268,i,18227219205394913117,15046175457726889787,262144 --variations-seed-version --mojo-platform-channel-handle=5256 /prefetch:8
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Process created: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe "C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --field-trial-handle=5000,i,18227219205394913117,15046175457726889787,262144 --variations-seed-version --mojo-platform-channel-handle=5552 /prefetch:8
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Process created: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe "C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=5248,i,18227219205394913117,15046175457726889787,262144 --variations-seed-version --mojo-platform-channel-handle=5296 /prefetch:8
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Process created: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe "C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=5712,i,18227219205394913117,15046175457726889787,262144 --variations-seed-version --mojo-platform-channel-handle=5616 /prefetch:8
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Process created: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe "C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=4460,i,18227219205394913117,15046175457726889787,262144 --variations-seed-version --mojo-platform-channel-handle=5544 /prefetch:8
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Process created: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe "C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=5576,i,18227219205394913117,15046175457726889787,262144 --variations-seed-version --mojo-platform-channel-handle=5304 /prefetch:8
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding C3CA336A363785E4E24BD9D249C0F3D4 C	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 692043C63919A00C951313FE0ECB70AA	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\onestart_installer.exe "C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\onestart_installer.exe" "install" "15" "2" "1" "1"	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\Installer\MSIBD59.tmp "C:\Windows\Installer\MSIBD59.tmp" /HideWindow cmd.exe /c "rmdir /s /q "C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\""	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\onestart_installer.exe	Process created: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe "C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe" --install-archive="C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\ONESTART.PACKED.7Z" "install" "15" "2" "1" "1"	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Process created: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe "C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=OneStart --annotation=ver=128.0.6613.124 --initial-client-data=0x25c,0x260,0x264,0x238,0x268,0x7ff6c92f6a70,0x7ff6c92f6a7c,0x7ff6c92f6a88	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Process created: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe "C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe" --verbose-logging --create-shortcuts=0 --install-level=0	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Process created: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe "C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe" --from-installer	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\128.0.6613.120\notification_helper.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\user\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\user\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\user\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=128.0.6613.120 --initial-client-data=0x1c0,0x1c4,0x1c8,0x19c,0x1cc,0x7ff67c59e638,0x7ff67c59e644,0x7ff67c59e650	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Process created: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe "C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=OneStart --annotation=ver=128.0.6613.124 --initial-client-data=0x25c,0x260,0x264,0x238,0x268,0x7ff6c92f6a70,0x7ff6c92f6a7c,0x7ff6c92f6a88	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Process created: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe --type=crashpad-handler "--user-data-dir=C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data" /prefetch:4 --monitor-self --monitor-self-argument=--type=crashpad-handler "--monitor-self-argument=--user-data-dir=C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data" --monitor-self-argument=/prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=OneStart --annotation=ver=128.0.6613.124 --initial-client-data=0xf0,0xf4,0xf8,0xcc,0xfc,0x7ff871a45c28,0x7ff871a45c34,0x7ff871a45c40	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Process created: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe "C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe" --type=gpu-process --start-stack-profiler --gpu-preferences=UAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1964,i,18227219205394913117,15046175457726889787,262144 --variations-seed-version --mojo-platform-channel-handle=1960 /prefetch:2	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Process created: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe "C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --start-stack-profiler --field-trial-handle=2156,i,18227219205394913117,15046175457726889787,262144 --variations-seed-version --mojo-platform-channel-handle=2196 /prefetch:3	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Process created: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe "C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --field-trial-handle=2372,i,18227219205394913117,15046175457726889787,262144 --variations-seed-version --mojo-platform-channel-handle=2340 /prefetch:8	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Process created: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe "C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe" --type=utility --utility-sub-type=chrome.mojom.ProfileImport --lang=en-US --service-sandbox-type=none --field-trial-handle=3736,i,18227219205394913117,15046175457726889787,262144 --variations-seed-version --mojo-platform-channel-handle=3748 /prefetch:8	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c ""%LOCALAPPDATA%\OneStart.ai\OneStart\Application\onestart.exe" --update"	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Process created: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe "C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe" --type=renderer --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --time-ticks-at-unix-epoch=-1731434441047775 --launch-time-ticks=1758530130 --field-trial-handle=4236,i,18227219205394913117,15046175457726889787,262144 --variations-seed-version --mojo-platform-channel-handle=4244 /prefetch:1	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Process created: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe "C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe" --type=renderer --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --time-ticks-at-unix-epoch=-1731434441047775 --launch-time-ticks=1758989874 --field-trial-handle=4276,i,18227219205394913117,15046175457726889787,262144 --variations-seed-version --mojo-platform-channel-handle=4500 /prefetch:1	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Process created: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe "C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=4484,i,18227219205394913117,15046175457726889787,262144 --variations-seed-version --mojo-platform-channel-handle=4216 /prefetch:8	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Process created: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe "C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=4804,i,18227219205394913117,15046175457726889787,262144 --variations-seed-version --mojo-platform-channel-handle=4988 /prefetch:8	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Process created: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe "C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe" --type=renderer --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --time-ticks-at-unix-epoch=-1731434441047775 --launch-time-ticks=1763197266 --field-trial-handle=5260,i,18227219205394913117,15046175457726889787,262144 --variations-seed-version --mojo-platform-channel-handle=3724 /prefetch:1	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Process created: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe "C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=5268,i,18227219205394913117,15046175457726889787,262144 --variations-seed-version --mojo-platform-channel-handle=5256 /prefetch:8	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Process created: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe "C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --field-trial-handle=5000,i,18227219205394913117,15046175457726889787,262144 --variations-seed-version --mojo-platform-channel-handle=5552 /prefetch:8	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Process created: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe "C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=5248,i,18227219205394913117,15046175457726889787,262144 --variations-seed-version --mojo-platform-channel-handle=5296 /prefetch:8	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Process created: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe "C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=5712,i,18227219205394913117,15046175457726889787,262144 --variations-seed-version --mojo-platform-channel-handle=5616 /prefetch:8	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Process created: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe "C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=4460,i,18227219205394913117,15046175457726889787,262144 --variations-seed-version --mojo-platform-channel-handle=5544 /prefetch:8	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Process created: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe "C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=5576,i,18227219205394913117,15046175457726889787,262144 --variations-seed-version --mojo-platform-channel-handle=5304 /prefetch:8	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Process created: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe --type=crashpad-handler "--user-data-dir=C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data" /prefetch:4 --no-periodic-tasks --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=OneStart --annotation=ver=128.0.6613.124 --initial-client-data=0x160,0x164,0x168,0x134,0x170,0x7ff637fa1ef8,0x7ff637fa1f04,0x7ff637fa1f10
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe "C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe" --existing-window
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe "C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe" --update
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Process created: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe --type=crashpad-handler "--user-data-dir=C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=OneStart --annotation=ver=128.0.6613.124 --initial-client-data=0xf0,0xf4,0xf8,0xcc,0xfc,0x7ff871a45c28,0x7ff871a45c34,0x7ff871a45c40
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown

Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msihnd.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srclient.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: spp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msxml3.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vss_ps.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.ui.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windowmanagementapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: inputhost.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.ui.immersive.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netprofm.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: npmproxy.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.ui.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windowmanagementapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: inputhost.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.ui.immersive.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\onestart_installer.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\onestart_installer.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\onestart_installer.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\onestart_installer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\onestart_installer.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\onestart_installer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\onestart_installer.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\onestart_installer.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\onestart_installer.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\onestart_installer.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\onestart_installer.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\onestart_installer.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\onestart_installer.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\onestart_installer.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\onestart_installer.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\onestart_installer.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\onestart_installer.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\onestart_installer.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\onestart_installer.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\onestart_installer.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\onestart_installer.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\onestart_installer.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\onestart_installer.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\onestart_installer.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\onestart_installer.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\onestart_installer.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Section loaded: fwpolicyiomgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\128.0.6613.120\notification_helper.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\128.0.6613.120\notification_helper.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\128.0.6613.120\notification_helper.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\128.0.6613.120\notification_helper.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\128.0.6613.120\notification_helper.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Section loaded: kbdus.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Section loaded: dsreg.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Section loaded: twinapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Section loaded: windows.ui.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Section loaded: windowmanagementapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Section loaded: inputhost.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Section loaded: mdmregistration.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Section loaded: mdmregistration.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Section loaded: mscms.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Section loaded: coloradapterclient.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Section loaded: mmdevapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Section loaded: omadmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Section loaded: dmcmnutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Section loaded: iri.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Section loaded: wpnapps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Section loaded: usermgrcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Section loaded: wlanapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Section loaded: windows.media.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Section loaded: atlthunk.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Section loaded: directmanipulation.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Section loaded: netprofm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Section loaded: npmproxy.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Section loaded: cryptowinrt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Section loaded: cryptngc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Section loaded: pcpksp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Section loaded: ngcksp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Section loaded: tbs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Section loaded: ncryptprov.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Section loaded: bitsproxy.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Section loaded: edgegdi.dll
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Section loaded: edgegdi.dll
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Section loaded: edgegdi.dll
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Section loaded: dxcore.dll
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Section loaded: dxgi.dll
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Section loaded: mf.dll
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Section loaded: mfplat.dll
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Section loaded: rtworkq.dll
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Section loaded: d3d11.dll
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Section loaded: dcomp.dll
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Section loaded: dxcore.dll
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Section loaded: edgegdi.dll
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Section loaded: netprofm.dll
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Section loaded: npmproxy.dll

Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2B3C97F-6AE1-41AC-817A-F6F92166D7DD}\InprocServer32

Jump to behavior

Source: OneStart.lnk.12.dr	LNK file: ..\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
Source: OneStart.lnk0.12.dr	LNK file: ..\..\..\..\Local\OneStart.ai\OneStart\Application\onestart.exe
Source: OneStart.lnk1.12.dr	LNK file: ..\..\..\..\..\Local\OneStart.ai\OneStart\Application\onestart.exe

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Office\16.0\Outlook\Capabilities\UrlAssociations

Jump to behavior

Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Directory created: C:\Program Files\chromium_installer.log	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Directory created: C:\Program Files\scoped_dir8756_2073239630	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Directory created: C:\Program Files\chrome_url_fetcher_8756_1964319343	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Directory created: C:\Program Files\chrome_url_fetcher_8756_811520105	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Directory created: C:\Program Files\chrome_url_fetcher_8756_811520105\oimompecagnajdejgnnjijobebaeigek_4.10.2830.0_win64_dldxogwi36sxwpr57ta4lg57z4.crx3	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Directory created: C:\Program Files\chrome_Unpacker_BeginUnzipping8756_1450361068	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Directory created: C:\Program Files\chrome_Unpacker_BeginUnzipping8756_1450361068\_platform_specific\	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Directory created: C:\Program Files\chrome_Unpacker_BeginUnzipping8756_1450361068\_platform_specific\win_x64\	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Directory created: C:\Program Files\chrome_Unpacker_BeginUnzipping8756_1450361068\_platform_specific\win_x64\widevinecdm.dll.sig	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Directory created: C:\Program Files\chrome_Unpacker_BeginUnzipping8756_1450361068\_platform_specific\win_x64\widevinecdm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Directory created: C:\Program Files\chrome_Unpacker_BeginUnzipping8756_1450361068\LICENSE	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Directory created: C:\Program Files\chrome_Unpacker_BeginUnzipping8756_1450361068\manifest.json	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Directory created: C:\Program Files\chrome_Unpacker_BeginUnzipping8756_1450361068\_metadata\	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Directory created: C:\Program Files\chrome_Unpacker_BeginUnzipping8756_1450361068\_metadata\verified_contents.json	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Directory created: C:\Program Files\chrome_Unpacker_BeginUnzipping8756_1450361068\manifest.fingerprint	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Directory created: C:\Program Files\scoped_dir8756_234605702	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Directory created: C:\Program Files\chrome_BITS_8756_835338025	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Directory created: C:\Program Files\scoped_dir3236_1079717512
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Directory created: C:\Program Files\scoped_dir3236_1079717512\History
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Directory created: C:\Program Files\scoped_dir3236_1079717512\Favicons

Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe

Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\OneStart.ai OneStart

Jump to behavior

Source: pdfguruhub.msi

Static file information: File size 4000768 > 1048576

Source:	Binary string: .pdb> source: onestart.exe, 0000001D.00000002.17597063172.00003EC800048000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: .pdbb> source: onestart.exe, 0000001D.00000002.17597063172.00003EC800048000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Documents\chromium-browser-scripts\src\out\Release\chrome_proxy.exe.pdb source: setup.exe, 00000008.00000003.17528167852.000002A1DE87A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\viewer.pdbD source: MSIBD59.tmp, 00000014.00000002.17563763650.00000000009CF000.00000002.00000001.01000000.00000010.sdmp, MSIBD59.tmp, 00000014.00000000.17552715363.00000000009CF000.00000002.00000001.01000000.00000010.sdmp
Source:	Binary string: C:\Users\user\Documents\chromium-browser-scripts\src\out\Release\chrome_elf.dll.pdb source: onestart.exe, 0000001C.00000002.17608870967.00007FF871A05000.00000002.00000001.01000000.00000008.sdmp
Source:	Binary string: >hrome.dll.pdb> source: onestart.exe, 0000001D.00000002.17597805148.00003EC800070000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ti.pdbbndow> source: onestart.exe, 0000001D.00000002.17598235094.00003EC800090000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdb source: onestart.exe, 0000001D.00000002.17599143294.00003EC8000CC000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: se.pdb> source: onestart.exe, 0000001D.00000002.17597063172.00003EC800048000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Documents\chromium-browser-scripts\src\out\Release\mini_installer.exe.pdb source: onestart_installer.exe, 00000007.00000000.17174527736.00007FF6A92E8000.00000002.00000001.01000000.00000004.sdmp, onestart_installer.exe, 00000007.00000002.17538917328.00007FF6A92E8000.00000002.00000001.01000000.00000004.sdmp
Source:	Binary string: xe.pdb> source: onestart.exe, 0000001D.00000002.17597063172.00003EC800048000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Documents\chromium-browser-scripts\src\out\Release\setup.exe.pdb source: setup.exe, 00000008.00000000.17262676737.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmp, setup.exe, 00000008.00000002.17533880137.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmp, setup.exe, 00000009.00000002.17536290510.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmp, setup.exe, 00000009.00000000.17263931920.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmp, setup.exe, 0000000C.00000002.17527361484.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmp, setup.exe, 0000000C.00000000.17520130297.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmp, setup.exe, 0000000D.00000002.17529835252.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmp, setup.exe, 0000000D.00000000.17521585969.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmp
Source:	Binary string: ll.pdb> source: onestart.exe, 0000001D.00000002.17597063172.00003EC800048000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Documents\chromium-browser-scripts\src\out\Release\initialexe\chrome.exe.pdb source: setup.exe, 00000008.00000003.17513855538.000002A1DE824000.00000004.00000020.00020000.00000000.sdmp, onestart.exe, 0000000F.00000000.17529224837.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp, onestart.exe, 00000010.00000000.17530866871.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp, onestart.exe, 00000011.00000000.17532602492.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp, onestart.exe, 00000012.00000000.17545701873.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp, onestart.exe, 00000013.00000000.17550906960.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp, onestart.exe, 00000015.00000000.17557027141.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp, onestart.exe, 00000018.00000000.17565578072.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp, onestart.exe, 00000018.00000002.17584352488.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp, onestart.exe, 0000001C.00000000.17579086367.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp, onestart.exe, 0000001C.00000002.17606273532.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp, onestart.exe, 0000001D.00000002.17602603849.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp, onestart.exe, 0000001D.00000000.17580243797.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp, onestart.exe, 0000001F.00000000.17585188024.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp, onestart.exe, 00000022.00000000.17587103109.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp, onestart.exe, 00000023.00000000.17593602021.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp, onestart.exe, 00000024.00000002.17630340443.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp, onestart.exe, 00000024.00000000.17599688606.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp
Source:	Binary string: ome.dll.pdb source: onestart.exe, 0000001D.00000002.17597805148.00003EC800070000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\viewer.pdb source: MSIBD59.tmp, 00000014.00000002.17563763650.00000000009CF000.00000002.00000001.01000000.00000010.sdmp, MSIBD59.tmp, 00000014.00000000.17552715363.00000000009CF000.00000002.00000001.01000000.00000010.sdmp

Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe

Code function: 8_2_00007FF6C9157630 LoadLibraryW,GetProcAddress,

8_2_00007FF6C9157630

Source: MSIC904.tmp.0.dr	Static PE information: section name: .fptable
Source: MSICA1F.tmp.0.dr	Static PE information: section name: .fptable
Source: MSIE62D.tmp.0.dr	Static PE information: section name: .fptable
Source: MSIE6AB.tmp.0.dr	Static PE information: section name: .fptable
Source: MSIE719.tmp.0.dr	Static PE information: section name: .fptable
Source: MSIE768.tmp.0.dr	Static PE information: section name: .fptable
Source: MSIE7C7.tmp.0.dr	Static PE information: section name: .fptable
Source: MSIE816.tmp.0.dr	Static PE information: section name: .fptable
Source: MSIE875.tmp.0.dr	Static PE information: section name: .fptable
Source: MSIE8C4.tmp.0.dr	Static PE information: section name: .fptable
Source: MSIE913.tmp.0.dr	Static PE information: section name: .fptable
Source: MSIF540.tmp.1.dr	Static PE information: section name: .fptable
Source: MSIF5AF.tmp.1.dr	Static PE information: section name: .fptable
Source: MSIF5EE.tmp.1.dr	Static PE information: section name: .fptable
Source: MSIF6BB.tmp.1.dr	Static PE information: section name: .fptable
Source: MSIF7A7.tmp.1.dr	Static PE information: section name: .fptable
Source: MSIBD59.tmp.1.dr	Static PE information: section name: .fptable
Source: onestart_installer.exe.part.6.dr	Static PE information: section name: .gxfg
Source: onestart_installer.exe.part.6.dr	Static PE information: section name: .retplne
Source: onestart_installer.exe.part.6.dr	Static PE information: section name: _RDATA
Source: setup.exe.7.dr	Static PE information: section name: .gxfg
Source: setup.exe.7.dr	Static PE information: section name: .retplne
Source: setup.exe.7.dr	Static PE information: section name: CPADinfo
Source: setup.exe.7.dr	Static PE information: section name: LZMADEC
Source: setup.exe.7.dr	Static PE information: section name: _RDATA
Source: chrome.dll.8.dr	Static PE information: section name: .gxfg
Source: chrome.dll.8.dr	Static PE information: section name: .retplne
Source: chrome.dll.8.dr	Static PE information: section name: .rodata
Source: chrome.dll.8.dr	Static PE information: section name: CPADinfo
Source: chrome.dll.8.dr	Static PE information: section name: LZMADEC
Source: chrome.dll.8.dr	Static PE information: section name: _RDATA
Source: chrome.dll.8.dr	Static PE information: section name: malloc_h
Source: chrome.dll.8.dr	Static PE information: section name: prot
Source: widevinecdm.dll.15.dr	Static PE information: section name: .00cfg
Source: widevinecdm.dll.15.dr	Static PE information: section name: .gxfg
Source: widevinecdm.dll.15.dr	Static PE information: section name: .retplne
Source: widevinecdm.dll.15.dr	Static PE information: section name: .rodata
Source: widevinecdm.dll.15.dr	Static PE information: section name: _RDATA
Source: widevinecdm.dll.15.dr	Static PE information: section name: malloc_h

Source: C:\Windows\Installer\MSIBD59.tmp	Code function: 20_2_009AA019 push ecx; ret		20_2_009AA02C
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Code function: 24_2_00007FF637CE8693 push rbx; ret		24_2_00007FF637CE8696

Persistence and Installation Behavior

Drops executables to the windows directory (C:\Windows) and starts them

Source: C:\Windows\System32\msiexec.exe

Executable created and started: C:\Windows\Installer\MSIBD59.tmp

Jump to behavior

Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\MSIE6AB.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\onestart_installer.exe	File created: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\MSIE8C4.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\MSIC904.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\MSIE7C7.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\onestart_installer.exe (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\MSIE875.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	File created: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Temp\source8412_1839449235\onestart-bin\128.0.6613.124\chrome.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIF540.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIF7A7.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\MSIE816.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIF5EE.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\MSIE719.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\MSIE768.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\MSIE913.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	File created: C:\Program Files\chrome_Unpacker_BeginUnzipping8756_1450361068\_platform_specific\win_x64\widevinecdm.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\MSIE62D.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\onestart_installer.exe.part	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIF5AF.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIBD59.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\MSICA1F.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	File created: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\chrome_proxy.exe (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIF6BB.tmp	Jump to dropped file

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIF540.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIF7A7.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIF5EE.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIF5AF.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIBD59.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIF6BB.tmp	Jump to dropped file

Source: C:\Windows\SysWOW64\msiexec.exe

File created: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\onestart_installer.exe.part

Jump to dropped file

Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe

File created: C:\Program Files\chromium_installer.log

Jump to behavior

Boot Survival

Creates multiple autostart registry keys

Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run OneStartChromium	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run OneStartUpdate	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run OneStartAutoLaunch_B4891BEF8823FC13D1A3C1E0C5B71E0B	Jump to behavior

Source: C:\Windows\System32\msiexec.exe

Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore

Jump to behavior

Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run OneStartChromium	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run OneStartChromium	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run OneStartUpdate	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run OneStartUpdate	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run OneStartAutoLaunch_B4891BEF8823FC13D1A3C1E0C5B71E0B	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run OneStartAutoLaunch_B4891BEF8823FC13D1A3C1E0C5B71E0B	Jump to behavior

Source: C:\Windows\System32\msiexec.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8 Blob

Jump to behavior

Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\128.0.6613.120\notification_helper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe

Code function: 8_2_00007FF6C9146D00 rdtsc

8_2_00007FF6C9146D00

Source: C:\Windows\explorer.exe

Window / User API: foregroundWindowGot 609

Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIE6AB.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIE8C4.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIE7C7.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIC904.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIE875.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Temp\source8412_1839449235\onestart-bin\128.0.6613.124\chrome.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIF540.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIF7A7.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIE816.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIF5EE.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIE719.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Dropped PE file which has not been started: C:\Program Files\chrome_Unpacker_BeginUnzipping8756_1450361068\_platform_specific\win_x64\widevinecdm.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIE768.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIE913.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIE62D.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIF5AF.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSICA1F.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIF6BB.tmp	Jump to dropped file

Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe

Evasive API call chain: GetLocalTime,DecisionNodes

graph_24-27190

Source: C:\Windows\Installer\MSIBD59.tmp

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_20-34888

Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	API coverage: 5.9 %
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	API coverage: 5.5 %

Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\d0010409			Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\d0010409

Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	File Volume queried: C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\Code Cache\js FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	File Volume queried: C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\Code Cache\wasm FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	File Volume queried: C:\Program Files\scoped_dir8756_2073239630 FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	File Volume queried: C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	File Volume queried: C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	File Volume queried: C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	File Volume queried: C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	File Volume queried: C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	File Volume queried: C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\blob_storage\b34a635f-6f0a-4cc7-8cad-7e7da9360115 FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	File Volume queried: C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	File Volume queried: C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	File Volume queried: C:\Program Files\scoped_dir8756_234605702 FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	File Volume queried: C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\Cache\Cache_Data FullSizeInformation

Source: C:\Windows\Installer\MSIBD59.tmp

Code function: 20_2_009C1860 FindFirstFileExW,

20_2_009C1860

Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	File opened: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Temp\source8412_1839449235\onestart-bin\NULL	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	File opened: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Temp\NULL	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	File opened: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Temp\source8412_1839449235\onestart-bin	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	File opened: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Temp\source8412_1839449235\onestart-bin\128.0.6613.124	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	File opened: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Temp\source8412_1839449235	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	File opened: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Temp\source8412_1839449235\NULL	Jump to behavior

Source: onestart.exe, 0000001D.00000002.17604040477.00007FF860641000.00000020.00000001.01000000.00000009.sdmp	Binary or memory string: uVMcI
Source: onestart.exe, 0000001C.00000003.17592233996.000035E800034000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: YIVMci4=
Source: onestart_installer.exe, 00000007.00000002.17537569244.000001B10FF19000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000021.00000000.17618670047.000000000D870000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: onestart.exe, 0000001C.00000002.17599722375.00000221424E7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW=
Source: onestart.exe, 0000001C.00000002.17599722375.00000221424E7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll!
Source: explorer.exe, 00000021.00000000.17603967107.00000000099FF000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWstem Management BIOS Driver
Source: onestart_installer.exe, 00000007.00000002.17537569244.000001B10FF19000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: explorer.exe, 00000021.00000000.17618670047.000000000D81E000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW0U
Source: onestart_installer.exe, 00000007.00000003.17496001642.000001B10FF3F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllAA

Source: C:\Windows\System32\msiexec.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe

Code function: 8_2_00007FF6C9146D00 rdtsc

8_2_00007FF6C9146D00

Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe

Code function: 8_2_00007FF6C9195B80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

8_2_00007FF6C9195B80

Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe

Code function: 8_2_00007FF6C9157630 LoadLibraryW,GetProcAddress,

8_2_00007FF6C9157630

Source: C:\Windows\Installer\MSIBD59.tmp

Code function: 20_2_009825A0 GetProcessHeap,

20_2_009825A0

Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 8_2_00007FF6C9195B80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_00007FF6C9195B80
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 8_2_00007FF6C917C698 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	8_2_00007FF6C917C698
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 9_2_00007FF6C9195B80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	9_2_00007FF6C9195B80
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 9_2_00007FF6C917C698 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	9_2_00007FF6C917C698
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 12_2_00007FF6C9195B80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	12_2_00007FF6C9195B80
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: 12_2_00007FF6C917C698 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	12_2_00007FF6C917C698
Source: C:\Windows\Installer\MSIBD59.tmp	Code function: 20_2_009AA1F1 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	20_2_009AA1F1
Source: C:\Windows\Installer\MSIBD59.tmp	Code function: 20_2_009AE23B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	20_2_009AE23B
Source: C:\Windows\Installer\MSIBD59.tmp	Code function: 20_2_009AA385 SetUnhandledExceptionFilter,	20_2_009AA385
Source: C:\Windows\Installer\MSIBD59.tmp	Code function: 20_2_009A985D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	20_2_009A985D
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Code function: 24_2_00007FF637E77638 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	24_2_00007FF637E77638
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Code function: 24_2_00007FF637EA047C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	24_2_00007FF637EA047C

Source: C:\Windows\Installer\MSIBD59.tmp

Code function: 20_2_00987800 GetWindowsDirectoryW,GetForegroundWindow,ShellExecuteExW,ShellExecuteExW,GetModuleHandleW,GetProcAddress,AllowSetForegroundWindow,GetModuleHandleW,GetProcAddress,Sleep,EnumWindows,SetWindowPos,WaitForSingleObject,GetExitCodeProcess,GetWindowThreadProcessId,GetWindowLongW,

20_2_00987800

Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe

File opened: Windows Firewall: C:\Windows\System32\FirewallAPI.dll

Jump to behavior

Source: explorer.exe, 00000021.00000000.17618670047.000000000DA12000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWndmR
Source: explorer.exe, 00000021.00000000.17597255379.0000000004C60000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000021.00000000.17589845191.0000000001530000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000021.00000000.17587897935.0000000000EA3000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000021.00000000.17589845191.0000000001530000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000021.00000000.17589845191.0000000001530000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Program Managerb
Source: explorer.exe, 00000021.00000000.17589845191.0000000001530000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: EnumSystemLocalesW,	8_2_00007FF6C91A5A78
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: GetLocaleInfoW,	8_2_00007FF6C91A5164
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: EnumSystemLocalesW,	8_2_00007FF6C91AA1EC
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: EnumSystemLocalesW,	8_2_00007FF6C91AA508
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: EnumSystemLocalesW,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	8_2_00007FF6C91A9EEC
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	8_2_00007FF6C91AA798
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: EnumSystemLocalesW,	9_2_00007FF6C91A5A78
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: GetLocaleInfoW,	9_2_00007FF6C91A5164
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: EnumSystemLocalesW,	9_2_00007FF6C91AA1EC
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: EnumSystemLocalesW,	9_2_00007FF6C91AA508
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: EnumSystemLocalesW,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	9_2_00007FF6C91A9EEC
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	9_2_00007FF6C91AA798
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: EnumSystemLocalesW,	12_2_00007FF6C91A5A78
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: GetLocaleInfoW,	12_2_00007FF6C91A5164
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: EnumSystemLocalesW,	12_2_00007FF6C91AA1EC
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: EnumSystemLocalesW,	12_2_00007FF6C91AA508
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: EnumSystemLocalesW,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	12_2_00007FF6C91A9EEC
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	12_2_00007FF6C91AA798
Source: C:\Windows\Installer\MSIBD59.tmp	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	20_2_009C50B7
Source: C:\Windows\Installer\MSIBD59.tmp	Code function: GetLocaleInfoW,	20_2_009BF310
Source: C:\Windows\Installer\MSIBD59.tmp	Code function: GetLocaleInfoEx,FormatMessageA,	20_2_009926C1
Source: C:\Windows\Installer\MSIBD59.tmp	Code function: GetACP,IsValidCodePage,GetLocaleInfoW,	20_2_009C4714
Source: C:\Windows\Installer\MSIBD59.tmp	Code function: EnumSystemLocalesW,	20_2_009C49D3
Source: C:\Windows\Installer\MSIBD59.tmp	Code function: EnumSystemLocalesW,	20_2_009C4AB9
Source: C:\Windows\Installer\MSIBD59.tmp	Code function: EnumSystemLocalesW,	20_2_009C4A1E
Source: C:\Windows\Installer\MSIBD59.tmp	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	20_2_009C4B50
Source: C:\Windows\Installer\MSIBD59.tmp	Code function: GetLocaleInfoW,	20_2_009C4DB0
Source: C:\Windows\Installer\MSIBD59.tmp	Code function: EnumSystemLocalesW,	20_2_009BEDE2
Source: C:\Windows\Installer\MSIBD59.tmp	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	20_2_009C4ED5
Source: C:\Windows\Installer\MSIBD59.tmp	Code function: GetLocaleInfoEx,	20_2_009A8F9C
Source: C:\Windows\Installer\MSIBD59.tmp	Code function: GetLocaleInfoW,	20_2_009C4FDB
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Code function: EnumSystemLocalesW,	24_2_00007FF637EA3F5C
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	24_2_00007FF637EA4508
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Code function: EnumSystemLocalesW,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	24_2_00007FF637EA3C5C
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Code function: EnumSystemLocalesW,	24_2_00007FF637E9F408
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Code function: GetLocaleInfoW,	24_2_00007FF637E9EAF4
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Code function: EnumSystemLocalesW,	24_2_00007FF637EA4278

Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Queries volume information: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Queries volume information: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\master_preferences VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Queries volume information: C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\Preferences VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Queries volume information: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\128.0.6613.124\PrivacySandboxAttestationsPreloaded\manifest.json VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Queries volume information: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\128.0.6613.124\MEIPreload\manifest.json VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Queries volume information: C:\Windows\System32\spool\drivers\color\sRGB Color Space Profile.icm VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Queries volume information: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Queries volume information: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\128.0.6613.124\MEIPreload\preloaded_data.pb VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\scoped_dir8756_1626695629\CRX_INSTALL\manifest.json VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\scoped_dir8756_1626695629\CRX_INSTALL\manifest.json VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\scoped_dir8756_1626695629\CRX_INSTALL\conversion-tracking.js VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Queries volume information: C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\Extensions\memhbiihnoblfombkckdfmemihcnlihc\1.0.1.30_0\manifest.json VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Queries volume information: C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\Extensions\memhbiihnoblfombkckdfmemihcnlihc\1.0.1.30_0\conversion-tracking.js VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Queries volume information: C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\Extensions\memhbiihnoblfombkckdfmemihcnlihc\1.0.1.30_0\conversion-tracking.js VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Queries volume information: C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\Service Worker\ScriptCache\2cc80dabc69f58b6_0 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\scoped_dir8756_1359693283\CRX_INSTALL\manifest.json VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\scoped_dir8756_1359693283\CRX_INSTALL\page.js VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Queries volume information: C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\Extensions\iogmhikihfgnimkplhkcpapibpafdmmh\101.0.1.10_0\manifest.json VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Queries volume information: C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\Extensions\iogmhikihfgnimkplhkcpapibpafdmmh\101.0.1.10_0\page.js VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Queries volume information: C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\Extensions\iogmhikihfgnimkplhkcpapibpafdmmh\101.0.1.10_0\page.js VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Queries volume information: C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\Service Worker\ScriptCache\4cb013792b196a35_0 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Queries volume information: C:\Program Files\chrome_Unpacker_BeginUnzipping8756_1450361068\manifest.json VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	Queries volume information: C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\Network\SCT Auditing Pending Reports VolumeInformation

Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\onestart_installer.exe

Code function: 7_2_00007FF6A9286094 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

7_2_00007FF6A9286094

Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe

Code function: 8_2_00007FF6C9198594 GetTimeZoneInformation,

8_2_00007FF6C9198594

Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe

Code function: 24_2_00007FF637E31BB0 GetVersionExW,GetProductInfo,GetNativeSystemInfo,

24_2_00007FF637E31BB0

Source: C:\Windows\System32\msiexec.exe

Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8 Blob

Jump to behavior

Stealing of Sensitive Information

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Favicons
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	File opened: C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\History	Jump to behavior
Source: C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Replication Through Removable Media	3 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	2 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	12 Command and Scripting Interpreter	11 Windows Service	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	11 Peripheral Device Discovery	Remote Desktop Protocol	1 Data from Local System	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	11 Registry Run Keys / Startup Folder	11 Windows Service	2 Obfuscated Files or Information	Security Account Manager	3 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	12 Process Injection	1 DLL Side-Loading	NTDS	35 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	11 Registry Run Keys / Startup Folder	1 File Deletion	LSA Secrets	31 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	133 Masquerading	Cached Domain Credentials	3 Process Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Modify Registry	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	12 Process Injection	Proc Filesystem	1 Remote System Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
pdfguruhub.msi	0%	ReversingLabs

Dropped Files

Source	Detection	Scanner
C:\Program Files\chrome_Unpacker_BeginUnzipping8756_1450361068\_platform_specific\win_x64\widevinecdm.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe	3%	ReversingLabs
C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\onestart_installer.exe (copy)	3%	ReversingLabs
C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\onestart_installer.exe.part	3%	ReversingLabs
C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\chrome_proxy.exe (copy)	3%	ReversingLabs
C:\Users\user\AppData\Local\OneStart.ai\OneStart\Temp\source8412_1839449235\onestart-bin\128.0.6613.124\chrome.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSIC904.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSICA1F.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSIE62D.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSIE6AB.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSIE719.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSIE768.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSIE7C7.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSIE816.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSIE875.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSIE8C4.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSIE913.tmp	0%	ReversingLabs
C:\Windows\Installer\MSIBD59.tmp	0%	ReversingLabs
C:\Windows\Installer\MSIF540.tmp	0%	ReversingLabs
C:\Windows\Installer\MSIF5AF.tmp	0%	ReversingLabs
C:\Windows\Installer\MSIF5EE.tmp	0%	ReversingLabs
C:\Windows\Installer\MSIF6BB.tmp	0%	ReversingLabs
C:\Windows\Installer\MSIF7A7.tmp	0%	ReversingLabs

Source	Detection	Scanner	Label
https://hgic.clemson.edu/	0%	Avira URL Cloud	safe
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA12QGBm-dark	0%	Avira URL Cloud	safe
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA12PNdd-dark	0%	Avira URL Cloud	safe
https://crashpad.chromium.org/https://crashpad.chromium.org/bug/new	0%	Avira URL Cloud	safe
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13D4or-dark	0%	Avira URL Cloud	safe
https://drafts.csswg.org/css-page-3/#margin-text-alignment	0%	Avira URL Cloud	safe
https://api2.onestart.ai/api/bb/updates.txt	0%	Avira URL Cloud	safe
https://atlasox.s3.amazonaws.com/bb/OneStartSetup-v10.116.180.0.msi	0%	Avira URL Cloud	safe
https://issuetracker.google.com/220069903	0%	Avira URL Cloud	safe
https://html.spec.whatwg.org/multipage/rendering.html#flow-content-3	0%	Avira URL Cloud	safe
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gyc7-dark	0%	Avira URL Cloud	safe
https://d1cvahyfkfdxyq.cloudfront.net/OneStartSetup-v10.116.180.0.msi	0%	Avira URL Cloud	safe
http://anglebug.com/41488637	0%	Avira URL Cloud	safe
http://anglebug.com/40096838	0%	Avira URL Cloud	safe
https://crashpad.chromium.org/	0%	Avira URL Cloud	safe
http://anglebug.com/42261924	0%	Avira URL Cloud	safe
https://word.office.comPRYMo	0%	Avira URL Cloud	safe
https://crbug.com/593024	0%	Avira URL Cloud	safe
http://anglebug.com/42264193	0%	Avira URL Cloud	safe
https://crbug.com/650547	0%	Avira URL Cloud	safe
http://anglebug.com/40096608	0%	Avira URL Cloud	safe
https://issuetracker.google.com/349489248	0%	Avira URL Cloud	safe
http://crbug.com/941620	0%	Avira URL Cloud	safe
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT-dark	0%	Avira URL Cloud	safe
http://en.w	0%	Avira URL Cloud	safe
https://fullscreen.spec.whatwg.org/#user-agent-level-style-sheet-defaults:	0%	Avira URL Cloud	safe
https://android.notify.windows.com/iOS	0%	Avira URL Cloud	safe
https://html.spec.whatwg.org/multipage/rendering.html#hidden-elements	0%	Avira URL Cloud	safe
http://anglebug.com/42265509	0%	Avira URL Cloud	safe
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA12PNdd	0%	Avira URL Cloud	safe
https://crashpad.chromium.org/bug/new	0%	Avira URL Cloud	safe
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gowI	0%	Avira URL Cloud	safe
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT	0%	Avira URL Cloud	safe
https://html.spec.whatwg.org/C/#the-details-and-summary-elements	0%	Avira URL Cloud	safe
http://schemas.micro	0%	Avira URL Cloud	safe
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gowI-dark	0%	Avira URL Cloud	safe
http://anglebug.com/42266842	0%	Avira URL Cloud	safe

Name	Source	Malicious	Antivirus Detection	Reputation
https://onestart.ai/chr/uninstall?iid=	setup.exe, 0000000D.00000000.17521585969.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmp	false		high
https://api2.onestart.ai/api/bb/updates.txt	onestart_installer.exe, 00000007.00000000.17174527736.00007FF6A92E8000.00000002.00000001.01000000.00000004.sdmp, onestart_installer.exe, 00000007.00000002.17538917328.00007FF6A92E8000.00000002.00000001.01000000.00000004.sdmp, setup.exe, 00000008.00000000.17262676737.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmp, setup.exe, 00000008.00000002.17533880137.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmp, setup.exe, 00000009.00000002.17536290510.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmp, setup.exe, 00000009.00000000.17263931920.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmp, setup.exe, 0000000C.00000002.17527361484.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmp, setup.exe, 0000000C.00000000.17520130297.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmp, setup.exe, 0000000D.00000002.17529835252.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmp, setup.exe, 0000000D.00000000.17521585969.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmp, onestart.exe, 0000000F.00000000.17529224837.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp, onestart.exe, 00000010.00000000.17530866871.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp, onestart.exe, 00000011.00000000.17532602492.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp, onestart.exe, 00000012.00000000.17545701873.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp, onestart.exe, 00000013.00000000.17550906960.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp, onestart.exe, 00000015.00000000.17557027141.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp, onestart.exe, 00000018.00000000.17565578072.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp, onestart.exe, 00000018.00000002.17584352488.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp, onestart.exe, 0000001C.00000000.17579086367.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp, onestart.exe, 0000001C.00000002.17606273532.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp, onestart.exe, 0000001D.00000002.17602603849.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp	false	Avira URL Cloud: safe	unknown
https://drafts.csswg.org/css-page-3/#margin-text-alignment	onestart.exe, 00000022.00000003.17595367872.00000DD000578000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 00000022.00000003.17594063744.00000DD00059C000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 00000022.00000003.17595977736.00000DD000678000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 00000022.00000003.17595107240.00000DD00066C000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 00000023.00000003.17602899497.000036E00058C000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 00000023.00000003.17603727265.000036E00066C000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 00000023.00000003.17604326816.000036E000678000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 00000023.00000003.17603083891.000036E000568000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/money/m)	explorer.exe, 00000021.00000000.17602606993.0000000009839000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/weather/topstories/tropical-system-brewing-in-the-caribbean-now-is-forecas	explorer.exe, 00000021.00000000.17618670047.000000000DA12000.00000004.00000001.00020000.00000000.sdmp	false		high
https://assets.msn.com/weathermapdata/1/static/weather/taskbar/animation/20240908.1/Weather/W01_Sunn	explorer.exe, 00000021.00000000.17618670047.000000000DA12000.00000004.00000001.00020000.00000000.sdmp	false		high
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA12PNdd-dark	explorer.exe, 00000021.00000000.17618670047.000000000DA12000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA12QGBm-dark	explorer.exe, 00000021.00000000.17618670047.000000000DA12000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/news/politics/trump-s-house-gop-picks-have-republicans-worried/ar-AA1tXhyZ	explorer.exe, 00000021.00000000.17618670047.000000000DA12000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.eicar.org/wp-content/uploads/2018/04/cropped-e-32x32.png	onestart.exe, 00000018.00000003.17571577298.000001DC40AB4000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/money/markets?id=a3oxnm	explorer.exe, 00000021.00000000.17618670047.000000000DA12000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.delish.com/holiday-recipes/thanksgiving/a29505453/turkey-cake-recipe/	explorer.exe, 00000021.00000000.17618670047.000000000DA12000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.delish.com/holiday-recipes/thanksgiving/g1183/mini-thanksgiving-desserts/	explorer.exe, 00000021.00000000.17618670047.000000000DA12000.00000004.00000001.00020000.00000000.sdmp	false		high
https://api.msn.com:443/v1/news/Feed/Windows?	explorer.exe, 00000021.00000000.17618670047.000000000DA12000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000021.00000000.17618670047.000000000D82B000.00000004.00000001.00020000.00000000.sdmp	false		high
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13D4or-dark	explorer.exe, 00000021.00000000.17618670047.000000000DA12000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.google.com/chrome/?&brand=CHWL&utm_campaign=en&utm_source=en-et-na-us-chrome-bubble&utm_	onestart.exe, 00000018.00000002.17582601314.0000495C00060000.00000004.00001000.00020000.00000000.sdmp	false		high
https://html.spec.whatwg.org/multipage/rendering.html#flow-content-3	onestart.exe, 00000022.00000003.17595367872.00000DD000578000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 00000022.00000003.17594063744.00000DD00059C000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 00000022.00000003.17595977736.00000DD000678000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 00000022.00000003.17595107240.00000DD00066C000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 00000023.00000003.17602899497.000036E00058C000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 00000023.00000003.17603727265.000036E00066C000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 00000023.00000003.17604326816.000036E000678000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 00000023.00000003.17603083891.000036E000568000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.msn.com/v1/news/Feed/Windows?w	explorer.exe, 00000021.00000000.17618670047.000000000D81E000.00000004.00000001.00020000.00000000.sdmp	false		high
https://resources.onestart.ai/onestart_installer_128.0.6613.125.exe	onestart.exe, 0000001C.00000003.17592980483.000035E800122000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 0000001C.00000003.17592351953.000035E800122000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 0000001C.00000003.17594882118.0000022143F30000.00000004.00000800.00020000.00000000.sdmp, onestart.exe, 0000001C.00000003.17592351953.000035E800118000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 0000001C.00000003.17592980483.000035E800114000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 0000001C.00000003.17592980483.000035E800118000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 0000001C.00000002.17602067560.000035E800004000.00000004.00001000.00020000.00000000.sdmp	false		high
https://atlasox.s3.amazonaws.com/bb/OneStartSetup-v10.116.180.0.msi	onestart.exe, 0000001C.00000003.17592980483.000035E800122000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 0000001C.00000003.17592351953.000035E800122000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 0000001C.00000003.17594882118.0000022143F30000.00000004.00000800.00020000.00000000.sdmp, onestart.exe, 0000001C.00000003.17592351953.000035E800118000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 0000001C.00000003.17592980483.000035E800114000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 0000001C.00000003.17592980483.000035E800118000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 0000001C.00000002.17602067560.000035E800004000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://excel.office.com	explorer.exe, 00000021.00000000.17618670047.000000000D870000.00000004.00000001.00020000.00000000.sdmp	false		high
https://onestart.ai/chr/ri?	onestart_installer.exe, 00000007.00000000.17174527736.00007FF6A92E8000.00000002.00000001.01000000.00000004.sdmp, onestart_installer.exe, 00000007.00000002.17538917328.00007FF6A92E8000.00000002.00000001.01000000.00000004.sdmp	false		high
https://hgic.clemson.edu/	explorer.exe, 00000021.00000000.17618670047.000000000DA12000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.delish.com/cooking/recipe-ideas/a44007618/sweet-potato-pie-recipe/	explorer.exe, 00000021.00000000.17618670047.000000000DA12000.00000004.00000001.00020000.00000000.sdmp	false		high
https://crashpad.chromium.org/https://crashpad.chromium.org/bug/new	setup.exe, 00000008.00000000.17262676737.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmp, setup.exe, 00000008.00000002.17533880137.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmp, setup.exe, 00000009.00000002.17536290510.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmp, setup.exe, 00000009.00000000.17263931920.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmp, setup.exe, 0000000C.00000002.17527361484.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmp, setup.exe, 0000000C.00000000.17520130297.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmp, setup.exe, 0000000D.00000002.17529835252.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmp, setup.exe, 0000000D.00000000.17521585969.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmp, onestart.exe, 0000000F.00000000.17529224837.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp, onestart.exe, 00000010.00000000.17530866871.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp, onestart.exe, 00000011.00000000.17532602492.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp, onestart.exe, 00000012.00000000.17545701873.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp, onestart.exe, 00000013.00000000.17550906960.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp, onestart.exe, 00000015.00000000.17557027141.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp, onestart.exe, 00000018.00000000.17565578072.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp, onestart.exe, 00000018.00000002.17584352488.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp, onestart.exe, 0000001C.00000000.17579086367.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp, onestart.exe, 0000001C.00000002.17606273532.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp, onestart.exe, 0000001D.00000002.17602603849.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp, onestart.exe, 0000001D.00000000.17580243797.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp, onestart.exe, 0000001F.00000000.17585188024.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp	false	Avira URL Cloud: safe	unknown
https://www.delish.com/cooking/recipe-ideas/a55685/easy-pecan-pie-recipe/	explorer.exe, 00000021.00000000.17618670047.000000000DA12000.00000004.00000001.00020000.00000000.sdmp	false		high
https://issuetracker.google.com/220069903	onestart.exe, 00000012.00000003.17565717779.0000517400164000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://anglebug.com/41488637	onestart.exe, 0000000F.00000003.17567081652.00003BBC00CA4000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 0000000F.00000003.17567027074.00003BBC00CB0000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 00000012.00000003.17565636149.000051740015C000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 00000012.00000003.17565717779.0000517400164000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/news/crime/dick-van-dyke-forever-young/ar-AA1lDpRD	explorer.exe, 00000021.00000000.17602606993.0000000009839000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.eicar.org/wp-content/uploads/2018/04/cropped-e-32x32.pngK	onestart.exe, 00000018.00000003.17571577298.000001DC40AB4000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/tv/news/a-look-back-at-50-years-of-political-humor-on-saturday-night-live/	explorer.exe, 00000021.00000000.17618670047.000000000DA12000.00000004.00000001.00020000.00000000.sdmp	false		high
https://word.office.comPRYMo	explorer.exe, 00000021.00000000.17618670047.000000000DC44000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.eicar.org/download-anti-malware-testfile/:	onestart.exe, 00000018.00000003.17567887218.000001DC40ACC000.00000004.00000020.00020000.00000000.sdmp	false		high
http://anglebug.com/42261924	onestart.exe, 0000000F.00000003.17567081652.00003BBC00CA4000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 0000000F.00000003.17567027074.00003BBC00CB0000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 00000012.00000003.17565636149.000051740015C000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 00000012.00000003.17565717779.0000517400164000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.google.com/chrome/static/images/favicons/favicon-32x32.png	onestart.exe, 00000018.00000003.17571577298.000001DC40AB4000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/news/world/after-188-years-the-world-s-longest-venomous-snake-is-officiall	explorer.exe, 00000021.00000000.17618670047.000000000DA12000.00000004.00000001.00020000.00000000.sdmp	false		high
https://assets.msn.com/weathermapdata/1/static/weather/Icons/MSIAWwA=/Condition/AAehR3S.svg	explorer.exe, 00000021.00000000.17618670047.000000000DA12000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/money/markets/john-paulson-drops-out-of-running-to-become-trump-treasury-s	explorer.exe, 00000021.00000000.17618670047.000000000DA12000.00000004.00000001.00020000.00000000.sdmp	false		high
https://secure.eicar.org/eicar.com;	onestart.exe, 00000018.00000003.17567887218.000001DC40ACC000.00000004.00000020.00020000.00000000.sdmp	false		high
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gyc7-dark	explorer.exe, 00000021.00000000.17618670047.000000000DA12000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://onestart.ai/chr/ri?fhnid=ip&product=2&bversion=128.0.6613.124&wversion=4.5.258.2Start	onestart_installer.exe, 00000007.00000002.17538063483.000075900006C000.00000004.00001000.00020000.00000000.sdmp	false		high
https://crbug.com/650547	onestart.exe, 0000000F.00000003.17567081652.00003BBC00CA4000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 0000000F.00000003.17567027074.00003BBC00CB0000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 00000012.00000003.17565636149.000051740015C000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 00000012.00000003.17565717779.0000517400164000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://anglebug.com/40096838	onestart.exe, 0000000F.00000003.17567081652.00003BBC00CA4000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 0000000F.00000003.17567027074.00003BBC00CB0000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 00000012.00000003.17565636149.000051740015C000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 00000012.00000003.17565717779.0000517400164000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://anglebug.com/42264193	onestart.exe, 0000000F.00000003.17567081652.00003BBC00CA4000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 0000000F.00000003.17567027074.00003BBC00CB0000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 00000012.00000003.17565636149.000051740015C000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 00000012.00000003.17565717779.0000517400164000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://wns.windows.com/	explorer.exe, 00000021.00000000.17597360774.00000000054AA000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.delish.com/cooking/recipe-ideas/a62045743/krispie-turkey-recipe/	explorer.exe, 00000021.00000000.17618670047.000000000DA12000.00000004.00000001.00020000.00000000.sdmp	false		high
https://d1cvahyfkfdxyq.cloudfront.net/OneStartSetup-v10.116.180.0.msi	onestart.exe, 0000001C.00000003.17592980483.000035E800122000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 0000001C.00000003.17592351953.000035E800122000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 0000001C.00000003.17594882118.0000022143F30000.00000004.00000800.00020000.00000000.sdmp, onestart.exe, 0000001C.00000003.17592351953.000035E800118000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 0000001C.00000003.17592980483.000035E800114000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 0000001C.00000003.17592980483.000035E800118000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 0000001C.00000002.17602067560.000035E800004000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/news/politics/chris-wallace-leaving-cnn/ar-AA1tUo1L	explorer.exe, 00000021.00000000.17618670047.000000000DA12000.00000004.00000001.00020000.00000000.sdmp	false		high
https://crashpad.chromium.org/	setup.exe, 00000008.00000000.17262676737.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmp, setup.exe, 00000008.00000002.17533880137.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmp, setup.exe, 00000009.00000002.17536290510.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmp, setup.exe, 00000009.00000000.17263931920.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmp, setup.exe, 0000000C.00000002.17527361484.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmp, setup.exe, 0000000C.00000000.17520130297.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmp, setup.exe, 0000000D.00000002.17529835252.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmp, setup.exe, 0000000D.00000000.17521585969.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmp, onestart.exe, 0000000F.00000000.17529224837.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp, onestart.exe, 00000010.00000000.17530866871.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp, onestart.exe, 00000011.00000000.17532602492.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp, onestart.exe, 00000012.00000000.17545701873.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp, onestart.exe, 00000013.00000000.17550906960.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp, onestart.exe, 00000015.00000000.17557027141.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp, onestart.exe, 00000018.00000000.17565578072.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp, onestart.exe, 00000018.00000002.17584352488.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp, onestart.exe, 0000001C.00000000.17579086367.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp, onestart.exe, 0000001C.00000002.17606273532.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp, onestart.exe, 0000001D.00000002.17602603849.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp, onestart.exe, 0000001D.00000000.17580243797.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp, onestart.exe, 0000001F.00000000.17585188024.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/money/markets?id=a6qja2	explorer.exe, 00000021.00000000.17618670047.000000000DA12000.00000004.00000001.00020000.00000000.sdmp	false		high
http://log.onestart.ai/tart.aiP	onestart_installer.exe, 00000007.00000002.17538125726.000075900007C000.00000004.00001000.00020000.00000000.sdmp	false		high
https://crbug.com/593024	onestart.exe, 0000000F.00000003.17567081652.00003BBC00CA4000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 0000000F.00000003.17567027074.00003BBC00CB0000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 00000012.00000003.17565636149.000051740015C000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 00000012.00000003.17565717779.0000517400164000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://chrome.google.com/webstore	onestart.exe, 00000022.00000003.17593241862.00000DD0004DC000.00000004.00001000.00020000.00000000.sdmp	false		high
https://www.eicar.org/download-anti-malware-testfile/&Download	onestart.exe, 00000018.00000003.17574702913.0000495C0010C000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 00000018.00000002.17575506737.000001DC40D9A000.00000004.10000000.00040000.00000000.sdmp	false		high
https://aka.ms/odirm7	explorer.exe, 00000021.00000000.17603967107.0000000009A37000.00000004.00000001.00020000.00000000.sdmp	false		high
https://secure.eicar.org/eicar.com	onestart.exe, 00000018.00000002.17575506737.000001DC40D9A000.00000004.10000000.00040000.00000000.sdmp	false		high
https://issuetracker.google.com/349489248	onestart.exe, 00000012.00000003.17565717779.0000517400164000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://onestart.ai/chr/gcsett?iid=u	onestart_installer.exe, 00000007.00000002.17538096350.0000759000070000.00000004.00001000.00020000.00000000.sdmp	false		high
http://anglebug.com/40096608	onestart.exe, 0000000F.00000003.17567081652.00003BBC00CA4000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 0000000F.00000003.17567027074.00003BBC00CB0000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 00000012.00000003.17565636149.000051740015C000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 00000012.00000003.17565717779.0000517400164000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crbug.com/941620	onestart.exe, 0000000F.00000003.17567081652.00003BBC00CA4000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 0000000F.00000003.17567027074.00003BBC00CB0000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 00000012.00000003.17565636149.000051740015C000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 00000012.00000003.17565717779.0000517400164000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT-dark	explorer.exe, 00000021.00000000.17618670047.000000000DA12000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://fullscreen.spec.whatwg.org/#user-agent-level-style-sheet-defaults:	onestart.exe, 00000022.00000003.17595367872.00000DD000578000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 00000022.00000003.17594063744.00000DD00059C000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 00000022.00000003.17595977736.00000DD000678000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 00000022.00000003.17595107240.00000DD00066C000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 00000023.00000003.17602899497.000036E00058C000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 00000023.00000003.17603727265.000036E00066C000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 00000023.00000003.17604326816.000036E000678000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 00000023.00000003.17603083891.000036E000568000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.llbean.com/webapp/wcs/stores/servlet/LLBShoppingCartDisplay	onestart.exe, 0000000F.00000003.17587316297.00003BBC005A4000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 0000000F.00000003.17561258244.00003BBC005A4000.00000004.00001000.00020000.00000000.sdmp	false		high
https://www.google.com/search?q=eicar	onestart.exe, 00000018.00000002.17575506737.000001DC40D9A000.00000004.10000000.00040000.00000000.sdmp	false		high
https://outlook.com	explorer.exe, 00000021.00000000.17618670047.000000000DC44000.00000004.00000001.00020000.00000000.sdmp	false		high
http://en.w	onestart.exe, 00000023.00000003.17628335067.0000018EC598D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppe	explorer.exe, 00000021.00000000.17624078294.000000000DE2D000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.google.com/favicon.ico	onestart.exe, 00000018.00000003.17571577298.000001DC40AB4000.00000004.00000020.00020000.00000000.sdmp	false		high
https://onestart.ai/resources/extension/c1/capitalone-101.0.1.10.crx	onestart.exe, 00000024.00000002.17609305562.0000017F3643A000.00000004.10000000.00040000.00000000.sdmp, onestart.exe, 00000024.00000003.17606436524.00005CA400110000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 00000024.00000003.17606436524.00005CA400112000.00000004.00001000.00020000.00000000.sdmp	false		high
https://assets.msn.com/weathermapdat	explorer.exe, 00000021.00000000.17602606993.00000000097F0000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.eicar.org/download-anti-malware-testfile/	onestart.exe, 00000018.00000003.17574702913.0000495C0010C000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 00000018.00000003.17571577298.000001DC40AB4000.00000004.00000020.00020000.00000000.sdmp, onestart.exe, 00000018.00000002.17575506737.000001DC40D9A000.00000004.10000000.00040000.00000000.sdmp	false		high
http://anglebug.com/42265509	onestart.exe, 0000000F.00000003.17567081652.00003BBC00CA4000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 0000000F.00000003.17567027074.00003BBC00CB0000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 00000012.00000003.17565636149.000051740015C000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 00000012.00000003.17565717779.0000517400164000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://onestart.ai/chr/ui?iid=	onestart_installer.exe, 00000007.00000000.17174527736.00007FF6A92E8000.00000002.00000001.01000000.00000004.sdmp, onestart_installer.exe, 00000007.00000002.17538917328.00007FF6A92E8000.00000002.00000001.01000000.00000004.sdmp	false		high
https://www.msn.com/en-us/money/personalfinance/quiet-millionaires-5-understated-signs-that-whisper-	explorer.exe, 00000021.00000000.17618670047.000000000DA12000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/money/retirement/i-m-46-years-old-single-and-live-paycheck-to-paycheck-but	explorer.exe, 00000021.00000000.17618670047.000000000DA12000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.delish.com/holiday-recipes/thanksgiving/a29167451/turkey-cheese-ball-recipe/	explorer.exe, 00000021.00000000.17618670047.000000000DA12000.00000004.00000001.00020000.00000000.sdmp	false		high
https://android.notify.windows.com/iOS	explorer.exe, 00000021.00000000.17603967107.0000000009AE0000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://onestart.ai/chr/gcsett?iid=40f05e8e-ef61-4211-af81-78bf374c0ab8rt.ai	onestart.exe, 0000001C.00000002.17603139470.000035E80007C000.00000004.00001000.00020000.00000000.sdmp	false		high
https://assets.msn.com/weathermapdata/1/static/weather/Icons/MSIAWwA=/Condition/AAehR3S.png	explorer.exe, 00000021.00000000.17618670047.000000000DA12000.00000004.00000001.00020000.00000000.sdmp	false		high
https://html.spec.whatwg.org/multipage/rendering.html#hidden-elements	onestart.exe, 00000022.00000003.17595367872.00000DD000578000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 00000022.00000003.17594063744.00000DD00059C000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 00000022.00000003.17595977736.00000DD000678000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 00000022.00000003.17595107240.00000DD00066C000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 00000023.00000003.17602899497.000036E00058C000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 00000023.00000003.17603727265.000036E00066C000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 00000023.00000003.17604326816.000036E000678000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 00000023.00000003.17603083891.000036E000568000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.delish.com/cooking/recipe-ideas/a62046866/turkey-oreo-balls-recipe/	explorer.exe, 00000021.00000000.17618670047.000000000DA12000.00000004.00000001.00020000.00000000.sdmp	false		high
http://log.onestart.ai/	onestart_installer.exe, 00000007.00000002.17538125726.000075900007C000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 0000001C.00000002.17603323536.000035E80008C000.00000004.00001000.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/weather/forecast/in-Bremen%2CAlabama?loc=eyJsIjoiQnJlbWVuIiwiciI6IkFsYWJhb	explorer.exe, 00000021.00000000.17618670047.000000000DA12000.00000004.00000001.00020000.00000000.sdmp	false		high
https://onestart.ai/chr/ri?productbrowsertyphttps://onestart.ai/chr/ui?iid=	onestart_installer.exe, 00000007.00000000.17174527736.00007FF6A92E8000.00000002.00000001.01000000.00000004.sdmp, onestart_installer.exe, 00000007.00000002.17538917328.00007FF6A92E8000.00000002.00000001.01000000.00000004.sdmp	false		high
https://secure.eicar.org/eicar.com.txt	onestart.exe, 00000018.00000002.17575506737.000001DC40D9A000.00000004.10000000.00040000.00000000.sdmp	false		high
https://www.google.com/chrome/next-steps.html?brand=CHWL&statcb=0&installdataindex=empty&defaultbrow	onestart.exe, 00000018.00000002.17575506737.000001DC40D9A000.00000004.10000000.00040000.00000000.sdmp	false		high
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA12PNdd	explorer.exe, 00000021.00000000.17618670047.000000000DA12000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gowI	explorer.exe, 00000021.00000000.17618670047.000000000DA12000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT	explorer.exe, 00000021.00000000.17618670047.000000000DA12000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.ecosia.org/search?q=	onestart.exe, 0000000F.00000003.17561258244.00003BBC005A4000.00000004.00001000.00020000.00000000.sdmp	false		high
https://crashpad.chromium.org/bug/new	setup.exe, 00000008.00000000.17262676737.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmp, setup.exe, 00000008.00000002.17533880137.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmp, setup.exe, 00000009.00000002.17536290510.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmp, setup.exe, 00000009.00000000.17263931920.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmp, setup.exe, 0000000C.00000002.17527361484.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmp, setup.exe, 0000000C.00000000.17520130297.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmp, setup.exe, 0000000D.00000002.17529835252.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmp, setup.exe, 0000000D.00000000.17521585969.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmp, onestart.exe, 0000000F.00000000.17529224837.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp, onestart.exe, 00000010.00000000.17530866871.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp, onestart.exe, 00000011.00000000.17532602492.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp, onestart.exe, 00000012.00000000.17545701873.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp, onestart.exe, 00000013.00000000.17550906960.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp, onestart.exe, 00000015.00000000.17557027141.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp, onestart.exe, 00000018.00000000.17565578072.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp, onestart.exe, 00000018.00000002.17584352488.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp, onestart.exe, 0000001C.00000000.17579086367.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp, onestart.exe, 0000001C.00000002.17606273532.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp, onestart.exe, 0000001D.00000002.17602603849.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp, onestart.exe, 0000001D.00000000.17580243797.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp, onestart.exe, 0000001F.00000000.17585188024.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmp	false	Avira URL Cloud: safe	unknown
http://www.unicode.org/copyright.html	onestart.exe, 00000025.00000002.17616734014.00000224A14D2000.00000002.00000001.00040000.00000015.sdmp	false		high
https://www.msn.com/en-us/feed	explorer.exe, 00000021.00000000.17618670047.000000000DA12000.00000004.00000001.00020000.00000000.sdmp	false		high
https://api.onestart.ai/api/bb/updates.txt	onestart_installer.exe, 00000007.00000003.17201152609.0000759000114000.00000004.00001000.00020000.00000000.sdmp, onestart_installer.exe, 00000007.00000003.17201217581.0000759000114000.00000004.00001000.00020000.00000000.sdmp, onestart_installer.exe, 00000007.00000002.17538350328.00007590000D5000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 0000001C.00000003.17585871833.000035E800114000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 0000001C.00000002.17604203903.000035E8000D4000.00000004.00001000.00020000.00000000.sdmp	false		high
https://html.spec.whatwg.org/C/#the-details-and-summary-elements	onestart.exe, 00000022.00000003.17595367872.00000DD000578000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 00000022.00000003.17594063744.00000DD00059C000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 00000022.00000003.17595977736.00000DD000678000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 00000022.00000003.17595107240.00000DD00066C000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 00000023.00000003.17602899497.000036E00058C000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 00000023.00000003.17603727265.000036E00066C000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 00000023.00000003.17604326816.000036E000678000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 00000023.00000003.17603083891.000036E000568000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gowI-dark	explorer.exe, 00000021.00000000.17618670047.000000000DA12000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/news/us/louisiana-s-ten-commandments-law-in-public-schools-is-blocked-by-f	explorer.exe, 00000021.00000000.17618670047.000000000DA12000.00000004.00000001.00020000.00000000.sdmp	false		high
http://schemas.micro	explorer.exe, 00000021.00000000.17611592583.000000000AA60000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000021.00000000.17608342592.0000000009EE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000021.00000000.17591931571.0000000003500000.00000002.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://anglebug.com/42266842	onestart.exe, 0000000F.00000003.17567081652.00003BBC00CA4000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 0000000F.00000003.17567027074.00003BBC00CB0000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 00000012.00000003.17565636149.000051740015C000.00000004.00001000.00020000.00000000.sdmp, onestart.exe, 00000012.00000003.17565717779.0000517400164000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/play/games/dominoes/cg-9p72cwq04mkt	explorer.exe, 00000021.00000000.17602606993.000000000981F000.00000004.00000001.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
9.9.9.9	unknown	United States	19281	QUAD9-AS-1US	false
1.1.1.1	unknown	Australia	13335	CLOUDFLARENETUS	false
34.104.35.123	unknown	United States	15169	GOOGLEUS	false
3.161.150.2	unknown	United States	16509	AMAZON-02US	false
74.125.21.103	unknown	United States	15169	GOOGLEUS	false
3.161.193.27	unknown	United States	16509	AMAZON-02US	false
173.194.219.95	unknown	United States	15169	GOOGLEUS	false
162.159.61.3	unknown	United States	13335	CLOUDFLARENETUS	false
3.161.150.45	unknown	United States	16509	AMAZON-02US	false
3.161.150.69	unknown	United States	16509	AMAZON-02US	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
13.32.230.22	unknown	United States	16509	AMAZON-02US	false
54.230.31.105	unknown	United States	16509	AMAZON-02US	false
108.177.122.84	unknown	United States	15169	GOOGLEUS	false
74.125.138.94	unknown	United States	15169	GOOGLEUS	false

Private

IP
192.168.11.20
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1554678
Start date and time:	2024-11-12 19:26:55 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 13m 29s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, Chrome 128, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
Number of analysed new started processes analysed:	47
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	pdfguruhub.msi
Detection:	MAL
Classification:	mal52.spyw.evad.winMSI@82/312@0/17
EGA Information:	Successful, ratio: 83.3%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .msi

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, VSSVC.exe, WmiPrvSE.exe, svchost.exe
Execution Graph export aborted for target onestart_installer.exe, PID 8348 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtWriteVirtualMemory calls found.
Skipping network analysis since amount of network traffic is too extensive
VT rate limit hit for: pdfguruhub.msi

Simulations

Behavior and APIs

Time	Type	Description
13:30:00	API Interceptor	557x Sleep call for process: explorer.exe modified
19:29:58	Task Scheduler	Run new task: OneStartAutoLaunchTask-40f05e8e-ef61-4211-af81-78bf374c0ab8 path: cmd.exe s>/C "START /MIN /D "%LOCALAPPDATA%\OneStart.ai\OneStart\Application" onestart.exe --existing-window"
19:30:00	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run OneStartChromium "C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe" --existing-window
19:30:08	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run OneStartUpdate "C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe" --update
19:30:16	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run OneStartChromium "C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe" --existing-window
19:30:24	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run OneStartUpdate "C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe" --update

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
9.9.9.9	ACHAT DE 2 IMMEUBLES.pdf	Get hash	malicious	Unknown	Browse
	allpdfpro.msi	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer	Browse
	Setup.exe	Get hash	malicious	Unknown	Browse
	Setup.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Amadey, LummaC Stealer, XWorm	Browse
	http://assets.website-files.com/65e885e17261602dcdc10dce/663166d899226eaa1af23d4b_kilexi.pdf	Get hash	malicious	Unknown	Browse
	All-in-one Calculation Tool.xlsm	Get hash	malicious	Unknown	Browse
	https://agent.fleetdeck.io/RJhGzP5jyL7Wdj5mXz3b8B?win	Get hash	malicious	Unknown	Browse
	https://agentinstall.fleetdeck.io/fleetdeck-agent-WP1buGiXuuz5gPKfbD5LmX.exe	Get hash	malicious	Unknown	Browse
1.1.1.1	PO-230821_pdf.exe	Get hash	malicious	FormBook, NSISDropper	Browse	www.974dp.com/sn26/?kJBLpb8=qaEGeuQorcUQurUZCuE8d9pas+Z0M0brqtX248JBolEfq8j8F1R9i1jKZexhxY54UlRG&ML0tl=NZlpi
	AFfv8HpACF.exe	Get hash	malicious	Unknown	Browse	1.1.1.1/
	INVOICE_90990_PDF.exe	Get hash	malicious	FormBook	Browse	www.quranvisor.com/usvr/?mN9d3vF=HHrW7cA9N4YJlebHFvlsdlDciSnnaQItEG8Ccfxp291VjnjcuwoPACt7EOqEq4SWjIf8&Pjf81=-Zdd-V5hqhM4p2S
	Go.exe	Get hash	malicious	Unknown	Browse	1.1.1.1/
3.161.150.2	ReimagePackage.exe	Get hash	malicious	Xmrig	Browse	cdnrep.reimage.com/protector/ilst.rei

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	172.64.41.3
	Yeni sipari#U015f _TR-59647-WJO-001.vbs	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC	Browse	172.67.150.243
	http://customervoice.microsoft.com/Pages/ResponsePage.aspx?id=N_pyUL0QJkeR_KiXHZsVlyTB1Qoy7S9IkE8Ogzl8coFUM1RXUzBHU1RDUjlQOFBPUUE4QVRaS0pPSC4u	Get hash	malicious	HTMLPhisher	Browse	188.114.96.3
	original.eml	Get hash	malicious	Unknown	Browse	104.21.86.240
	FOTO#U011eRAFLAR.exe	Get hash	malicious	FormBook	Browse	104.21.41.74
	https://sites.google.com/lecollectivem.com/rfp/home	Get hash	malicious	Unknown	Browse	104.21.68.132
	https://alessiabelltravel.com	Get hash	malicious	Unknown	Browse	104.17.25.14
	Fizetes_12112024,jpg.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	https://welsfargo.com-onlinebanking.com/Xb1ExYUR6VXl0bGxmVDdXaVpyTzlKZUtudEIxbGsxOGY1VzhSNFZvZVlFTDk5T0c2Q25PS3hwcEYrL1dZdG8vVzZIUS9mVHczWklvQ1R0U1ZXaVN0L2RuN0VIbklqdzFUWVROV3E4ZnVldDhWUmZ3RDRZWmFKY0ZJOUlTWWlqWHVxNDlVTUYxYVFDQ1dBWTd0bzVKbGIrL25HZVVOTHNSMnNBcGJuaVRrZW82VHY3RVlnYThxbUpLN2lBPT0tLTRmTmYwUzZkLzlIS1VWQ2otLVNXQlpnWjRKZDUxaGNXQmpCWksyN3c9PQ==?cid=2251351141	Get hash	malicious	KnowBe4	Browse	104.17.25.14
AMAZON-02US	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	18.245.113.73
	https://disq.us/?url=https%3A%2F%2Fntx.redblocks.io%2F&key=sKOAfZD3HOV0MD3CksmWcg	Get hash	malicious	Unknown	Browse	3.76.42.133
	.i.elf	Get hash	malicious	Unknown	Browse	54.171.230.55
	original.eml	Get hash	malicious	Unknown	Browse	18.239.94.68
	FOTO#U011eRAFLAR.exe	Get hash	malicious	FormBook	Browse	13.248.169.48
	https://alessiabelltravel.com	Get hash	malicious	Unknown	Browse	143.204.98.65
	wavjjT3sEq.exe	Get hash	malicious	FormBook	Browse	54.179.173.60
	http://jackelec.com.au/	Get hash	malicious	HTMLPhisher	Browse	52.77.158.64
	https://welsfargo.com-onlinebanking.com/Xb1ExYUR6VXl0bGxmVDdXaVpyTzlKZUtudEIxbGsxOGY1VzhSNFZvZVlFTDk5T0c2Q25PS3hwcEYrL1dZdG8vVzZIUS9mVHczWklvQ1R0U1ZXaVN0L2RuN0VIbklqdzFUWVROV3E4ZnVldDhWUmZ3RDRZWmFKY0ZJOUlTWWlqWHVxNDlVTUYxYVFDQ1dBWTd0bzVKbGIrL25HZVVOTHNSMnNBcGJuaVRrZW82VHY3RVlnYThxbUpLN2lBPT0tLTRmTmYwUzZkLzlIS1VWQ2otLVNXQlpnWjRKZDUxaGNXQmpCWksyN3c9PQ==?cid=2251351141	Get hash	malicious	KnowBe4	Browse	52.217.224.48
	http://iposeidonbussiness.com/img/event_egghunt2.zip	Get hash	malicious	Unknown	Browse	52.15.180.19
QUAD9-AS-1US	ACHAT DE 2 IMMEUBLES.pdf	Get hash	malicious	Unknown	Browse	9.9.9.9
	allpdfpro.msi	Get hash	malicious	Unknown	Browse	9.9.9.9
	rPO3799039985.exe	Get hash	malicious	Remcos, GuLoader	Browse	149.112.112.112
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer	Browse	9.9.9.9
	Setup.exe	Get hash	malicious	Unknown	Browse	9.9.9.9
	Setup.exe	Get hash	malicious	Unknown	Browse	9.9.9.9
	file.exe	Get hash	malicious	Amadey, LummaC Stealer, XWorm	Browse	9.9.9.9
	http://assets.website-files.com/65e885e17261602dcdc10dce/663166d899226eaa1af23d4b_kilexi.pdf	Get hash	malicious	Unknown	Browse	9.9.9.9
	All-in-one Calculation Tool.xlsm	Get hash	malicious	Unknown	Browse	9.9.9.9
	https://agent.fleetdeck.io/RJhGzP5jyL7Wdj5mXz3b8B?win	Get hash	malicious	Unknown	Browse	9.9.9.9
AMAZON-02US	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	18.245.113.73
	https://disq.us/?url=https%3A%2F%2Fntx.redblocks.io%2F&key=sKOAfZD3HOV0MD3CksmWcg	Get hash	malicious	Unknown	Browse	3.76.42.133
	.i.elf	Get hash	malicious	Unknown	Browse	54.171.230.55
	original.eml	Get hash	malicious	Unknown	Browse	18.239.94.68
	FOTO#U011eRAFLAR.exe	Get hash	malicious	FormBook	Browse	13.248.169.48
	https://alessiabelltravel.com	Get hash	malicious	Unknown	Browse	143.204.98.65
	wavjjT3sEq.exe	Get hash	malicious	FormBook	Browse	54.179.173.60
	http://jackelec.com.au/	Get hash	malicious	HTMLPhisher	Browse	52.77.158.64
	https://welsfargo.com-onlinebanking.com/Xb1ExYUR6VXl0bGxmVDdXaVpyTzlKZUtudEIxbGsxOGY1VzhSNFZvZVlFTDk5T0c2Q25PS3hwcEYrL1dZdG8vVzZIUS9mVHczWklvQ1R0U1ZXaVN0L2RuN0VIbklqdzFUWVROV3E4ZnVldDhWUmZ3RDRZWmFKY0ZJOUlTWWlqWHVxNDlVTUYxYVFDQ1dBWTd0bzVKbGIrL25HZVVOTHNSMnNBcGJuaVRrZW82VHY3RVlnYThxbUpLN2lBPT0tLTRmTmYwUzZkLzlIS1VWQ2otLVNXQlpnWjRKZDUxaGNXQmpCWksyN3c9PQ==?cid=2251351141	Get hash	malicious	KnowBe4	Browse	52.217.224.48
	http://iposeidonbussiness.com/img/event_egghunt2.zip	Get hash	malicious	Unknown	Browse	52.15.180.19

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Program Files\chrome_Unpacker_BeginUnzipping8756_1450361068\_platform_specific\win_x64\widevinecdm.dll	allpdfpro.msi	Get hash	malicious	Unknown	Browse
	Complete_with_DocuSign_49584.pdf	Get hash	malicious	HTMLPhisher	Browse
	https://averellharriman.sharefile.com/public/share/web-sab7e0a816d3e4e0ca3a0899254901a6d	Get hash	malicious	Unknown	Browse
	DRL-272112.htm	Get hash	malicious	Unknown	Browse
	View alert details #20GBQ4J.html	Get hash	malicious	HTMLPhisher	Browse
	shelbycountytn.gov.pdf	Get hash	malicious	Unknown	Browse
	EPAYMENT_Receipt.html	Get hash	malicious	Unknown	Browse
	Capelleaandenijssel.nl_reff_9918205228_HelNc2Zf7n.html	Get hash	malicious	HTMLPhisher	Browse
	https://qrco.de/bfQgn5	Get hash	malicious	Unknown	Browse
	Inv_Doc_18#908.pdf	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Config.Msi\79f3f9.rbs

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	796921
Entropy (8bit):	6.727060293474562
Encrypted:	false
SSDEEP:	12288:DBhvCCzRj0XiKelqEcWYewoqTNjph0lhSMXleyqMGPE:NJCNKqEbCTNVh0lhSMXlFGPE
MD5:	C9A0E122E558368813105D9A34C4F0E2
SHA1:	4BCC5654C81AA32D7F8FDAE16DAB609EB28CD818
SHA-256:	DF28C34941FFB6B27297322BCC7338554F4418B37276A67D20BD52F9DF70AF99
SHA-512:	440489ADDB67F7F94B94379C384D333DDDD391DC7445760976A684D951C59143D4D1947EAC7A390FB91CE47A8D34C5FEB181CC03767A5BB0761A89C2D03142A3
Malicious:	false
Preview:	...@IXOS.@.....@.klY.@.....@.....@.....@.....@.....@......&.{4338DD3D-C6E7-44F1-8FDD-8394E9076A9A}..OneStart PDF..pdfguruhub.msi.@.....@.....@.....@........&.{4CEC43B9-B497-4A5C-A703-63AB7ADA95E6}.....@.....@.....@.....@.......@.....@.....@.......@......OneStart PDF......Rollback..Rolling back action:....RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{FEE34822-BEE6-46CA-8BC7-812252175977}&.{4338DD3D-C6E7-44F1-8FDD-8394E9076A9A}.@......&.{D8511B6D-3FAD-4D18-929C-23F5ACD99D44}&.{4338DD3D-C6E7-44F1-8FDD-8394E9076A9A}.@........CreateFolders..Creating folders..Folder: [1]#.*.C:\Users\user\AppData\Local\OneStart.ai\.@....#.=.C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\.@........AI_FdRollback..Rolling back downloaded files#.Rolling back downloaded file: "[1]"L...AI_FdRollback.@.-....h$..MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......#.

C:\Program Files\chrome_Unpacker_BeginUnzipping8756_1450361068\LICENSE

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	473
Entropy (8bit):	4.388167319950301
Encrypted:	false
SSDEEP:	6:LOT6w+DmsDZrkrDxBYRgELGNB+cIMLohXOl0t1iKR/UFioWd9+iAt4jZMeLhJoUs:iwDtVEDsCDLeelyigqBjt4eK2f55
MD5:	F6719687BED7403612EAED0B191EB4A9
SHA1:	DD03919750E45507743BD089A659E8EFCEFA7AF1
SHA-256:	AFB514E4269594234B32C873BA2CD3CC8892E836861137B531A40A1232820C59
SHA-512:	DD14A7EAE05D90F35A055A5098D09CD2233D784F6AC228B5927925241689BFF828E573B7A90A5196BFDD7AAEECF00F5C94486AD9E3910CFB07475FCFBB7F0D56
Malicious:	false
Preview:	Google LLC and its affiliates ("Google") own all legal right, title and.interest in and to the content decryption module software ("Software") and.related documentation, including any intellectual property rights in the.Software. You may not use, modify, sell, or otherwise distribute the Software.without a separate license agreement with Google. The Software is not open.source software...If you are interested in licensing the Software, please contact.www.widevine.com.

C:\Program Files\chrome_Unpacker_BeginUnzipping8756_1450361068\_metadata\verified_contents.json

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1550
Entropy (8bit):	5.9461543350675905
Encrypted:	false
SSDEEP:	48:p/hFkmoyMTI1jglp6NjkakKwk+R2VJAz5s:RhMka5adwTYQz5s
MD5:	98B310FC33843D771DA0089FA155EDB2
SHA1:	5690A43F43673B947EB4C433CB4F5488A287E29C
SHA-256:	28F09A4AF935D2894689CC00658D597257422CAFF20A01055EFD8E78AD5E829F
SHA-512:	E76830974EA54C94E857179CA0DA893E088034367CA5C33E71C1016B788E737D65AB49AD9A9E6FEB85385B963AF5C13DB0A91E3F3072AC91600E91A1CEA0AB6F
Malicious:	false
Preview:	[{"description":"treehash per file","signed_content":{"payload":"eyJjb250ZW50X2hhc2hlcyI6W3siYmxvY2tfc2l6ZSI6NDA5NiwiZGlnZXN0Ijoic2hhMjU2IiwiZmlsZXMiOlt7InBhdGgiOiJMSUNFTlNFIiwicm9vdF9oYXNoIjoicjdVVTVDYVZsQ05MTXNoenVpelR6SWlTNkRhR0VUZTFNYVFLRWpLQ0RGayJ9LHsicGF0aCI6Il9wbGF0Zm9ybV9zcGVjaWZpYy93aW5feDY0L3dpZGV2aW5lY2RtLmRsbCIsInJvb3RfaGFzaCI6IjIyaDRkdGc4WEx5b2pnb3h3STdVUWppQTRXZ1ZMSFg1YV9oWVZaTFpBNUEifSx7InBhdGgiOiJfcGxhdGZvcm1fc3BlY2lmaWMvd2luX3g2NC93aWRldmluZWNkbS5kbGwuc2lnIiwicm9vdF9oYXNoIjoiMDJOMUd3N2toUmZhRzFiQmZfelhqZFZfSmJDU3NKaDVabjJ4QXpnSGRpRSJ9LHsicGF0aCI6Im1hbmlmZXN0Lmpzb24iLCJyb290X2hhc2giOiJKYWNDM1ZPSnpIc0hmR3RPQnNINjJiM3FkS25EZEZNNGlZYlFrOEozMkNjIn1dLCJmb3JtYXQiOiJ0cmVlaGFzaCIsImhhc2hfYmxvY2tfc2l6ZSI6NDA5Nn1dLCJpdGVtX2lkIjoib2ltb21wZWNhZ25hamRlamdubmppam9iZWJhZWlnZWsiLCJpdGVtX3ZlcnNpb24iOiI0LjEwLjI4MzAuMCIsInByb3RvY29sX3ZlcnNpb24iOjF9","signatures":[{"header":{"kid":"publisher"},"protected":"eyJhbGciOiJSUzI1NiJ9","signature":"KnESAO6ts6E14P0aoVwC_yghkUn7_i9PCMh0NvK44eLJL04dv

C:\Program Files\chrome_Unpacker_BeginUnzipping8756_1450361068\_platform_specific\win_x64\widevinecdm.dll

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	19236784
Entropy (8bit):	7.70214269860876
Encrypted:	false
SSDEEP:	393216:FPRzXYeXFyjsrZuvpYl5SJIhw7PJeP9TZHZMaMq0Vrq8P:DFyjs0pYl1hwDJeVT7erq8P
MD5:	9D76604A452D6FDAD3CDAD64DBDD68A1
SHA1:	DC7E98AD3CF8D7BE84F6B3074158B7196356675B
SHA-256:	EB98FA2CFE142976B33FC3E15CF38A391F079E01CF61A82577B15107A98DEA02
SHA-512:	EDD0C26C0B1323344EB89F315876E9DEB460817FC7C52FAEDADAD34732797DAD0D73906F63F832E7C877A37DB4B2907C071748EDFAD81EA4009685385E9E9137
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: allpdfpro.msi, Detection: malicious, Browse Filename: Complete_with_DocuSign_49584.pdf, Detection: malicious, Browse Filename: , Detection: malicious, Browse Filename: DRL-272112.htm, Detection: malicious, Browse Filename: View alert details #20GBQ4J.html, Detection: malicious, Browse Filename: shelbycountytn.gov.pdf, Detection: malicious, Browse Filename: EPAYMENT_Receipt.html, Detection: malicious, Browse Filename: Capelleaandenijssel.nl_reff_9918205228_HelNc2Zf7n.html, Detection: malicious, Browse Filename: , Detection: malicious, Browse Filename: Inv_Doc_18#908.pdf, Detection: malicious, Browse
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d.....Gf.........." ......o.........P.l......................................p].....c.%...`A..........................................!.......!...... ]......`[..$...f%..!...0].0:....!.8.....................!.(...`cp.@...........p.!..............................text.....o.......o................. ..`.rdata..x.....o.......o.............@..@.data...pv8...".......".............@....pdata...$...`[..&....#.............@..@.00cfg..0.....\.......$.............@..@.gxfg... (....\......$.............@..@.retplne......\.......%..................rodata.......\.......%............. ..`.tls..........\.......%.............@..._RDATA..\.....]...... %.............@..@malloc_h......]......"%............. ..`.rsrc........ ]......$%.............@..@.reloc..0:...0]..<...%.............@..B................................................................................................

C:\Program Files\chrome_Unpacker_BeginUnzipping8756_1450361068\_platform_specific\win_x64\widevinecdm.dll.sig

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	data
Category:	dropped
Size (bytes):	1427
Entropy (8bit):	7.572464059652219
Encrypted:	false
SSDEEP:	24:38H/VZn47VBRxgCUQuODHBJeriJ8yojUdnkLvXWgl0oHLrUXAokYH/o8j/bmspTh:38HdurRxHSOlAiqYoXWVDXJ/o8zbmsFh
MD5:	A19EC48B4B28F3AA9C32150DCA8C0E39
SHA1:	02981E40B643C2A987D47BF58F42B7F3CA5AAF07
SHA-256:	D363751B0EE48517DA1B56C17FFCD78DD57F25B092B09879667DB10338077621
SHA-512:	718A24E1FB45AB0FD3DB5A5C45B0E0061D9061D8615E2A8D6DB2150BF72267E96774094A6FC07A250D5BBBC5133A1CB635D8F7ADC5B1751FA99327FCE9555941
Malicious:	false
Preview:	....0...0...........6cd/+J.v{..B...0....H........0}1.0...U....US1.0...U....Washington1.0...U....Kirkland1.0...U....Google1.0...U....Widevine1"0 ..U....widevine-codesign-root-ca0...171013173909Z..271011173909Z0y1.0...U....US1.0...U....Washington1.0...U....Kirkland1.0...U....Google1.0...U....Widevine1.0...U....widevine-vmp-codesign0.."0....H.............0.........2F..8.e..-....$r...{^........0.%.HA...sA"D.q.=6...#.J.N.......&..k;.+...<xF.......B8.)S....o..\|Ci.F.A6....J.......Y..4..{.5u.9N...=...#.M..s.F!j.f%&ld.R...?!Ot@......#.f..O..[.V.p0y....+...S.].....M.=.9...>.. ........>.:....1tl.....`D/c..j..........0..0...U......L...cC.E..R.n...$.0...U.#..0....=..tW....!.B.#U).0...U....0.0...U........0...U.%..0...+.......0...+.....y........0....H.............g.."..[..t{.4~.,.G....4K.....(x$...} ....N..b\|d......h..u6?.L.(&.Oup...$!...4R. 5.-...s...K/..U[..[.+.sAX*.~...^0..ba>;.#....x...b.-1...E..l....S.n.a....)U .q..C>d:...<[..F5...7...[.-.l}.T Lc.X..Qf...z..:.Q..e.m

C:\Program Files\chrome_Unpacker_BeginUnzipping8756_1450361068\manifest.fingerprint

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	66
Entropy (8bit):	3.9232676497295262
Encrypted:	false
SSDEEP:	3:SQTWAEVtGbSHaqHGDTzoARPkBDF:SQyANeayyTzTP6
MD5:	5BFBCC6E7AA3E9C1570C5C73F38FA8EA
SHA1:	497BAFA5658C6CE8C8010D12F104EEBEC7A1BAE2
SHA-256:	84470096167EA43C0880B39FE44B42F552014E4F85B66805C2935C542BA3CB8E
SHA-512:	41BBED6CC317FF190189D63D6D5910D30E23A5160E5FF5F635FF408AAB13452DA8174556D7120DB176701435A3329A93A7450583404D56C34A37B67F1A332EDC
Malicious:	false
Preview:	1.567f5df81ea0c9bdcfb7221f0ea091893150f8c16e3012e4f0314ba3d43f1632

C:\Program Files\chrome_Unpacker_BeginUnzipping8756_1450361068\manifest.json

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1001
Entropy (8bit):	4.774546324439748
Encrypted:	false
SSDEEP:	24:ulaihI11X1TRuRckckH3WoA0UNqLQxUNqmTxyNq+TA:C1hYl1uRfckHkseDA
MD5:	2FF237ADBC218A4934A8B361BCD3428E
SHA1:	EFAD279269D9372DCF9C65B8527792E2E9E6CA7D
SHA-256:	25A702DD5389CC7B077C6B4E06C1FAD9BDEA74A9C37453388986D093C277D827
SHA-512:	BAFD91699019AB756ADF13633B825D9D9BAE374CA146E8C05ABC70C931D491D421268A6E6549A8D284782898BC6EB99E3017FBE3A98E09CD3DFECAD19F95E542
Malicious:	false
Preview:	{. "manifest_version": 2,. "update_url": "https://clients2.google.com/service/update2/crx",. "name": "WidevineCdm",. "description": "Widevine Content Decryption Module",. "version": "4.10.2830.0",. "minimum_chrome_version": "68.0.3430.0",. "x-cdm-module-versions": "4",. "x-cdm-interface-versions": "10",. "x-cdm-host-versions": "10",. "x-cdm-codecs": "vp8,vp09,avc1,av01",. "x-cdm-persistent-license-support": true,. "x-cdm-supported-encryption-schemes": [. "cenc",. "cbcs". ],. "icons": {. "16": "imgs/icon-128x128.png",. "128": "imgs/icon-128x128.png". },. "platforms": [. {. "os": "win",. "arch": "x64",. "sub_package_path": "_platform_specific/win_x64/". },. {. "os": "win",. "arch": "x86",. "sub_package_path": "_platform_specific/win_x86/". },. {. "os": "win",. "arch": "arm64",. "sub_package_path": "_platform_specific/win_arm64/". }. ],. "accept_arch": [. "x64",. "x86_64",. "x86_64h". ].

C:\Program Files\chrome_url_fetcher_8756_811520105\oimompecagnajdejgnnjijobebaeigek_4.10.2830.0_win64_dldxogwi36sxwpr57ta4lg57z4.crx3

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	Google Chrome extension, version 3
Category:	dropped
Size (bytes):	14507539
Entropy (8bit):	7.999857010958995
Encrypted:	true
SSDEEP:	196608:xtNkRLBghAdmkjek3vps8oUarofQnLJJaTLj6llFwyrvQCGDZjaPRwFJs1:YLKhh6vpsZUaBJJaTfazrvQRDJIRwF21
MD5:	3DB950B4014A955D2142621AAEECD826
SHA1:	C2B728B05BC34B43D82379AC4CE6BDAE77D27C51
SHA-256:	567F5DF81EA0C9BDCFB7221F0EA091893150F8C16E3012E4F0314BA3D43F1632
SHA-512:	03105DCF804E4713B6ED7C281AD0343AC6D6EB2AED57A897C6A09515A8C7F3E06B344563E224365DC9159CFD8ED3EF665D6AEC18CC07AAAD66EED0DC4957DDE3
Malicious:	false
Preview:	Cr24..............0.."0....H.............0...........\7c.<........Fto.8.2'5..qk...%....2...C.F.9.#..e.xQ.......[...L\|....3>/....u.:T.7...(.yM...?V.<?........1.a...O?d.....A.H..'.MpB..T.m..Vn Ip..>k.\|1..n.<Fb..f..Q1.....s..2..{.6....Pp....obM..1.......b1.......(.u^.'z......v.F.W.X4."-eu...b.........d.x.,.......o.6.......\|..gn{F..d.."....L.....!_qC/..#......E.Z..tA....s..=...6.%@..K(.v...D.v.z..ZO$...v.,....m.V?;'...e.ajM.@1.`..Fa.}......g.C.5...+.9...F\|.b.nY.K....p..z...E.....\|...Q..Gt.<....[.")nt+.....sw.i.`c.m}.....p.p..2:. .{..N.......0..0....H............0............<.bi.......'o..h...ZD..".^.`...........zG(.....d..,.t<...ZD..g._wI.5.-..g.).._......:.P.......B..4S....$..d...............E^.A...L.>F...E.A./VpY<.O3.....!.+Pv....6.a.r..?n.L .....s...V.^..x\.T.J...5...%aGe.0"}.QGc......T.Ljh.2..k.t.ym.....H..?.y....[0Y0....H.=....*.H.=....B..............r...2..+Y.I...k..bR.j5Sl..8.......H"i.-l..`.Q.{...G0E.!.......t.>g'=>.o.k....{..

C:\Program Files\chromium_installer.log

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	1025
Entropy (8bit):	5.303901398206375
Encrypted:	false
SSDEEP:	12:wLowdpqSpBTXHHiTvwdMFT8+X144DObCQNQteYpMgNQYxYpMWNQbdYpr:wEpSbniDFL1ZDOJYZYmYF
MD5:	7D48637ACCC0F5EF7D5CD7EA157E02C6
SHA1:	05427F2E7E2420AED6FD35C91CE1BE9CC0C05640
SHA-256:	F8A903A5903C72A166C01C20F7AEC7852D48BBCB4A54AFEFC24DAB6FE3778C6E
SHA-512:	B1C28064F0B65B78FCEA2E2B6462354E8F68BB2A7CD2C2FFC3BE3B601E13297B4D5D410E5E395EE235981CF481181CFED24BFF959248C558DC7B6D19894BB9CB
Malicious:	false
Preview:	[1112/132952.953:ERROR:install_worker.cc(192)] Unexpected result creating NotificationActivator; hr=0x0.[1112/132953.134:VERBOSE1:setup_main.cc(1490)] Command Line: "C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe" --verbose-logging --create-shortcuts=0 --install-level=0.[1112/132953.134:VERBOSE1:setup_main.cc(1496)] system install is 0.[1112/132953.134:VERBOSE1:installer_state.cc(87)] Install Chrome.[1112/132953.306:VERBOSE1:install_util.cc(247)] Windows NT 10.0.19042.[1112/132953.321:VERBOSE1:install.cc(122)] Creating per-user Desktop "OneStart" shortcut to C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe..[1112/132953.446:VERBOSE1:install.cc(122)] Creating per-user Quick Launch "OneStart" shortcut to C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe..[1112/132953.509:VERBOSE1:install.cc(122)] Creating per-user Start menu "OneStart" shortcut to C:\Users\user\AppData\Local\OneStart.ai\OneStart\A

C:\Program Files\scoped_dir3236_1079717512\Favicons

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	SQLite 3.x database, last written using SQLite version 3045002, page size 2048, file counter 18, database pages 39, 1st free page 13, free pages 24, cookie 0x8, schema 4, UTF-8, version-valid-for 18
Category:	dropped
Size (bytes):	81920
Entropy (8bit):	1.5749364057089108
Encrypted:	false
SSDEEP:	192:scw2ALUAw2AuuMsHXzCFPo1AwlwALum4TfWyYOnW3LEQVc4mhxYvL:JAoMAbHXeiYXqyxnkEIaxYj
MD5:	E031C97C587586B176498FFCFA1736B0
SHA1:	CF76750D3F5F264CEAA1DAE104E0901CECBB35C5
SHA-256:	2562D003CF42EEA5AFE2FABCE4B1D1D0243A5398BA1A260A09B5783BD0103F89
SHA-512:	C0A54BF23B0F11111A86218175EF15F730B0176BA2E83B609D54003CA60E5DA76415912A17BB0D2E2DD9805374264F9A6686CA15435020E8434C31B9A79FAD4E
Malicious:	false
Preview:	SQLite format 3......@ .......'..................................................................v..........g....._.c...~.2.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................s...;+...indexfavicon_bitmaps_icon_idfavico

C:\Program Files\scoped_dir3236_1079717512\History

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	SQLite 3.x database, last written using SQLite version 3045002, file counter 21, database pages 54, 1st free page 10, free pages 14, cookie 0x50, schema 4, UTF-8, version-valid-for 21
Category:	dropped
Size (bytes):	229376
Entropy (8bit):	0.8702785449902919
Encrypted:	false
SSDEEP:	384:u0ATqjAfepy42PWoo/oftTBBE3utC7UqrDvQoJMAa:rATq8feA42PWoo/oftTBBjuUVAa
MD5:	E782D8B6164B8CF64500A01B85E5FD38
SHA1:	C9D4CEAAE1A4FA6E8E74281520262B9ABCA02E18
SHA-256:	E42275C994991D8927C6FAAF7F38E394FFC080CAB5AE61136343DA5686C9B99F
SHA-512:	1C0D174F9CF3B0AC3331013C7E9E45B5646BECF11617E635E20370E4C9289D529CE922DF9719BC3354D0B78DD2AB990AC9DE81908E5D8F799386CF3936DE340A
Malicious:	false
Preview:	SQLite format 3......@ .......6...........P......................................................v.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\Intel\ShaderCache\d8c6ae4c33664fdd6a6a6fd7a4b90579babd05307e64a853668c87454a58f5e8

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	data
Category:	dropped
Size (bytes):	51499
Entropy (8bit):	7.925033466461135
Encrypted:	false
SSDEEP:	768:bIUvCuVzHf6fzJhcIIoLDBajViw1nZTB+0BisPOJCxQKmIvk+aRzO7eNqNyiXW:bBxf4hER8wz1zEsPOJMtaOsqNyim
MD5:	21C3B59BDB5AE3AA082DDDDA51D4056E
SHA1:	38A60C63EB915942268E374878FFE4F4669790DF
SHA-256:	FD3EF0557DC426B3E39BF22EF61F39014F2A7AF089AACC6A68F5FA2EDC80B206
SHA-512:	FC88A2CAC922D8C431B6FFAF506CF77B345161E8DAC018CEDEE479D769BD3224AE94725E991B07E81895500E87412C75914415E98B9030EDCB1EE1338457E624
Malicious:	false
Preview:	INSC.>.....Mar222021151921.J...P..i$;..?f.....1\|..6...Wo....D~..j......................=I..p.Ex..=KC1..O"M....?PR..`._."..E.A......"~.Z/........vu......kNN...Q...O.......=...81...y.-.M..{?...........6...5.....30;m>.........@%..N......jn..8......"i....$\|.M"............\|...vW...U..f.s.U......PK\...u.......N..+y.`m....?...(nH..........3...0.y..P@.......Y....O]..$...`.2..X.)y~...9.u.x.$^.... ..;...........%a`......O.o..YfD.^;..[=).../...L.q.<....)....o.........(................6..pHLY&x...k.U....I7Y..../...Y..EW..".."....%aC.eE.4..m..=h.#.C)..T...%U..[..!...............ZQ.n.....{.....G..z...._.o'......o.....G.{..[.1.G.6..j.R.]..2EK.......T.."I.......R....B.m...:..%.2.$.B.u7.........t{Y.....n..)........Iq.vZ..b...<...^.o.k.m..w.....G..-O].......W........M/C.m.g..uckkL..._f.Y.....(.#..x.<.....O^..y....j.f..i....F....`J...~......./....../.2._.R.K=!*.K=.zKTF.V.9QyF..~..p......n.=:...5d...v...e.q0nY>...G.....{.rz...guy..ie...

C:\Users\user\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Download File

Process:	C:\Program Files\Google\Chrome\Application\128.0.6613.120\notification_helper.exe
File Type:	data
Category:	dropped
Size (bytes):	40
Entropy (8bit):	3.254162526001658
Encrypted:	false
SSDEEP:	3:FkXzcrK4sGe:+zcxne
MD5:	1FFC8D842569A9307FC85E7587770C05
SHA1:	E4A8E698E8A20F3BC0AE027C7DE553C0691C66F4
SHA-256:	448E44A1487C1EFA839B3DE46C71EB52D6B163E01274A9F8482E056B3AC9E1CC
SHA-512:	3F0261C27609BF5C87B325F4C2D18060D74D85C747ABAD9A24E3D6403B724B760E1E0BEE94EC93402D4C3AA0720000DFC9F96012F46E9923F83B01D1E63465B1
Malicious:	false
Preview:	sdPC....................{...UN..Fe\.c{

C:\Users\user\AppData\Local\Google\Chrome\User Data\NotificationHelperMetrics\56821d5b-dd6d-4e3d-b815-b8a2785eaa05.tmp

Download File

Process:	C:\Program Files\Google\Chrome\Application\128.0.6613.120\notification_helper.exe
File Type:	data
Category:	modified
Size (bytes):	1136
Entropy (8bit):	4.193402025622679
Encrypted:	false
SSDEEP:	24:bi4xPEMbMkb1s1DSVQrdYWoIU2lWMwHbaAgI6:bi2PXMM3WNW7b6I6
MD5:	8CF31B5ABF6F612933EB6E0FA0DF98AE
SHA1:	58365F82B5BD35A69941258DDC0A9F3D15EA6CEB
SHA-256:	32E4219E253D4BA5BE65E657EB1F205265640C2E105A6E90908A0A91CF0A81A6
SHA-512:	664BDE741CC197CCB35BEFFBD7341A8481FDC128F71105EAC44ECF046649797961443AE7E6A242554F4F34E3BE29C502C5B869B8C273BD8CA7AB87FCD761E04F
Malicious:	false
Preview:	...@....................@...............p...................p...0...i.y.........NotificationHelperMetrics...........i.y..Yd.x.......A.......e............,..........=[L....................=[L................UMA.PersistentAllocator.NotificationHelperMetrics.UsedPct.......h...i.y.[".................................!...&...+...0...6...;...@...E...K...P...U...Z...`...e...........i.y..Yd.8.......A...................V..>......m.&Y@..................m.&Y@................UMA.PersistentAllocator.NotificationHelperMetrics.Errors........ ...i.y.[".........................i.y..Yd.........A.............................(%.+g..................(%.+g................Notifications.NotificationHelper.ComServerModuleStatus..0...i.y.[".........................................i.y..Yd.0.......A....... ...2................%[:.....................%[:....................Notifications.NotificationHelper.ServerRuntime......i.y.["......................................................... ...)...4...B...T...

C:\Users\user\AppData\Local\Google\Chrome\User Data\NotificationHelperMetrics\8552_13375909792972402.pma (copy)

Download File

Process:	C:\Program Files\Google\Chrome\Application\128.0.6613.120\notification_helper.exe
File Type:	data
Category:	dropped
Size (bytes):	1136
Entropy (8bit):	4.193402025622679
Encrypted:	false
SSDEEP:	24:bi4xPEMbMkb1s1DSVQrdYWoIU2lWMwHbaAgI6:bi2PXMM3WNW7b6I6
MD5:	8CF31B5ABF6F612933EB6E0FA0DF98AE
SHA1:	58365F82B5BD35A69941258DDC0A9F3D15EA6CEB
SHA-256:	32E4219E253D4BA5BE65E657EB1F205265640C2E105A6E90908A0A91CF0A81A6
SHA-512:	664BDE741CC197CCB35BEFFBD7341A8481FDC128F71105EAC44ECF046649797961443AE7E6A242554F4F34E3BE29C502C5B869B8C273BD8CA7AB87FCD761E04F
Malicious:	false
Preview:	...@....................@...............p...................p...0...i.y.........NotificationHelperMetrics...........i.y..Yd.x.......A.......e............,..........=[L....................=[L................UMA.PersistentAllocator.NotificationHelperMetrics.UsedPct.......h...i.y.[".................................!...&...+...0...6...;...@...E...K...P...U...Z...`...e...........i.y..Yd.8.......A...................V..>......m.&Y@..................m.&Y@................UMA.PersistentAllocator.NotificationHelperMetrics.Errors........ ...i.y.[".........................i.y..Yd.........A.............................(%.+g..................(%.+g................Notifications.NotificationHelper.ComServerModuleStatus..0...i.y.[".........................................i.y..Yd.0.......A....... ...2................%[:.....................%[:....................Notifications.NotificationHelper.ServerRuntime......i.y.["......................................................... ...)...4...B...T...

C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\ONESTART.PACKED.7Z

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\onestart_installer.exe
File Type:	7-zip archive data, version 0.4
Category:	dropped
Size (bytes):	97589271
Entropy (8bit):	7.999997971451705
Encrypted:	true
SSDEEP:	1572864:C+q5eP+kLYicWrYfPhfEIjIWhlb5Nz5sNVJc7ccX4FA/0fynfgsGHEusNyYJqsxS:CYxLYicU2JJjI09NzeVGccX4m/Xs3s58
MD5:	2D2ABEEED4D09B3A6EF156BC960605E7
SHA1:	46FFEFB61BBE6BAB569C65623A257E2F4153F639
SHA-256:	8C24DA149B6617CA134BB31B1DFA992D0A8E1E2C5EAE68C52F6D8B3F54E7D048
SHA-512:	3DC986CF50F1383FB43A1E5A92C1655C6E6FE264C855EA6E485F2B24D84CA5416418314AF3ADB6ABE5F940C5B5EB4412A06AA7807D9F411B77C3162109172835
Malicious:	false
Preview:	7z..'.....'4e.................,.......8%D..K....S].Q>C.<...m....]^....4.C.H.....o/A..D-N5N.P..O..o...I.I~...p......T.~......?.f:...i~g`R..#4......d..A$3U....6.q..7>.bJ.\ ......[....1.......Beo...4........S.S.f.:.w8U..r.....T..R .#.5V7h~....a.g.N.b>.{.....}1d6..Z.].^.kM.%..... "($%...,]..........FH.\B3-.(P}R.<.u..\..]..kh...;.....W....v8...X.-%....t..%..B_u.....y...1..e.G.o..c.=]. ._3....... 7K5....icCl..?s...A.......T...X\|.z&.zb.l.:.R..>e{I...']..ctJ....9v.R.8....u.k.._....hl...w/g:...i.BA..7..".i"x.]4.Q]U...o..a.M8...y...bO.-....S_.iF9.2...g>(....n..0.{)yY.5@N...E02..3%.Sa.}m.`.n.~."S'...-.@m.....Y.W.....j..AM.}..N.D....A..V0..^.F.$..?e=.,...1I..[..M....&.\....[9.<.JUSX$@...oO....:,.....iQ....wf.....A......%.....<d=C.........1..ov6..c..+.-.yN.#W....r..~....7),X....l...W.fxi.+heH..x.J_.......$...Z`..7-....L..wJ....R...4Q.^Q....i.......O.....]...n.=g..%...w}...?...~.r..>=K4.....N...,C.W.....VM...2...Q..:.V.w.M..}..}..pL..F...~.=0..1..2...{..%YE.

C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\SETUP.EX_

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\onestart_installer.exe
File Type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 1601999 bytes, 1 file, at 0x2c "setup.exe", number 1, 102 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	1601999
Entropy (8bit):	7.998103054393423
Encrypted:	true
SSDEEP:	24576:t2GEFLRI9mwh5XqLX2jDR3H1ek6pDXsur8mMXTyxsZ7lCwMWSsxxWRFL:t29slRH1t6xXTr8T/Z7T4sxx8
MD5:	6BEA644AF8C130CB6B3EB7A4C73130B7
SHA1:	CBE9AC23AFE6A9F0B15BDCB35B40D6AF93178810
SHA-256:	B6D16C00E9CE084F3003068812F4159E729B3B098735782F50556D2FEE942EFC
SHA-512:	6B10B28B8C53F1BBCE224CCF38FBB586117925AF51B10B45410E73812CFEAE41248EBE9C58857F1ECF9311218B158A7C81E8A515DAB1B99E9AE806680B4F26E2
Malicious:	false
Preview:	MSCF.....q......,...................F...f...@.2.......\Y.P..setup.exe......,..CK.}.xT....`@... X.;.D.&....Wg$.s......."b....(.JM.$...y7....k{[^......~..E}.;...DI..@ ...3.4..$....>g.._~....W./.....o......3x....p.....sq#....So{{..I...a..U...lU..\|.....y7.V?m[..u.g......=.]..<;...r...p.].....n..7....q+.0:...q..".T..q..1....KL../...Fc.qI.g.99s.%p..._"..\|........A...p....}......:x.73.,....[...:.._.1...,m.yNJ......p=...B..&..q...yr..w.y< .>...w....\|.<......\...s....U...#..9.zqn2.....(./!!.I.......zc..uO.....4G...~.....eT..[../...]...o>6......O...]P..............C..z..]..K.w..o]>6...oP.P..d..R....Q'P78..{..=.$..d.x!...........e.K......h.B....D".x......_+.u.\..l0...^Wx.#..4.3yA..._...n..-6q.C........0..-6.!.o.%...ex.n..>>.s..p`..~.1.._.....4.K..Y..d>.....'2s...GX...7J.1.>J.......1.....R.L....B.X....M.gWJy..%...m...I`.+.F4X$.44AHX$.....{..v....^...:.........[`...F../`qy8.bA..uV.5.hup.....91...&....u......T..B....7AX.......j.@0.)..}b.1f.3.Fn...,.

C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\onestart_installer.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	3330112
Entropy (8bit):	6.520195981632251
Encrypted:	false
SSDEEP:	49152:l32tjU3Km3ORjnkrIfIfea5Ek5N6rWWYQpSlIaTXZYHAZS:VWYrneaJWYhjYHP
MD5:	40645767C9F2306C3CB537E558C38229
SHA1:	207EA7356610F662F4A31650D0198901157E119B
SHA-256:	3BDD227CB6071E40D340E93F822557F3CC3530737D0CEBC37A70473E2F360223
SHA-512:	020F0169BA60E9EF351E6B4FECB92DD5B63FCD1FB279EDB5041DF4D1DF77B12027F5B5E99B33B426F5D8E095688F1749C21F3E13F0FFA1DBE9DB74394305AB28
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d......f.........."......2&..^......@..........@..............................4......+3...`.........................................+.+.N...\|.+......./.......-.p.....2.@(....3.4............................(...Pb&.@............(+.......+.@....................text....0&......2&................. ..`.rdata.......P&......6&.............@..@.data...$.... ,.......+.............@....pdata..p.....-..0....,.............@..@.gxfg....3... /..4..."..............@..@.retplne.....`/......V...................tls.........p/......X..............@...CPADinfo8...../......Z..............@...LZMADEC......./......\.............. ..`_RDATA......../......n..............@..@.rsrc........./......p..............@..@.reloc..4....3..,...\|2.............@..B........................................................................................................................................

C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\onestart_installer.exe (copy)

Download File

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	100687936
Entropy (8bit):	7.998806929000577
Encrypted:	true
SSDEEP:	3145728:HeYxLYicU2JJjI09NzeVGccX4m/Xs3s5OFqeMDOUVp6:zxkit2JJdteVK4hswrrk6
MD5:	D8B0C9FE7DC26581D1E8DA64D648E0AC
SHA1:	E8ABF2C160A5FA6B5CA0C367B72C3618A7890BB5
SHA-256:	A55E9C8D220C848B9EF0188FAB0851C5C3E766EF9BE140956C69BB9EE24D79A1
SHA-512:	8963113CCB40C746FBCC7B7D775BE6218EB983252861115C40C9CF1BF4BBB28C00EB107D0951C3866AFB2503F59150C13592EF7F83E8A1D85C4AF2F9AC8C5907
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d......f.........."......d...........`.........@.............................@......`#....`..........................................H..W...(I......................8..@(... ......,:.......................9..(.......@............Q...............................text....c.......d.................. ..`.rdata..<x.......z...h..............@..@.data...............................@....pdata.............................@..@.gxfg...@.... ...0...R..............@..@.retplne.....P...........................tls....I....`......................@..._RDATA.......p......................@..@.rsrc...............................@..@.reloc....... ....... ..............@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\onestart_installer.exe.part

Download File

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	100687936
Entropy (8bit):	7.998806929000577
Encrypted:	true
SSDEEP:	3145728:HeYxLYicU2JJjI09NzeVGccX4m/Xs3s5OFqeMDOUVp6:zxkit2JJdteVK4hswrrk6
MD5:	D8B0C9FE7DC26581D1E8DA64D648E0AC
SHA1:	E8ABF2C160A5FA6B5CA0C367B72C3618A7890BB5
SHA-256:	A55E9C8D220C848B9EF0188FAB0851C5C3E766EF9BE140956C69BB9EE24D79A1
SHA-512:	8963113CCB40C746FBCC7B7D775BE6218EB983252861115C40C9CF1BF4BBB28C00EB107D0951C3866AFB2503F59150C13592EF7F83E8A1D85C4AF2F9AC8C5907
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d......f.........."......d...........`.........@.............................@......`#....`..........................................H..W...(I......................8..@(... ......,:.......................9..(.......@............Q...............................text....c.......d.................. ..`.rdata..<x.......z...h..............@..@.data...............................@....pdata.............................@..@.gxfg...@.... ...0...R..............@..@.retplne.....P...........................tls....I....`......................@..._RDATA.......p......................@..@.rsrc...............................@..@.reloc....... ....... ..............@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\OneStart.ai\OneStart\.data\OneStart.json

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\onestart_installer.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	242
Entropy (8bit):	4.4188006504930115
Encrypted:	false
SSDEEP:	6:YEqJHHrlfLHRU3TalrXDRii6DxGRKc8KHY:YRdHCMZH6DsRPY
MD5:	486A208FFA5DACBCBE1EB68F2406311A
SHA1:	5546927DE14C0ED7249EDFBBF15E728E2A3644B6
SHA-256:	90A18CD27BED6C5CD8ECBEEDC58CC75C17B522B0C350B51ADDF7C1E31A44FBED
SHA-512:	AA4E7C8A43257A676DA0155BBD1A9ED6A3E1E8EAE99715403CCB7D80D6ABE925EEB5E3CCC585863F858367C011ECDFEAEC0FDBA162200E980A066D355F7DEDF0
Malicious:	false
Preview:	{"ai":"15","bb_mode":"0","cid":"","date":"1731436162","db_mode":"1","fhkey":"","iid":"40f05e8e-ef61-4211-af81-78bf374c0ab8","init_background":"1","init_startup":"1","p_index":"0","uac":"","uac_attempt":"","uac_last":"","wake":"24","wciid":""}

C:\Users\user\AppData\Local\OneStart.ai\OneStart\.data\updates.dat

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	Generic INItialization configuration [OneStart]
Category:	dropped
Size (bytes):	1018
Entropy (8bit):	5.339066121307136
Encrypted:	false
SSDEEP:	24:1VWj0cTPYJimQZ6ETdgN2WrhVngNJh6/NA:OQcTQJdQZ62dgOJh61A
MD5:	B9385DFD7D70750BD5980EB584CCD432
SHA1:	E06F0D2CED19B6CA05D77199D46C578AA7E388A7
SHA-256:	349E960D72012A89A6A7C332B5DBC43A6556522C2C35720A521F1778EAB7011D
SHA-512:	5C5D4177A618E551AD7F41124C52929F1FB036094BBB30E4C347E7EE756126D54AC7881D3C4884F6E0A9CD29E0F9A773425F5B0054B764C498C3D2BF39296CD6
Malicious:	false
Preview:	;aiu;......[Update]...Name = OneStart Software...ProductVersion = 10.116.180.0...URL = https://d1cvahyfkfdxyq.cloudfront.net/OneStartSetup-v10.116.180.0.msi...URL1 = https://atlasox.s3.amazonaws.com/bb/OneStartSetup-v10.116.180.0.msi...Size = 90251776...MD5 = a6bcc328c50138792caf8c546081b750...CommandLine = /qn...ServerFileName = OneStartSetup-v10.116.180.0.msi...Flags = SilentInstall...RegistryKey = HKCU\SOFTWARE\OneStart.ai\OneStart Software\Version...Version = 10.116.180.0...UpdatedApplications = OneStart Software(1.0-1.1.102.18136]......[OneStart]...Name = OneStart...ProductVersion = 128.0.6613.125...URL = https://resources.onestart.ai/onestart_installer_128.0.6613.125.exe...Size = 100703296...MD5 = 6e916c44a4b1da39536ee07f1b4b234b...CommandLine = /qn...ServerFileName = onestart_installer_128.0.6613.125.exe...Flags = SilentInstall...RegistryKey = HKUD\Software\OneStart.ai\OneStart Software\Version...Version = 128.0.6613.125...UpdatedApplications = OneStart[125.0.6422.142];OneStart[

C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\128.0.6613.124\Installer\onestart.7z (copy)

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe
File Type:	7-zip archive data, version 0.4
Category:	dropped
Size (bytes):	347967262
Entropy (8bit):	6.910275712488894
Encrypted:	false
SSDEEP:	3145728:TKRr9hiPSRrsCTWZjqZG02D3SqByupAPGVpY:TKtP1RQgWWJN
MD5:	FAC1C17300C7438BCF8C0F6D343C688B
SHA1:	F99A2F3F985EF968302DACD029BA43EC72E2AFAE
SHA-256:	CAA4AEFE89EA50A78A64A21C347E2018B5ADD95618C2E4E86E3662BB2488F99D
SHA-512:	7599010784294EF06A5D7F68E458B2D48DC2BCCE3759AF8BCE08A47FB214AA295242EEB0DF1298B35EC348CCD3757CD85D0BD71200CD071099A1F11C1046B28E
Malicious:	false
Preview:	7z..'....:L........&.........6l<assembly.. xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'>.. <assemblyIdentity.. name='128.0.6613.124'.. version='128.0.6613.124'.. type='win32'/>.. <file name='chrome_elf.dll'/>..</assembly>..MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d......f.........." .........<........[......................................@3.....+D....`A........................................\|......................0..8.\.....@(...0.......w.8.....................w.(....S..@...................X........................text............................... ..`.rdata.......0......."..............@..@.data...(....P.......<..............@....pdata..8.\..0....\.................@..@.gxfg....C... ...D..................@..@.retplne.....p.......&...................rodata..............(.............. ..`.tls.................:..............@...CPADinfo8............J..............

C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\SetupMetrics\8628_13375909793540547.pma (copy)

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	520
Entropy (8bit):	3.761109325737151
Encrypted:	false
SSDEEP:
MD5:	D7BDECBDDAC6262E516E22A4D6F24F0B
SHA1:	1A633EE43641FA78FBE959D13FA18654FD4A90BE
SHA-256:	DB3BE7C6D81B2387C39B32D15C096173022CCCEE1015571DD3E09F2A69B508A9
SHA-512:	1E72DB18DE776FE264DB3052CE9A842C9766A720A9119FC6605F795C36D4C7BF8F77680C5564F36E591368CCD354104A7412F267C4157F04C4926BCE51AEEAA1
Malicious:	false
Preview:	...@....................@...................X...............`... ...i.y.........SetupMetrics........i.y..Yd.X.......A.......e............,.........C.3...................C.3................UMA.PersistentAllocator.SetupMetrics.UsedPct....h...i.y.[".................................!...&...+...0...6...;...@...E...K...P...U...Z...`...e...........i.y..Yd.0.......A...................V..>.....T.A.^.#.................T.A.^.#................UMA.PersistentAllocator.SetupMetrics.Errors..... ...i.y.[".....................

C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\SetupMetrics\be1b0a1a-5b4e-4511-8646-eee0bc4e19d4.tmp

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe
File Type:	data
Category:	modified
Size (bytes):	520
Entropy (8bit):	3.761109325737151
Encrypted:	false
SSDEEP:
MD5:	D7BDECBDDAC6262E516E22A4D6F24F0B
SHA1:	1A633EE43641FA78FBE959D13FA18654FD4A90BE
SHA-256:	DB3BE7C6D81B2387C39B32D15C096173022CCCEE1015571DD3E09F2A69B508A9
SHA-512:	1E72DB18DE776FE264DB3052CE9A842C9766A720A9119FC6605F795C36D4C7BF8F77680C5564F36E591368CCD354104A7412F267C4157F04C4926BCE51AEEAA1
Malicious:	false
Preview:	...@....................@...................X...............`... ...i.y.........SetupMetrics........i.y..Yd.X.......A.......e............,.........C.3...................C.3................UMA.PersistentAllocator.SetupMetrics.UsedPct....h...i.y.[".................................!...&...+...0...6...;...@...E...K...P...U...Z...`...e...........i.y..Yd.0.......A...................V..>.....T.A.^.#.................T.A.^.#................UMA.PersistentAllocator.SetupMetrics.Errors..... ...i.y.[".....................

C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\chrome_proxy.exe (copy)

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	3330112
Entropy (8bit):	6.520195981632251
Encrypted:	false
SSDEEP:
MD5:	40645767C9F2306C3CB537E558C38229
SHA1:	207EA7356610F662F4A31650D0198901157E119B
SHA-256:	3BDD227CB6071E40D340E93F822557F3CC3530737D0CEBC37A70473E2F360223
SHA-512:	020F0169BA60E9EF351E6B4FECB92DD5B63FCD1FB279EDB5041DF4D1DF77B12027F5B5E99B33B426F5D8E095688F1749C21F3E13F0FFA1DBE9DB74394305AB28
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d......f.........."......2&..^......@..........@..............................4......+3...`.........................................+.+.N...\|.+......./.......-.p.....2.@(....3.4............................(...Pb&.@............(+.......+.@....................text....0&......2&................. ..`.rdata.......P&......6&.............@..@.data...$.... ,.......+.............@....pdata..p.....-..0....,.............@..@.gxfg....3... /..4..."..............@..@.retplne.....`/......V...................tls.........p/......X..............@...CPADinfo8...../......Z..............@...LZMADEC......./......\.............. ..`_RDATA......../......n..............@..@.rsrc........./......p..............@..@.reloc..4....3..,...\|2.............@..B........................................................................................................................................

C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\master_preferences

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\onestart_installer.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	159
Entropy (8bit):	4.286966456484247
Encrypted:	false
SSDEEP:
MD5:	746E45D4BE2D95012AFF9A0716E811F6
SHA1:	3AF1BEF7086D7512F800084FC7C95FE994C6A459
SHA-256:	5269F6E042E298253D298CBE4A10EFECE8276BF8058A679DD81A9FA6FE91C060
SHA-512:	33A491D07D6360655D2DF4191458CBB57E6FEF8C583B7B049EC016CA43E5436711DCEEFDAF10335A90DF5FE1C7328A51530BCC87FD1268352B385532D11C2412
Malicious:	false
Preview:	{"distribution":{"import_bookmarks":"true","import_history":"true","verbose_logging":"true","log_file":"onestartsetup.log"},"session":{"restore_on_startup":1}}

C:\Users\user\AppData\Local\OneStart.ai\OneStart\Temp\source8412_1839449235\onestart-bin\128.0.6613.124\128.0.6613.124.manifest

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	228
Entropy (8bit):	4.929187089155931
Encrypted:	false
SSDEEP:
MD5:	EBDCD8B022B4624A744B2C80D2049E8F
SHA1:	E8A0DE9B8214D5473FFD5A5B0C4E71813AF1DD5F
SHA-256:	E6C09FA1F533A0B7EE29DD3E6BFE07CF20040087ED46F5895FB529C39727BF10
SHA-512:	22FFEA6A3E0D61F66A2D1B239D2DEDB18CFDF24D156179AE444D41DEC478A9345B124F8775DC287E9F31CB77DF04EB4743C398B66C5E7547391086EE4D57D1E2
Malicious:	false
Preview:	<assembly.. xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'>.. <assemblyIdentity.. name='128.0.6613.124'.. version='128.0.6613.124'.. type='win32'/>.. <file name='chrome_elf.dll'/>..</assembly>..

C:\Users\user\AppData\Local\OneStart.ai\OneStart\Temp\source8412_1839449235\onestart-bin\128.0.6613.124\chrome.dll

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	235909696
Entropy (8bit):	6.706514839318994
Encrypted:	false
SSDEEP:
MD5:	77729D5F19AD1581CD30424E160C137B
SHA1:	00568FA1E9BD1251C9615B6F9B30F923E390A5DE
SHA-256:	F8EF4CE4F40A6E8F8DAAFBB4D148D3005E82F11E7AB4348ABA1DA7E8DDC28BF2
SHA-512:	7AE2FF919D9F554AF9334D8C1E1A3FEFD8CC1566830A0466196924B36E50F37F783E0D3319D90D5D244B51B199F0E17D27E214D102869D0C593C4E749D8225BB
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d......f.........." .........<........[......................................@3.....+D....`A........................................\|......................0..8.\.....@(...0.......w.8.....................w.(....S..@...................X........................text............................... ..`.rdata.......0......."..............@..@.data...(....P.......<..............@....pdata..8.\..0....\.................@..@.gxfg....C... ...D..................@..@.retplne.....p.......&...................rodata..............(.............. ..`.tls.................:..............@...CPADinfo8............J..............@...LZMADEC..............L.............. ..`_RDATA...............^..............@..@malloc_h.............`.............. ..`prot.................f..............@..@.rsrc............ ...h..............@..@.reloc.......0......................@..B................

C:\Users\user\AppData\Local\OneStart.ai\OneStart\Temp\source8412_1839449235\onestart.7z

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe
File Type:	7-zip archive data, version 0.4
Category:	dropped
Size (bytes):	347967262
Entropy (8bit):	6.910275712488894
Encrypted:	false
SSDEEP:
MD5:	FAC1C17300C7438BCF8C0F6D343C688B
SHA1:	F99A2F3F985EF968302DACD029BA43EC72E2AFAE
SHA-256:	CAA4AEFE89EA50A78A64A21C347E2018B5ADD95618C2E4E86E3662BB2488F99D
SHA-512:	7599010784294EF06A5D7F68E458B2D48DC2BCCE3759AF8BCE08A47FB214AA295242EEB0DF1298B35EC348CCD3757CD85D0BD71200CD071099A1F11C1046B28E
Malicious:	false
Preview:	7z..'....:L........&.........6l<assembly.. xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'>.. <assemblyIdentity.. name='128.0.6613.124'.. version='128.0.6613.124'.. type='win32'/>.. <file name='chrome_elf.dll'/>..</assembly>..MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d......f.........." .........<........[......................................@3.....+D....`A........................................\|......................0..8.\.....@(...0.......w.8.....................w.(....S..@...................X........................text............................... ..`.rdata.......0......."..............@..@.data...(....P.......<..............@....pdata..8.\..0....\.................@..@.gxfg....C... ...D..................@..@.retplne.....p.......&...................rodata..............(.............. ..`.tls.................:..............@...CPADinfo8............J..............

C:\Users\user\AppData\Local\OneStart.ai\OneStart\Update\transfer.dat

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\onestart_installer.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:
MD5:	9BF31C7FF062936A96D3C8BD1F8F2FF3
SHA1:	F1ABD670358E036C31296E66B3B66C382AC00812
SHA-256:	E629FA6598D732768F7C726B4B621285F9C3B85303900AA912017DB7617D8BDB
SHA-512:	9A6398CFFC55ADE35B39F1E41CF46C7C491744961853FF9571D09ABB55A78976F72C34CD7A8787674EFA1C226EAA2494DBD0A133169C9E4E2369A7D2D02DE31A
Malicious:	false
Preview:	15

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\41e2a9f2-c834-4373-80e3-2ff65c869d26.tmp

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	847
Entropy (8bit):	5.66140215321506
Encrypted:	false
SSDEEP:
MD5:	EC10E54723ABD97A68976E788CDEC3C4
SHA1:	4EE255BB8182EB90396980D4E8FEB674AEF8063A
SHA-256:	94E235EB94F2CD1527C8512EB02FE98284B12359174EEACC01CD6E1CC3AD39B2
SHA-512:	1DF12BBC334854B7001348B2FCF846E417FFF79B5351C4E01755B30A555E179993D695A217FDF11E670062AC2EC351A794D0AA589C7463EE6DBAF4DE495B1C83
Malicious:	false
Preview:	{"background_tracing":{"session_state":{"privacy_filter":true,"state":0}},"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAAA6vxecm76BQJWKOsxqFV2AEAAAABIAAABPAG4AZQBTAHQAYQByAHQAAAAQZgAAAAEAACAAAAAWx9yjBoYOqSygDGsaITTZQunZedqU0HzyKkjvBQUQHAAAAAAOgAAAAAIAACAAAADlsblOoGehQSJgBx2IMu0SmjROOsRghHcaznydx24tDjAAAADnETdKKL4VzmAOxmNJtXHxQlRQsjbmMIGGR1JBMZXxCSfklja4rQ0ABk0FnqfBOxxAAAAAjp4rCHCcdoEKNeSWQO3QtcXVU2pOGRZjJXBps464SqFgtO+cjOOrfdb7DSOgA/hsvpEY29Hae4iqIfoVaOgrOg=="},"uninstall_metrics":{"installation_date2":"1731436195"},"user_experience_metrics":{"limited_entropy_randomization_source":"DBC6BFE2ECE69C7E01D6283A97F1D763","low_entropy_source3":6974,"pseudo_low_entropy_source":3767,"stability":{"browser_last_live_timestamp":"13375909795081666"}},"variations_limited_entropy_synthetic_trial_seed_v2":"84"}

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\495b334a-2c1b-480f-af95-dd8bda60a783.tmp

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3607
Entropy (8bit):	5.386423464516443
Encrypted:	false
SSDEEP:
MD5:	D14B680D269232A3D611560B09E24DA7
SHA1:	53DB3F27F64765BDDFE97D07BAC8F5E29BA4A529
SHA-256:	AA7EAE61ACFC57BCD9602E7DC7678B7AEB9FCE40934ABCA3B316744F9B96C8D6
SHA-512:	B63358FB71F7EAEEE0155F844B04FBFE496ECDAFE127C982D3F848B864BE81ADFC04981803B86BBDDB4FC4F06C78DA05083F1688FC10EA1C9B96979DAB8B5578
Malicious:	false
Preview:	{"autofill":{"ablation_seed":"Y2zO35uayqM="},"background_mode":{"enabled":true},"background_tracing":{"session_state":{"privacy_filter":true,"state":0}},"breadcrumbs":{"enabled":false,"enabled_time":"13375909795512130"},"browser":{"first_run_finished":true,"shortcut_migration_version":"128.0.6613.124"},"check_updates_on_startup":{"enabled":true},"hardware_acceleration_mode_previous":true,"keep_app_up_to_date":{"enabled":true},"launch_browser_on_startup":{"enabled":true},"launch_browser_on_wake":{"enabled":true},"launch_dock_on_startup":{"enabled":true},"legacy":{"profile":{"name":{"migrated":true}}},"local":{"password_hash_data_list":[]},"management":{"platform":{"azure_active_directory":0,"enterprise_mdm_win":0}},"optimization_guide":{"model_store_metadata":{}},"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAAA6vxecm76BQJWKOsxqFV2AEAAAABIAAABPAG4AZQBTAHQAYQByAHQAAAAQZgAAAAEAACAAAAAWx9yjBoYOqSygDGsaITTZQunZedqU0HzyKkjvBQUQHAAAAAAOgAAAAAIAACAAAADls

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\4e67d7bb-9ee0-49b1-9232-a59d385f7d04.tmp

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3719
Entropy (8bit):	5.3977061773646575
Encrypted:	false
SSDEEP:
MD5:	6884D99B4F2F099530FF683460AF3C51
SHA1:	9C22CEB86778DA3F94F9B3E84AAAA24F2354FE04
SHA-256:	2FDA288E915CFFDDA1F36F38B80248D550966AC5A603CFAAF4A44D6ED1144CD9
SHA-512:	FA0B6B89050409CFD71305741CF4D2DBB146194918B0CE06967BA23799AF294BDC1D4DB53B3F5E2A6B000B8ED90D3EB0B983E20B05A5B336C2346BBE4B084B93
Malicious:	false
Preview:	{"autofill":{"ablation_seed":"Y2zO35uayqM="},"background_mode":{"enabled":true},"background_tracing":{"session_state":{"privacy_filter":true,"state":0}},"breadcrumbs":{"enabled":false,"enabled_time":"13375909795512130"},"browser":{"first_run_finished":true,"shortcut_migration_version":"128.0.6613.124"},"check_updates_on_startup":{"enabled":true},"hardware_acceleration_mode_previous":true,"keep_app_up_to_date":{"enabled":true},"launch_browser_on_startup":{"enabled":true},"launch_browser_on_wake":{"enabled":true},"launch_dock_on_startup":{"enabled":true},"legacy":{"profile":{"name":{"migrated":true}}},"local":{"password_hash_data_list":[]},"management":{"platform":{"azure_active_directory":0,"enterprise_mdm_win":0}},"optimization_guide":{"model_store_metadata":{}},"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAAA6vxecm76BQJWKOsxqFV2AEAAAABIAAABPAG4AZQBTAHQAYQByAHQAAAAQZgAAAAEAACAAAAAWx9yjBoYOqSygDGsaITTZQunZedqU0HzyKkjvBQUQHAAAAAAOgAAAAAIAACAAAADls

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\BrowserMetrics\BrowserMetrics-67339EA2-2234.pma

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	data
Category:	dropped
Size (bytes):	4194304
Entropy (8bit):	0.5160948588185903
Encrypted:	false
SSDEEP:
MD5:	56EDD891F990224DE4D724ABC03B593A
SHA1:	7C904BE9270A9C8B387976998AC57FAE3A1426C6
SHA-256:	7FA48D5A2B65ED1CDB697B6813C385191F3C8C59D8B8F53FFE68B7B4C1EE19CA
SHA-512:	7C4AD9D0D13072EAEC23BC7973ACC5AD41B6A0BEB54410E640F5AEDECF977C9D7398E5661F3CA2272219CAE71ED0262C53647C7ED62EC5F8D2767EDD57115934
Malicious:	false
Preview:	...@..@...@.....C.].....@................W...W..............`... ...i.y.........BrowserMetrics......i.y..Yd.........A.......d...2......._.z.....Gy.7....................Gy.7....................UMA.PersistentAllocator.EarlyHistograms.BrowserMetrics......i.y.["......................................................................................................................... ..."...$...&...(......-...0...3...6...9...<...@...D...H...L...P...U...Z..._...d...............i.y..Yd........A...............`...v.0.....UV&K.k<................UV&K.k<................UMA.PersistentHistograms.InitResult.....8...i.y.[".................................................i.y.Pq.3................128.0.6613.124-64-devel".en-US...Windows NT..10.0.1904224..x86_64..\|.......".To Be Filled By O.E.M....x86_64J..m#:^...YP....6..................v..p.s."...<..8...(...SyntheticOptimizationGuideRemoteFetching....Disabled.@..<...+...SyntheticModelExecutionFeatureHistorySearch.....Disabled.<..8...$...Segmenta

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\BrowserMetrics\BrowserMetrics-67339EA7-1914.pma

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	data
Category:	dropped
Size (bytes):	4194304
Entropy (8bit):	0.006074957759105921
Encrypted:	false
SSDEEP:
MD5:	F21C12F1F6485227DEC6F98A7F6A2DB1
SHA1:	4E23D45FFA53741E1C2A5A9202714349806A828A
SHA-256:	66DBFFDF54240971C86C9AB8B3D6555E193CB8FE5D5D75869D809D79AD78B210
SHA-512:	FA8E29702E5D822771D059CBA3DC7C99149C79A6FFBC8091F620504B9AB3680F722F0FC2FE0B912F44A116C9DEBE1549F105794B82D20824EA3CC9A0829C489B
Malicious:	false
Preview:	...@..@...@.....C.].....@...............`...................`... ...i.y.........BrowserMetrics......i.y..Yd.........A.......d...2......._.z.....Gy.7....................Gy.7....................UMA.PersistentAllocator.EarlyHistograms.BrowserMetrics......i.y.["......................................................................................................................... ..."...$...&...(...*...-...0...3...6...9...<...@...D...H...L...P...U...Z..._...d...............i.y..Yd........A...............`...v.0.....UV&K.k<................UV&K.k<................UMA.PersistentHistograms.InitResult.....8...i.y.[".................................................i.y.Pq.3....................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Crashpad\settings.dat

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe
File Type:	data
Category:	modified
Size (bytes):	40
Entropy (8bit):	3.3041625260016576
Encrypted:	false
SSDEEP:
MD5:	16875A55738A65F55F3573DDF0EB5AF7
SHA1:	A4E28410C188B8CDADFB358F2B7F0FE084C3F1EC
SHA-256:	60AFFA4182AD5844E780CA1BDE2029A4DAF352BED790BDFEDEA0EE66F98E28DA
SHA-512:	C2681915DA7A1D274A700F89EEF0EEDD255FAFB88A16922007708552B2C674266FEBA3037BF0F24D73B9DD2368E4869CE8DBDEB3D0D1EB039C337F1B4BF4D13F
Malicious:	false
Preview:	sdPC....................:J.....F..5B%L.1

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\0cbf2833-9d7c-48b6-adaa-2462c05bfa18.tmp

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	9793
Entropy (8bit):	5.1782060109445345
Encrypted:	false
SSDEEP:
MD5:	073286B7FA51FCCE50A4EBB1C3721C02
SHA1:	54D00B4C1AD88CB8AA8A477DC6C6A523CABA8F20
SHA-256:	699D16394DC0AB74C02CC3E613907A5096FA95D74EB24BD8D0E8F5B073C4F234
SHA-512:	428EB3E27F04E0FFCAE7C1C58184C06F05D8C6C44B434768BB7994C0282C67A684DE329BB3FE3C473DFDA88803AFC962F81E4EF0EFD516028299A769D05AA6CC
Malicious:	false
Preview:	{"NewTabPage":{"PrevNavigationTime":"13375909799623327"},"account_tracker_service_last_update":"13375909797168740","alternate_error_pages":{"backup":true},"announcement_notification_service_first_run_time":"13375909796445850","apps":{"shortcuts_arch":"","shortcuts_version":0},"autocomplete":{"retention_policy_last_version":128},"autofill":{"last_version_deduped":128},"browser":{"has_seen_welcome_page":false,"window_placement":{"bottom":1030,"left":10,"maximized":false,"right":955,"top":10,"work_area_bottom":1040,"work_area_left":0,"work_area_right":1920,"work_area_top":0}},"countryid_at_install":18242,"default_apps_install_state":3,"default_search_provider":{"guid":"04e7a9fa-708c-43d3-93ee-3a398fe03efc","synced_guid":"04e7a9fa-708c-43d3-93ee-3a398fe03efc"},"domain_diversity":{"last_reporting_timestamp":"13375909797160618"},"enterprise_profile_guid":"0d947a32-d677-46ae-8194-3b072e0e792a","extensions":{"alerts":{"initialized":true},"chrome_url_overrides":{},"last_chrome_version":"128.0.6

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\14342415-489e-4872-89b8-ee9d43bac624.tmp

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	10619
Entropy (8bit):	5.548453037038985
Encrypted:	false
SSDEEP:
MD5:	B6502F7C9754BD8D34E1063E034B41B9
SHA1:	76092D42F5E7C571F1A579317BD5D60300223293
SHA-256:	C886DDA19E7BE038265ABAFC202DFC9F75EE9D96EAEAE6C3B5C7E9A814436118
SHA-512:	7F9EC2BC60CC3601BB73147F399300EBD21EABD4C7CA7D674DAF49AF108B63BED114B869D3D9B29FCDED56DECE88EE2D0960C735329D7B8AAB9A2C469DAD32FD
Malicious:	false
Preview:	{"default_search_provider_data":{"template_url_data":{"alternate_urls":["https://onestart.ai/chr/search?iid=40f05e8e-ef61-4211-af81-78bf374c0ab8&q={searchTerms}"],"contextual_search_url":"","created_by_policy":1,"created_from_play_api":false,"date_created":"13375909799032521","doodle_url":"","enforced_by_policy":true,"favicon_url":"","featured_by_policy":false,"id":"11","image_search_branding_label":"","image_translate_source_language_param_key":"","image_translate_target_language_param_key":"","image_translate_url":"","image_url":"","image_url_post_params":"","input_encodings":[],"is_active":1,"keyword":"onestart.ai","last_modified":"13375909799032521","last_visited":"0","logo_url":"","new_tab_url":"","originating_url":"","preconnect_to_search_url":false,"prefetch_likely_navigations":false,"prepopulate_id":0,"safe_for_autoreplace":false,"search_intent_params":[],"search_url_post_params":"","short_name":"OneStart","side_image_search_param":"","side_search_param":"","starter_pack_id":0,

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\17818494-59c6-4534-add8-80a2bcac13a7.tmp

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1475
Entropy (8bit):	4.380824776919669
Encrypted:	false
SSDEEP:
MD5:	1221E75715EDEDB167E9B067708BB207
SHA1:	AC468CBED7D1A5350D9159CAEDA83DBF690892BE
SHA-256:	05F1406896A86E28A8128A590EBD372287F7DF07669A948E04E3DD37330A5F60
SHA-512:	96770C59AA36CDF86EC7E2572FD01ED63D25F508622D3646D931F28FC8914DB54F8EDD7F216618D66273CF30D06579FBC76986131C2254AD58EAD2C2D772B3AB
Malicious:	false
Preview:	{.. "checksum": "062d944254f76e5d8c2f92b0bbf02884",.. "roots": {.. "bookmark_bar": {.. "children": [ ],.. "date_added": "13375909796355253",.. "date_last_used": "0",.. "date_modified": "0",.. "guid": "0bc5d13f-2cba-5d74-951f-3f233fe6c908",.. "id": "1",.. "name": "Bookmarks bar",.. "type": "folder".. },.. "other": {.. "children": [ {.. "date_added": "13375909796475537",.. "date_last_used": "0",.. "guid": "58683416-3df0-41f9-b71f-074e8b0df376",.. "id": "5",.. "meta_info": {.. "power_bookmark_meta": "".. },.. "name": "New Tab Search",.. "type": "url",.. "url": "https://onestart.ai/chr/newtab?iid=40f05e8e-ef61-4211-af81-78bf374c0ab8".. } ],.. "date_added": "13375909796355257",.. "date_last_used": "0",.. "date_modified": "13375909796475537",.. "guid"

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\1c7a4efd-aa4b-4256-bed7-89d3f9f0c6ef.tmp

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	10245
Entropy (8bit):	5.180847154489153
Encrypted:	false
SSDEEP:
MD5:	A23623C52B6E808440327EA6F95DD643
SHA1:	F8D23BEBD38E89B8B59BC202F1879144C13CEB56
SHA-256:	9A2F9F20F0AAD4EC61D5AA94C73B4EDD4593B7E9307A76EE5BE326DBA80FB91B
SHA-512:	F935FC4DF091397C711F23032EDF00374E9F3E9CDF9F6A54C9F7A949EE61F9A86952106671E3F97CCADAA746AEEA124F7714BC1446A95B0E3917323B00A0DF57
Malicious:	false
Preview:	{"NewTabPage":{"PrevNavigationTime":"13375909799623327"},"account_tracker_service_last_update":"13375909797168740","alternate_error_pages":{"backup":true},"announcement_notification_service_first_run_time":"13375909796445850","apps":{"shortcuts_arch":"","shortcuts_version":0},"autocomplete":{"retention_policy_last_version":128},"autofill":{"last_version_deduped":128},"browser":{"has_seen_welcome_page":false,"window_placement":{"bottom":1030,"left":10,"maximized":false,"right":955,"top":10,"work_area_bottom":1040,"work_area_left":0,"work_area_right":1920,"work_area_top":0}},"countryid_at_install":18242,"default_apps_install_state":3,"default_search_provider":{"guid":"04e7a9fa-708c-43d3-93ee-3a398fe03efc","synced_guid":"04e7a9fa-708c-43d3-93ee-3a398fe03efc"},"domain_diversity":{"last_reporting_timestamp":"13375909797160618"},"enterprise_profile_guid":"0d947a32-d677-46ae-8194-3b072e0e792a","extensions":{"alerts":{"initialized":true},"chrome_url_overrides":{},"last_chrome_version":"128.0.6

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\29316526-dfa0-4bef-9be4-b812fbfdda0b.tmp

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	MS Windows icon resource - 13 icons, 8x8, 32 bits/pixel, 10x10, 32 bits/pixel
Category:	dropped
Size (bytes):	167109
Entropy (8bit):	5.081780452241832
Encrypted:	false
SSDEEP:
MD5:	70E5D4E286C45331931C22DBF5B15A9B
SHA1:	BB4DBEE62F4410666033D8BBF658227C80A3AD9A
SHA-256:	6FD93AA2E71AE66DF17C2E84E719D27DF69762375894522D80C95D7C82393793
SHA-512:	BB3931D23042265B7F9C0E4F35470FED8E3279CF677AA7B98DDCF19E110E1EA61B36778890B322BD0FA111023F6097CF4DFE185CF54C89A8E5B2AC3FF5283913
Malicious:	false
Preview:	............ .H............. ............... .p............. .h...n......... ............... ......... .... .....n...((.... .h.......00.... ..%..~H..@@.... .(B..&n..``.... .....N......... .(....D........ ..?...M..(............. ..............................-.-./...TI..}...v..#,......+./..2 ..+...I:..........,....5!..0.../ g.!.\|._`...<.....&...0.....B.........gc.../......F...O...D).........:w.........H...Q...G..'O..`............E0..H...O...E...2...4...<...K,......D1..J...K...M...P...U-....................................(............. ....................................Y.8'..f\...~...\|..TX.............-...1.......,...SE.......Y.........-.U.1.../...0.../..&...]X...p......U./..2...2...-.x.3"..#...A:..j.......$...0.o."...............D...Q.........@k..R...G}......U......h............I...N...L...Bi.....................F_..L...I...I..1...........,...3U......F...L...J...K...C...@...H...L...............G^..I...H...J...M...JY..........................

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\39ef50bc-f8fe-4f5b-adb3-9ec0794bcb0b.tmp

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	MS Windows icon resource - 13 icons, 8x8, 32 bits/pixel, 10x10, 32 bits/pixel
Category:	dropped
Size (bytes):	167109
Entropy (8bit):	5.081780452241832
Encrypted:	false
SSDEEP:
MD5:	70E5D4E286C45331931C22DBF5B15A9B
SHA1:	BB4DBEE62F4410666033D8BBF658227C80A3AD9A
SHA-256:	6FD93AA2E71AE66DF17C2E84E719D27DF69762375894522D80C95D7C82393793
SHA-512:	BB3931D23042265B7F9C0E4F35470FED8E3279CF677AA7B98DDCF19E110E1EA61B36778890B322BD0FA111023F6097CF4DFE185CF54C89A8E5B2AC3FF5283913
Malicious:	false
Preview:	............ .H............. ............... .p............. .h...n......... ............... ......... .... .....n...((.... .h.......00.... ..%..~H..@@.... .(B..&n..``.... .....N......... .(....D........ ..?...M..(............. ..............................-.-./...TI..}...v..#,......+./..2 ..+...I:..........,....5!..0.../ g.!.\|._`...<.....&...0.....B.........gc.../......F...O...D).........:w.........H...Q...G..'O..`............E0..H...O...E...2...4...<...K,......D1..J...K...M...P...U-....................................(............. ....................................Y.8'..f\...~...\|..TX.............-...1.......,...SE.......Y.........-.U.1.../...0.../..&...]X...p......U./..2...2...-.x.3"..#...A:..j.......$...0.o."...............D...Q.........@k..R...G}......U......h............I...N...L...Bi.....................F_..L...I...I..1...........,...3U......F...L...J...K...C...@...H...L...............G^..I...H...J...M...JY..........................

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\6b997875-4e56-46b3-bf93-9b7d5213f9f9.tmp

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	MS Windows icon resource - 13 icons, 8x8, 32 bits/pixel, 10x10, 32 bits/pixel
Category:	dropped
Size (bytes):	167109
Entropy (8bit):	5.081780452241832
Encrypted:	false
SSDEEP:
MD5:	70E5D4E286C45331931C22DBF5B15A9B
SHA1:	BB4DBEE62F4410666033D8BBF658227C80A3AD9A
SHA-256:	6FD93AA2E71AE66DF17C2E84E719D27DF69762375894522D80C95D7C82393793
SHA-512:	BB3931D23042265B7F9C0E4F35470FED8E3279CF677AA7B98DDCF19E110E1EA61B36778890B322BD0FA111023F6097CF4DFE185CF54C89A8E5B2AC3FF5283913
Malicious:	false
Preview:	............ .H............. ............... .p............. .h...n......... ............... ......... .... .....n...((.... .h.......00.... ..%..~H..@@.... .(B..&n..``.... .....N......... .(....D........ ..?...M..(............. ..............................-.-./...TI..}...v..#,......+./..2 ..+...I:..........,....5!..0.../ g.!.\|._`...<.....&...0.....B.........gc.../......F...O...D).........:w.........H...Q...G..'O..`............E0..H...O...E...2...4...<...K,......D1..J...K...M...P...U-....................................(............. ....................................Y.8'..f\...~...\|..TX.............-...1.......,...SE.......Y.........-.U.1.../...0.../..&...]X...p......U./..2...2...-.x.3"..#...A:..j.......$...0.o."...............D...Q.........@k..R...G}......U......h............I...N...L...Bi.....................F_..L...I...I..1...........,...3U......F...L...J...K...C...@...H...L...............G^..I...H...J...M...JY..........................

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\6cb0f70a-5ab7-41c4-ac4c-5e65d197c555.tmp

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	data
Category:	dropped
Size (bytes):	38
Entropy (8bit):	4.023471592049354
Encrypted:	false
SSDEEP:
MD5:	3433CCF3E03FC35B634CD0627833B0AD
SHA1:	789A43382E88905D6EB739ADA3A8BA8C479EDE02
SHA-256:	F7D5893372EDAA08377CB270A99842A9C758B447B7B57C52A7B1158C0C202E6D
SHA-512:	21A29F0EF89FEC310701DCAD191EA4AB670EDC0FC161496F7542F707B5B9CE619EB8B709A52073052B0F705D657E03A45BE7560C80909E92AE7D5939CE688E9C
Malicious:	false
Preview:	..... 2a68348c2ca0c50ad315d43d90f5a986

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\7baf36ba-94cd-4c14-aeff-9c4c6515e6f5.tmp

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	6298
Entropy (8bit):	5.520041538337388
Encrypted:	false
SSDEEP:
MD5:	B2D9E83B10CC5E9923700579F1FFE3BB
SHA1:	062F260CD8A33943AFAE12CA60F8FB9FCBEC182D
SHA-256:	7519E09DE0C7D122FF8C27E53432DB48BC1356AA9AF2C5E25F02A539D6499818
SHA-512:	D54D3EC5C41D1A4D4AA055C38694CE5E6F82A215BBB626F3527E1F13321F57D74F349EF127D9586D7B1267F807F0206D2491ACF8DC4EBA29D27C79BB5583A5AA
Malicious:	false
Preview:	{"default_search_provider_data":{"template_url_data":{"alternate_urls":["https://onestart.ai/chr/search?iid=40f05e8e-ef61-4211-af81-78bf374c0ab8&q={searchTerms}"],"contextual_search_url":"","created_by_policy":1,"created_from_play_api":false,"date_created":"13375909799032521","doodle_url":"","enforced_by_policy":true,"favicon_url":"","featured_by_policy":false,"id":"11","image_search_branding_label":"","image_translate_source_language_param_key":"","image_translate_target_language_param_key":"","image_translate_url":"","image_url":"","image_url_post_params":"","input_encodings":[],"is_active":1,"keyword":"onestart.ai","last_modified":"13375909799032521","last_visited":"0","logo_url":"","new_tab_url":"","originating_url":"","preconnect_to_search_url":false,"prefetch_likely_navigations":false,"prepopulate_id":0,"safe_for_autoreplace":false,"search_intent_params":[],"search_url_post_params":"","short_name":"OneStart","side_image_search_param":"","side_search_param":"","starter_pack_id":0,

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\990d3bbb-5012-4e7b-b667-270652a6b685.tmp

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:
MD5:	5058F1AF8388633F609CADB75A75DC9D
SHA1:	3A52CE780950D4D969792A2559CD519D7EE8C727
SHA-256:	CDB4EE2AEA69CC6A83331BBE96DC2CAA9A299D21329EFB0336FC02A82E1839A8
SHA-512:	0B61241D7C17BCBB1BAEE7094D14B7C451EFECC7FFCBD92598A0F13D313CC9EBC2A07E61F007BAF58FBF94FF9A8695BDD5CAE7CE03BBF1E94E93613A00F25F21
Malicious:	false
Preview:	.

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\Affiliation Database

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	SQLite 3.x database, last written using SQLite version 3045002, file counter 5, database pages 13, cookie 0x8, schema 4, UTF-8, version-valid-for 5
Category:	dropped
Size (bytes):	53248
Entropy (8bit):	0.3988860319126424
Encrypted:	false
SSDEEP:
MD5:	3A5A1B5681601D04C79F16F740244039
SHA1:	C7C2F00345AD16077DFA5908C2D00A37025DEE30
SHA-256:	5B038CEF519B60BB378CEAAD1EA0A101BE111C74613CBA63FC7F76625B4F72C7
SHA-512:	E8CCB322E60FC7107482D809B0D2CBC81BF76517A2B55FC0B690AB57DA0177B88D7481B7645A200D085AF255BBD469A44289965F06C9D90A4EEC20EE8FA6AFBE
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................v..........g.....e...$.y.........H....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\Bookmarks (copy)

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1475
Entropy (8bit):	4.380824776919669
Encrypted:	false
SSDEEP:
MD5:	1221E75715EDEDB167E9B067708BB207
SHA1:	AC468CBED7D1A5350D9159CAEDA83DBF690892BE
SHA-256:	05F1406896A86E28A8128A590EBD372287F7DF07669A948E04E3DD37330A5F60
SHA-512:	96770C59AA36CDF86EC7E2572FD01ED63D25F508622D3646D931F28FC8914DB54F8EDD7F216618D66273CF30D06579FBC76986131C2254AD58EAD2C2D772B3AB
Malicious:	false
Preview:	{.. "checksum": "062d944254f76e5d8c2f92b0bbf02884",.. "roots": {.. "bookmark_bar": {.. "children": [ ],.. "date_added": "13375909796355253",.. "date_last_used": "0",.. "date_modified": "0",.. "guid": "0bc5d13f-2cba-5d74-951f-3f233fe6c908",.. "id": "1",.. "name": "Bookmarks bar",.. "type": "folder".. },.. "other": {.. "children": [ {.. "date_added": "13375909796475537",.. "date_last_used": "0",.. "guid": "58683416-3df0-41f9-b71f-074e8b0df376",.. "id": "5",.. "meta_info": {.. "power_bookmark_meta": "".. },.. "name": "New Tab Search",.. "type": "url",.. "url": "https://onestart.ai/chr/newtab?iid=40f05e8e-ef61-4211-af81-78bf374c0ab8".. } ],.. "date_added": "13375909796355257",.. "date_last_used": "0",.. "date_modified": "13375909796475537",.. "guid"

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\BrowsingTopicsSiteData

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	SQLite 3.x database, last written using SQLite version 3045002, file counter 1, database pages 7, cookie 0x4, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	0.43785293753385396
Encrypted:	false
SSDEEP:
MD5:	8C1AC221F2F20F7E7FB1B0D1E7FEFAE9
SHA1:	4AD093D4810C55A1620E86DA1452351DB5671452
SHA-256:	86B9EEC2F03317F300171428B5052450D80A6C79E92F538A7593E4FDE8EA48CF
SHA-512:	460D4662FD979837EB6371A0A627523C4A60360D48366B90A71C3CBF5DAEE826CC7A6EF6FFF27C493DD92DBA6E88FC3E1A8FC64E0ACD5EF4FF4404ACCAF66754
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................v..........g.......o..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\BrowsingTopicsState (copy)

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	414
Entropy (8bit):	5.04432285688484
Encrypted:	false
SSDEEP:
MD5:	762DB658A326EFC1C2F133997683FC72
SHA1:	5DDB60744ECE67BA6993E1F93C33BAB5D1D01A65
SHA-256:	A5409B15A81BC2EC1860CE953DC9FFDD4263A8BB6E1525734DB36F34B9619D34
SHA-512:	8AF8A33BE83C664413C357E9738BFF1F016EAA7420E8C54C6812FCFC161EAA38D8B596C9891D7DF42441C7897E09515B907ADA6F2A547508CF385AC7269E3B8D
Malicious:	false
Preview:	{.. "epochs": [ {.. "calculation_time": "13375909806408082",.. "config_version": 0,.. "model_version": "0",.. "padded_top_topics_start_index": 0,.. "taxonomy_version": 0,.. "top_topics_and_observing_domains": [ ].. } ],.. "hex_encoded_hmac_key": "50BB5A4E32B4D2477428885BECCAE6400B941241684DC517D405D177375D5C94",.. "next_scheduled_calculation_time": "13376514606408239"..}..

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\Cache\Cache_Data\data_0

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	dBase III DBT, next free block index 3238316739, block length 1024
Category:	dropped
Size (bytes):	45056
Entropy (8bit):	0.028600118794284517
Encrypted:	false
SSDEEP:
MD5:	F9659C1C736C8FE2A89E7903BA361674
SHA1:	A9DEFB2006A180CA7B8DAD010A15A5A3B1538ED4
SHA-256:	4613CD743314515C5AC078B65C01C7D108FFE9CD5CA2DC71367962911310AF6E
SHA-512:	99ACBB60F16E7B416A1512593D04002E76A2556BFBB8D1EFB9EB7F9BB254E1C2DCF35E4FF5DE87AD15D0BAAE23027FEE6A1A4E7B9BB1DE82EE6B5973F0CCF252
Malicious:	false
Preview:	............$...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\Cache\Cache_Data\data_1

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	data
Category:	dropped
Size (bytes):	270336
Entropy (8bit):	0.03209782196058105
Encrypted:	false
SSDEEP:
MD5:	FD81F156741EF9EA3A835F569D9E9FAD
SHA1:	026F4BD4A1211CE1FFECC79CAF35BCF05A99E357
SHA-256:	6D1AFB5C629CD6DD4F8B1F7C53BFBF0C66FD2B580B0E95FEE38DC9626E465FDB
SHA-512:	62E6107E4D2D866AA32E751C1DABA4FEBDD76DBF687794B60E6D9DB276358FAF71E261743313182D1F2EB380C7C11635CAC08566E19B6A4092CA32F5DDFED651
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\Cache\Cache_Data\data_2

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	data
Category:	dropped
Size (bytes):	1056768
Entropy (8bit):	0.11680829185356967
Encrypted:	false
SSDEEP:
MD5:	A1742A01D194C794312552D0E56A66A5
SHA1:	9153EC52F85B45D9861EC037A9464EC033D76293
SHA-256:	22F24932E3BC6B536E1BAEA6D7C9BA9B6765CC6173F39E0A9A6ED6C19A0BFC48
SHA-512:	24DD632946C3BCC056E151D029848735CF06EAB7540D3DB11655E5AC25DFD70D5D56A81BD7B4238B0681844938EA3034B5AA58AF45BD62392C8366BA45A6EE5C
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\Cache\Cache_Data\data_3

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	data
Category:	dropped
Size (bytes):	4202496
Entropy (8bit):	0.029832089733106307
Encrypted:	false
SSDEEP:
MD5:	4E2438835E7F32099FFBC47875433577
SHA1:	74B9496F864ACBC65AE0E935914D1C40A72F9DB7
SHA-256:	A8FADD86A969BB80F7641240F241B2AF99F9971CA8EB14787A7B7AE51D1C362A
SHA-512:	ACEF8812CDE2B0584782357DAF6F31A5E2D68B4589DABB8E65322B8891DDC33C96BA438E65A87D282CC0E161505B38F4CD91CEF764917B3384652668A7B7DF8C
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\Cache\Cache_Data\f_000001

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	gzip compressed data, original size modulo 2^32 143189
Category:	dropped
Size (bytes):	22049
Entropy (8bit):	7.968891558624075
Encrypted:	false
SSDEEP:
MD5:	4A1B7639121706633064982EEDB869AF
SHA1:	8E55A6115881EB8330223DC5C8B8EA508ADFC88B
SHA-256:	E4C4033D8FDAB0A2AB8C552BACC08CC4B4BCBEAF016D76EFE63EEF7FFE0C5F12
SHA-512:	72633E140BC7543BD483E89A80BC48384B095296A9A9406060846E45B60D7A3D06D0A8E6F4D83ACA846BA828C2E70906D474C13ED96B196D88927EC26A2EC056
Malicious:	false
Preview:	.............#9...B....R9..doW..s.sq.......,......T...S....1.;.t..Q9.H9%.>..H............/?......~...~.....................?...O?....M.......?......o?~Z.../......d.?............y..........O_...._~~.....b...\>.G....a..ovK..y..._..9......./.....O./..Z\|.u.fK....j91...&.[b......sM<...h....TSS....V.c<..?jj.1........T../-..s....>.E3...l.9s.....9......U6..cK.....Zj...g...V. ..U6Hg.R.l...V........T...9_j...KKe.l.....RY.%...[....Ze.....V..[...[...Ze..]....,.Ze.Xg..Ze..O....SK......l!CKe.\|.......,....l.K.,.]K....l[j..g.R.l..SSM...K^Zj.....Ze..>u..4H."...=.....O.?...R...V.P.\|.......b.^...5..yy....U..W..dM.b....F.U...f9.P.........M`..}{...4T......7.m....$r.j....G.R.......v5r.............Z..Al-h..Zk#..>...cj......R3....FW..LK.W..X...V.<...]5..z..\-..Z.u...l..s55...U.'.....ZOU.w.YR.o..ej~.._..y...KL\...._cl.....y...s.-...s.-5.T.R..9E.F...9F.fYZ..%....]2....-.,.%_.d...k...:...8.Zr.YF..Kf!...9.d`s7....B.\.\|..\.g....%.......6,....7...90.&7n..w.U..7Lf

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\Cache\Cache_Data\index

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	FoxPro FPT, blocks size 768, next free block index 3284796353, field type 0
Category:	dropped
Size (bytes):	524656
Entropy (8bit):	4.989325630401085E-4
Encrypted:	false
SSDEEP:
MD5:	F418CED4A4C0051685C1ECC2DD52F0AE
SHA1:	4C2B709254E5BE93E883D11898D608CFE0F95989
SHA-256:	CF84C1419A2B3D15300F7F7CC27B9901E1AFD575E1D1439AB078BC38193D2698
SHA-512:	B2408B755C9082286409AE1AB973C93B5F1DFAA556B7C1FB7DBF4806D92AFF2080EFE7E7FC4AB88C8B405A00F52CD652FA2B98705D4CBE1E95E03ABD5EEE640D
Malicious:	false
Preview:	......................................../...Q./.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\Code Cache\js\index

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	2.1431558784658327
Encrypted:	false
SSDEEP:
MD5:	54CB446F628B2EA4A5BCE5769910512E
SHA1:	C27CA848427FE87F5CF4D0E0E3CD57151B0D820D
SHA-256:	FBCFE23A2ECB82B7100C50811691DDE0A33AA3DA8D176BE9882A9DB485DC0F2D
SHA-512:	8F6ED2E91AED9BD415789B1DBE591E7EAB29F3F1B48FDFA5E864D7BF4AE554ACC5D82B4097A770DABC228523253623E4296C5023CF48252E1B94382C43123CB0
Malicious:	false
Preview:	0\r..m..................

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\Code Cache\js\index-dir\temp-index

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	data
Category:	dropped
Size (bytes):	48
Entropy (8bit):	2.9972243200613975
Encrypted:	false
SSDEEP:
MD5:	80277BF70CA5FA23CB4B4DACCD996235
SHA1:	2F1928F3B4A625F2B88F21FE05128C095C33D4EA
SHA-256:	0CFE850074848DF87503349BB1EBB6B7BD745997A9919582F8C772AF81CCC920
SHA-512:	903A5E7E48EB1938218F3700BEFA0D581D475698DD83A7353F1EC9313A29C42FF376AB34D45AD0DA05EDF3D28DCCE112997D7462E669CE58865BDAFA30B302D7
Malicious:	false
Preview:	(...s...oy retne........................l...Q./.

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\Code Cache\js\index-dir\the-real-index (copy)

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	data
Category:	dropped
Size (bytes):	48
Entropy (8bit):	2.9972243200613975
Encrypted:	false
SSDEEP:
MD5:	80277BF70CA5FA23CB4B4DACCD996235
SHA1:	2F1928F3B4A625F2B88F21FE05128C095C33D4EA
SHA-256:	0CFE850074848DF87503349BB1EBB6B7BD745997A9919582F8C772AF81CCC920
SHA-512:	903A5E7E48EB1938218F3700BEFA0D581D475698DD83A7353F1EC9313A29C42FF376AB34D45AD0DA05EDF3D28DCCE112997D7462E669CE58865BDAFA30B302D7
Malicious:	false
Preview:	(...s...oy retne........................l...Q./.

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\Code Cache\wasm\index

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	2.1431558784658327
Encrypted:	false
SSDEEP:
MD5:	54CB446F628B2EA4A5BCE5769910512E
SHA1:	C27CA848427FE87F5CF4D0E0E3CD57151B0D820D
SHA-256:	FBCFE23A2ECB82B7100C50811691DDE0A33AA3DA8D176BE9882A9DB485DC0F2D
SHA-512:	8F6ED2E91AED9BD415789B1DBE591E7EAB29F3F1B48FDFA5E864D7BF4AE554ACC5D82B4097A770DABC228523253623E4296C5023CF48252E1B94382C43123CB0
Malicious:	false
Preview:	0\r..m..................

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\Code Cache\wasm\index-dir\temp-index

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	data
Category:	dropped
Size (bytes):	48
Entropy (8bit):	2.955557653394731
Encrypted:	false
SSDEEP:
MD5:	4947823702275ADAC78624BBAC2F00BD
SHA1:	497C453B27BFFB029B072818C29C254CF02BF603
SHA-256:	2904B86421728ACC4934F03A2C0FCE7E95A6F4E12D8F0AE36EA7A2E0CD39EB4E
SHA-512:	4335CC811B1B21306F3CBED60211B7A23B88538A2A8CF7BC64AF305D2A3590B8C671C7F6C78587DD82F640581D7AF2001CEE77A194E3E254482624AC88A249F3
Malicious:	false
Preview:	(...j...oy retne........................uC..Q./.

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\Code Cache\wasm\index-dir\the-real-index (copy)

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	data
Category:	dropped
Size (bytes):	48
Entropy (8bit):	2.955557653394731
Encrypted:	false
SSDEEP:
MD5:	4947823702275ADAC78624BBAC2F00BD
SHA1:	497C453B27BFFB029B072818C29C254CF02BF603
SHA-256:	2904B86421728ACC4934F03A2C0FCE7E95A6F4E12D8F0AE36EA7A2E0CD39EB4E
SHA-512:	4335CC811B1B21306F3CBED60211B7A23B88538A2A8CF7BC64AF305D2A3590B8C671C7F6C78587DD82F640581D7AF2001CEE77A194E3E254482624AC88A249F3
Malicious:	false
Preview:	(...j...oy retne........................uC..Q./.

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\DIPS

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	SQLite 3.x database, last written using SQLite version 3045002, file counter 1, database pages 9, cookie 0x4, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	36864
Entropy (8bit):	0.4100115957342144
Encrypted:	false
SSDEEP:
MD5:	CB4E4BB3C076EEBC0F8B355777183888
SHA1:	E71A5F86B62239CCA5C3CE865EDFDC1F2A98A3C8
SHA-256:	C835BD65E6715EB5189ECCC144128D5BCA57C8329A49CCD12473ADE48FC48FFF
SHA-512:	48C0CD83744F09296B5507572B7F1DB8C7E735ABCDE2B78E625F15B673867B8E99F9146B8114712665B55365A4EBA852BBB47A26351F3932C23CCA6DFC3474D8
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................v..........g.....:....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\DawnGraphiteCache\data_0

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	FoxPro FPT, blocks size 512, next free block index 3284796609, field type 0
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.01057775872642915
Encrypted:	false
SSDEEP:
MD5:	CF89D16BB9107C631DAABF0C0EE58EFB
SHA1:	3AE5D3A7CF1F94A56E42F9A58D90A0B9616AE74B
SHA-256:	D6A5FE39CD672781B256E0E3102F7022635F1D4BB7CFCC90A80FFFE4D0F3877E
SHA-512:	8CB5B059C8105EB91E74A7D5952437AAA1ADA89763C5843E7B0F1B93D9EBE15ED40F287C652229291FAC02D712CF7FF5ECECEF276BA0D7DDC35558A3EC3F77B0
Malicious:	false
Preview:	............$...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\DawnGraphiteCache\data_1

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	data
Category:	dropped
Size (bytes):	270336
Entropy (8bit):	8.280239615765425E-4
Encrypted:	false
SSDEEP:
MD5:	D0D388F3865D0523E451D6BA0BE34CC4
SHA1:	8571C6A52AACC2747C048E3419E5657B74612995
SHA-256:	902F30C1FB0597D0734BC34B979EC5D131F8F39A4B71B338083821216EC8D61B
SHA-512:	376011D00DE659EB6082A74E862CFAC97A9BB508E0B740761505142E2D24EC1C30AA61EFBC1C0DD08FF0F34734444DE7F77DD90A6CA42B48A4C7FAD5F0BDDD17
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\DawnGraphiteCache\data_2

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.011852361981932763
Encrypted:	false
SSDEEP:
MD5:	0962291D6D367570BEE5454721C17E11
SHA1:	59D10A893EF321A706A9255176761366115BEDCB
SHA-256:	EC1702806F4CC7C42A82FC2B38E89835FDE7C64BB32060E0823C9077CA92EFB7
SHA-512:	F555E961B69E09628EAF9C61F465871E6984CD4D31014F954BB747351DAD9CEA6D17C1DB4BCA2C1EB7F187CB5F3C0518748C339C8B43BBD1DBD94AEAA16F58ED
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\DawnGraphiteCache\data_3

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.012340643231932763
Encrypted:	false
SSDEEP:
MD5:	41876349CB12D6DB992F1309F22DF3F0
SHA1:	5CF26B3420FC0302CD0A71E8D029739B8765BE27
SHA-256:	E09F42C398D688DCE168570291F1F92D079987DEDA3099A34ADB9E8C0522B30C
SHA-512:	E9A4FC1F7CB6AE2901F8E02354A92C4AAA7A53C640DCF692DB42A27A5ACC2A3BFB25A0DE0EB08AB53983132016E7D43132EA4292E439BB636AAFD53FB6EF907E
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\DawnGraphiteCache\index

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	FoxPro FPT, blocks size 768, next free block index 3284796353, field type 0
Category:	dropped
Size (bytes):	262512
Entropy (8bit):	9.553120663130604E-4
Encrypted:	false
SSDEEP:
MD5:	01AFBC86309A6DCA90763F0C4A2B9E35
SHA1:	E9A72B7CC4546F445CC3038CCEA567FD75DE49BE
SHA-256:	FBB3A9056D3F10138FA5B6BCBC2AA64D995CE139F9FCAA9B30E287144C22D231
SHA-512:	20E3A3D31ED4C77723CDAA26E3E0A2E1E18798F1368E0D111A86F707BB773211C487EC355C4D32099FC534A9294B9D4D6B6D37E3005F5D3AAFD11C7749D8022F
Malicious:	false
Preview:	........................................5.0.Q./.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\DawnWebGPUCache\data_0

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	FoxPro FPT, blocks size 512, next free block index 3284796609, field type 0
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.01057775872642915
Encrypted:	false
SSDEEP:
MD5:	CF89D16BB9107C631DAABF0C0EE58EFB
SHA1:	3AE5D3A7CF1F94A56E42F9A58D90A0B9616AE74B
SHA-256:	D6A5FE39CD672781B256E0E3102F7022635F1D4BB7CFCC90A80FFFE4D0F3877E
SHA-512:	8CB5B059C8105EB91E74A7D5952437AAA1ADA89763C5843E7B0F1B93D9EBE15ED40F287C652229291FAC02D712CF7FF5ECECEF276BA0D7DDC35558A3EC3F77B0
Malicious:	false
Preview:	............$...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\DawnWebGPUCache\data_1

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	data
Category:	dropped
Size (bytes):	270336
Entropy (8bit):	8.280239615765425E-4
Encrypted:	false
SSDEEP:
MD5:	D0D388F3865D0523E451D6BA0BE34CC4
SHA1:	8571C6A52AACC2747C048E3419E5657B74612995
SHA-256:	902F30C1FB0597D0734BC34B979EC5D131F8F39A4B71B338083821216EC8D61B
SHA-512:	376011D00DE659EB6082A74E862CFAC97A9BB508E0B740761505142E2D24EC1C30AA61EFBC1C0DD08FF0F34734444DE7F77DD90A6CA42B48A4C7FAD5F0BDDD17
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\DawnWebGPUCache\data_2

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.011852361981932763
Encrypted:	false
SSDEEP:
MD5:	0962291D6D367570BEE5454721C17E11
SHA1:	59D10A893EF321A706A9255176761366115BEDCB
SHA-256:	EC1702806F4CC7C42A82FC2B38E89835FDE7C64BB32060E0823C9077CA92EFB7
SHA-512:	F555E961B69E09628EAF9C61F465871E6984CD4D31014F954BB747351DAD9CEA6D17C1DB4BCA2C1EB7F187CB5F3C0518748C339C8B43BBD1DBD94AEAA16F58ED
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\DawnWebGPUCache\data_3

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.012340643231932763
Encrypted:	false
SSDEEP:
MD5:	41876349CB12D6DB992F1309F22DF3F0
SHA1:	5CF26B3420FC0302CD0A71E8D029739B8765BE27
SHA-256:	E09F42C398D688DCE168570291F1F92D079987DEDA3099A34ADB9E8C0522B30C
SHA-512:	E9A4FC1F7CB6AE2901F8E02354A92C4AAA7A53C640DCF692DB42A27A5ACC2A3BFB25A0DE0EB08AB53983132016E7D43132EA4292E439BB636AAFD53FB6EF907E
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\DawnWebGPUCache\index

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	FoxPro FPT, blocks size 768, next free block index 3284796353, field type 0
Category:	dropped
Size (bytes):	262512
Entropy (8bit):	9.448177365217996E-4
Encrypted:	false
SSDEEP:
MD5:	29A14B02FA780326F6874557A18BCDAF
SHA1:	B91C0B4401029EC121DC369A8CAF82444A51BD0B
SHA-256:	CCC9AF0DFD13A2A4CF9F7D60D3C57F9636705867FCCAECA2125DEC1470B63387
SHA-512:	50AA3C9EAF1A9066B7486309947AAD39BE1593F3B034AB2EF3C29810EBE86008A3D6852BC47099822382A566E21462147434F4162CA449AC50C30C0D9A29A533
Malicious:	false
Preview:	..........................................+.Q./.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\Extension Rules\000001.dbtmp

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\Extension Rules\000003.log

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	data
Category:	dropped
Size (bytes):	152
Entropy (8bit):	1.8784775129881184
Encrypted:	false
SSDEEP:
MD5:	5649E96DCAC327DDE1B450B1C06A27D3
SHA1:	7AA5F9FB94F95F5977AE9BFA7A4957724FD66F19
SHA-256:	FBCBAF8740CB027FF6A147C013B6745071CF2A1FDE4450AB2A7A04FBC401F0C9
SHA-512:	0BF8D7E6582330D8C362C85EE0688F2A38D3768ECD6DDB9277EFFAA718B2B6C7FD82F665CECCEFD164C2921FE4EB30C43DFB7A3AB3A8FA4496E5B8F3F8DF10C3
Malicious:	false
Preview:	.f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5...............

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\Extension Rules\CURRENT (copy)

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\Extension Rules\LOG

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	295
Entropy (8bit):	5.153843291021449
Encrypted:	false
SSDEEP:
MD5:	D65A138325BFC81552F54BD64403078E
SHA1:	F127885B4B9AD89AE63B4EDBF37373D32A8AE2F2
SHA-256:	AA144EAE29B84EAFC145D48FFF8CE19C1B319BD3813E8BD36F65ADA7F8EE26C1
SHA-512:	4740472233B7077A4DA5C2F18839D3D650231D78F329FCF4695D656C4F87AE824A8F08A8E25EEEF6FDA22B953E90625236C4EBC0FCBC06C3873CD7B747628506
Malicious:	false
Preview:	2024/11/12-13:29:56.541 2318 Creating DB C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\Extension Rules since it was missing..2024/11/12-13:29:57.098 2318 Reusing MANIFEST C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\Extension Rules/MANIFEST-000001.

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\Extension Rules\MANIFEST-000001

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\Extension Scripts\000001.dbtmp

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\Extension Scripts\000003.log

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	data
Category:	dropped
Size (bytes):	76
Entropy (8bit):	1.8784775129881184
Encrypted:	false
SSDEEP:
MD5:	CC4A8CFF19ABF3DD35D63CFF1503AA5F
SHA1:	52AF41B0D9C78AFCC8E308DB846C2B52A636BE38
SHA-256:	CC5DACF370F324B77B50DDDF5D995FD3C7B7A587CB2F55AC9F24C929D0CD531A
SHA-512:	0E9559CDA992AA2174A7465745884F73B96755008384D21A0685941ACF099C89C8203B13551DE72A87B8E23CDAAE3FA513BC700B38E1BF3B9026955D97920320
Malicious:	false
Preview:	.f.5................f.5................f.5................f.5...............

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\Extension Scripts\CURRENT (copy)

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\Extension Scripts\LOG

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	299
Entropy (8bit):	5.1285559293784395
Encrypted:	false
SSDEEP:
MD5:	57E190A4ADF7856051D080774AF59378
SHA1:	4406B59CE0EFA80754E2A78D711EABA7C115CB7F
SHA-256:	06CC32496B2D7A2AFDDE2A8482DECF9820F43F24EE359A0ACAD741F05D46F476
SHA-512:	06E6BD622928217DB00176019BE2C3C9292ED7FBC2774D10DF07E296A491D29A24292523D4E6F73CC808B220F0D74DD005EF8C3A4F056F12204E9B5A07E72731
Malicious:	false
Preview:	2024/11/12-13:29:57.271 2318 Creating DB C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\Extension Scripts since it was missing..2024/11/12-13:29:57.652 2318 Reusing MANIFEST C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\Extension Scripts/MANIFEST-000001.

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\Extension Scripts\MANIFEST-000001

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\Extension State\000001.dbtmp

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\Extension State\000003.log

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	data
Category:	dropped
Size (bytes):	228
Entropy (8bit):	1.8784775129881184
Encrypted:	false
SSDEEP:
MD5:	AF1D95E1F9EB485393273B25446E1AE5
SHA1:	1D762C96B1C38BA6A849A5B76D12FAC636B8D780
SHA-256:	48D535BB330519C00D150578734C6CECB056C4B5CDD2A45C70590BC896D27D9F
SHA-512:	826D207EDD55401E1C13249350814ADBB3AB00A135C46B8DA8BB7267751C70580F183982CCCBC1E47BF3E3F433F20BA1D2F2AFD601FCB67B635C0E7429558165
Malicious:	false
Preview:	.f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5................f.5...............

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\Extension State\CURRENT (copy)

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\Extension State\LOG

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	295
Entropy (8bit):	5.110032857579553
Encrypted:	false
SSDEEP:
MD5:	E20B997EF3B5179A7A13E37E6E908F9A
SHA1:	9CC9BE4EDBD96B83CDDC1483C6022EEA7069DE27
SHA-256:	CD8007653B299DBA54EB06847F0D92A823A77929B9A31A2AB51E4096117553E5
SHA-512:	5F760B1DEA954607829949FFE88EE17CD421005975DC4E3FDF417408C5E3F134D93AEA18E9039089774FB570A0B83DEAA3497D10C03E08E6FE27A5304F57DB56
Malicious:	false
Preview:	2024/11/12-13:29:57.653 2318 Creating DB C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\Extension State since it was missing..2024/11/12-13:29:57.902 2318 Reusing MANIFEST C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\Extension State/MANIFEST-000001.

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\Extension State\MANIFEST-000001

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\Favicons

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	SQLite 3.x database, last written using SQLite version 3045002, page size 2048, file counter 1, database pages 10, cookie 0x8, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6972286527400751
Encrypted:	false
SSDEEP:
MD5:	5CDDA88F9ACBFD47B1D204E1F667F718
SHA1:	38C98603E0FFB54EC103988803240831C609C1C9
SHA-256:	513EDD15673066AD238EA11267AEEEB618959B5A974197243FC6B385EF7BB329
SHA-512:	DC0A73219D9B4D978F5A91BCB7A3FE629D6F7BC6E69097D0E1531A70E98F3D8E15F73347E92D7ED21F649E831A65B9AF331647888D698A65D6EF21630FC533CF
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................v..........g....._.c...~.2.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................s...;+...indexfavicon_bitmaps_icon_idfavico

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\GCM Store\Encryption\000001.dbtmp

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\GCM Store\Encryption\CURRENT (copy)

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\GCM Store\Encryption\LOG

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	303
Entropy (8bit):	5.132038996112763
Encrypted:	false
SSDEEP:
MD5:	DFD92CACD0C8F7D6DFF79393F3153616
SHA1:	A31FCC2C67507E2F6F7E8E9B6FBF6B449814CC0E
SHA-256:	4D3D24D8AF9A74CAD8418EDD1D03FB7247EE75A48692DB7BA7DFBE1A2772EC3A
SHA-512:	8C9654631AC0BC3EE15773BAD220F0BB5F2786E4A2EC7EA7DDE95A520713103D383C5F3FC691BA670376162B14FB3B86387504A37F1B4483BB860CF0CCB4E053
Malicious:	false
Preview:	2024/11/12-13:30:07.386 aa4 Creating DB C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\GCM Store\Encryption since it was missing..2024/11/12-13:30:07.567 aa4 Reusing MANIFEST C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\GCM Store\Encryption/MANIFEST-000001.

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\GCM Store\Encryption\MANIFEST-000001

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\GPUCache\data_0

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	FoxPro FPT, blocks size 512, next free block index 3284796609, field type 0
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.01057775872642915
Encrypted:	false
SSDEEP:
MD5:	CF89D16BB9107C631DAABF0C0EE58EFB
SHA1:	3AE5D3A7CF1F94A56E42F9A58D90A0B9616AE74B
SHA-256:	D6A5FE39CD672781B256E0E3102F7022635F1D4BB7CFCC90A80FFFE4D0F3877E
SHA-512:	8CB5B059C8105EB91E74A7D5952437AAA1ADA89763C5843E7B0F1B93D9EBE15ED40F287C652229291FAC02D712CF7FF5ECECEF276BA0D7DDC35558A3EC3F77B0
Malicious:	false
Preview:	............$...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\GPUCache\data_1

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	data
Category:	dropped
Size (bytes):	270336
Entropy (8bit):	8.280239615765425E-4
Encrypted:	false
SSDEEP:
MD5:	D0D388F3865D0523E451D6BA0BE34CC4
SHA1:	8571C6A52AACC2747C048E3419E5657B74612995
SHA-256:	902F30C1FB0597D0734BC34B979EC5D131F8F39A4B71B338083821216EC8D61B
SHA-512:	376011D00DE659EB6082A74E862CFAC97A9BB508E0B740761505142E2D24EC1C30AA61EFBC1C0DD08FF0F34734444DE7F77DD90A6CA42B48A4C7FAD5F0BDDD17
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\GPUCache\data_2

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.011852361981932763
Encrypted:	false
SSDEEP:
MD5:	0962291D6D367570BEE5454721C17E11
SHA1:	59D10A893EF321A706A9255176761366115BEDCB
SHA-256:	EC1702806F4CC7C42A82FC2B38E89835FDE7C64BB32060E0823C9077CA92EFB7
SHA-512:	F555E961B69E09628EAF9C61F465871E6984CD4D31014F954BB747351DAD9CEA6D17C1DB4BCA2C1EB7F187CB5F3C0518748C339C8B43BBD1DBD94AEAA16F58ED
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\GPUCache\data_3

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.012340643231932763
Encrypted:	false
SSDEEP:
MD5:	41876349CB12D6DB992F1309F22DF3F0
SHA1:	5CF26B3420FC0302CD0A71E8D029739B8765BE27
SHA-256:	E09F42C398D688DCE168570291F1F92D079987DEDA3099A34ADB9E8C0522B30C
SHA-512:	E9A4FC1F7CB6AE2901F8E02354A92C4AAA7A53C640DCF692DB42A27A5ACC2A3BFB25A0DE0EB08AB53983132016E7D43132EA4292E439BB636AAFD53FB6EF907E
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\GPUCache\index

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	FoxPro FPT, blocks size 768, next free block index 3284796353, field type 0
Category:	dropped
Size (bytes):	262512
Entropy (8bit):	9.553120663130604E-4
Encrypted:	false
SSDEEP:
MD5:	186FDAFAC8AB301D840C1A7462C460CA
SHA1:	3D0F63E0BA44F54D13447AFFC19E20DEDCA7FFF6
SHA-256:	216755C8F0775EA121BAA7A0AC44F7A0AAFAA923C3E9DD279D278FF7034081D1
SHA-512:	C65EA460054E437ED5634C01133C81A960F9BAB15FA2C8BA726C5E1A13C1403F1C99E0F0A91FFD299E12F61F0E5B2A8EF4B588AB237429BB3A4CA4C9A0245003
Malicious:	false
Preview:	..........................................&.Q./.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\Google Profile.ico (copy)

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	MS Windows icon resource - 13 icons, 8x8, 32 bits/pixel, 10x10, 32 bits/pixel
Category:	dropped
Size (bytes):	167109
Entropy (8bit):	5.081780452241832
Encrypted:	false
SSDEEP:
MD5:	70E5D4E286C45331931C22DBF5B15A9B
SHA1:	BB4DBEE62F4410666033D8BBF658227C80A3AD9A
SHA-256:	6FD93AA2E71AE66DF17C2E84E719D27DF69762375894522D80C95D7C82393793
SHA-512:	BB3931D23042265B7F9C0E4F35470FED8E3279CF677AA7B98DDCF19E110E1EA61B36778890B322BD0FA111023F6097CF4DFE185CF54C89A8E5B2AC3FF5283913
Malicious:	false
Preview:	............ .H............. ............... .p............. .h...n......... ............... ......... .... .....n...((.... .h.......00.... ..%..~H..@@.... .(B..&n..``.... .....N......... .(....D........ ..?...M..(............. ..............................-.-./...TI..}...v..#,......+./..2 ..+...I:..........,....5!..0.../ g.!.\|._`...<.....&...0.....B.........gc.../......F...O...D).........:w.........H...Q...G..'O..`............E0..H...O...E...2...4...<...K,......D1..J...K...M...P...U-....................................(............. ....................................Y.8'..f\...~...\|..TX.............-...1.......,...SE.......Y.........-.U.1.../...0.../..&...]X...p......U./..2...2...-.x.3"..#...A:..j.......$...0.o."...............D...Q.........@k..R...G}......U......h............I...N...L...Bi.....................F_..L...I...I..1...........,...3U......F...L...J...K...C...@...H...L...............G^..I...H...J...M...JY..........................

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\Google Profile.ico~RF7ac533.TMP (copy)

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	MS Windows icon resource - 13 icons, 8x8, 32 bits/pixel, 10x10, 32 bits/pixel
Category:	dropped
Size (bytes):	167109
Entropy (8bit):	5.081780452241832
Encrypted:	false
SSDEEP:
MD5:	70E5D4E286C45331931C22DBF5B15A9B
SHA1:	BB4DBEE62F4410666033D8BBF658227C80A3AD9A
SHA-256:	6FD93AA2E71AE66DF17C2E84E719D27DF69762375894522D80C95D7C82393793
SHA-512:	BB3931D23042265B7F9C0E4F35470FED8E3279CF677AA7B98DDCF19E110E1EA61B36778890B322BD0FA111023F6097CF4DFE185CF54C89A8E5B2AC3FF5283913
Malicious:	false
Preview:	............ .H............. ............... .p............. .h...n......... ............... ......... .... .....n...((.... .h.......00.... ..%..~H..@@.... .(B..&n..``.... .....N......... .(....D........ ..?...M..(............. ..............................-.-./...TI..}...v..#,......+./..2 ..+...I:..........,....5!..0.../ g.!.\|._`...<.....&...0.....B.........gc.../......F...O...D).........:w.........H...Q...G..'O..`............E0..H...O...E...2...4...<...K,......D1..J...K...M...P...U-....................................(............. ....................................Y.8'..f\...~...\|..TX.............-...1.......,...SE.......Y.........-.U.1.../...0.../..&...]X...p......U./..2...2...-.x.3"..#...A:..j.......$...0.o."...............D...Q.........@k..R...G}......U......h............I...N...L...Bi.....................F_..L...I...I..1...........,...3U......F...L...J...K...C...@...H...L...............G^..I...H...J...M...JY..........................

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\Google Profile.ico~RF7ac9a7.TMP (copy)

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	MS Windows icon resource - 13 icons, 8x8, 32 bits/pixel, 10x10, 32 bits/pixel
Category:	dropped
Size (bytes):	167109
Entropy (8bit):	5.081780452241832
Encrypted:	false
SSDEEP:
MD5:	70E5D4E286C45331931C22DBF5B15A9B
SHA1:	BB4DBEE62F4410666033D8BBF658227C80A3AD9A
SHA-256:	6FD93AA2E71AE66DF17C2E84E719D27DF69762375894522D80C95D7C82393793
SHA-512:	BB3931D23042265B7F9C0E4F35470FED8E3279CF677AA7B98DDCF19E110E1EA61B36778890B322BD0FA111023F6097CF4DFE185CF54C89A8E5B2AC3FF5283913
Malicious:	false
Preview:	............ .H............. ............... .p............. .h...n......... ............... ......... .... .....n...((.... .h.......00.... ..%..~H..@@.... .(B..&n..``.... .....N......... .(....D........ ..?...M..(............. ..............................-.-./...TI..}...v..#,......+./..2 ..+...I:..........,....5!..0.../ g.!.\|._`...<.....&...0.....B.........gc.../......F...O...D).........:w.........H...Q...G..'O..`............E0..H...O...E...2...4...<...K,......D1..J...K...M...P...U-....................................(............. ....................................Y.8'..f\...~...\|..TX.............-...1.......,...SE.......Y.........-.U.1.../...0.../..&...]X...p......U./..2...2...-.x.3"..#...A:..j.......$...0.o."...............D...Q.........@k..R...G}......U......h............I...N...L...Bi.....................F_..L...I...I..1...........,...3U......F...L...J...K...C...@...H...L...............G^..I...H...J...M...JY..........................

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\Google Profile.ico~RF7acc66.TMP (copy)

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	MS Windows icon resource - 13 icons, 8x8, 32 bits/pixel, 10x10, 32 bits/pixel
Category:	dropped
Size (bytes):	167109
Entropy (8bit):	5.081780452241832
Encrypted:	false
SSDEEP:
MD5:	70E5D4E286C45331931C22DBF5B15A9B
SHA1:	BB4DBEE62F4410666033D8BBF658227C80A3AD9A
SHA-256:	6FD93AA2E71AE66DF17C2E84E719D27DF69762375894522D80C95D7C82393793
SHA-512:	BB3931D23042265B7F9C0E4F35470FED8E3279CF677AA7B98DDCF19E110E1EA61B36778890B322BD0FA111023F6097CF4DFE185CF54C89A8E5B2AC3FF5283913
Malicious:	false
Preview:	............ .H............. ............... .p............. .h...n......... ............... ......... .... .....n...((.... .h.......00.... ..%..~H..@@.... .(B..&n..``.... .....N......... .(....D........ ..?...M..(............. ..............................-.-./...TI..}...v..#,......+./..2 ..+...I:..........,....5!..0.../ g.!.\|._`...<.....&...0.....B.........gc.../......F...O...D).........:w.........H...Q...G..'O..`............E0..H...O...E...2...4...<...K,......D1..J...K...M...P...U-....................................(............. ....................................Y.8'..f\...~...\|..TX.............-...1.......,...SE.......Y.........-.U.1.../...0.../..&...]X...p......U./..2...2...-.x.3"..#...A:..j.......$...0.o."...............D...Q.........@k..R...G}......U......h............I...N...L...Bi.....................F_..L...I...I..1...........,...3U......F...L...J...K...C...@...H...L...............G^..I...H...J...M...JY..........................

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\History

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	SQLite 3.x database, last written using SQLite version 3045002, file counter 2, database pages 40, cookie 0x21, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	163840
Entropy (8bit):	0.6275373414750637
Encrypted:	false
SSDEEP:
MD5:	FFA7C25ED56AF941ADC6F6719610C8D7
SHA1:	3B54093CB3988A34FE3A1373CCB3EE85906D0123
SHA-256:	2DE9B9AAD178DEE816F751D218085EF9411F5D892BCF38B58D78E3D6997502C5
SHA-512:	FF507393976D7BE205CAD353D90ED2D45A306301C833E3FEB9A75076BCFB39BCC1D8D9D55BC6CA05A47A018084E201566556EE8B1ABBAA58F2766191558C49C7
Malicious:	true
Preview:	SQLite format 3......@ .......(...........!......................................................v.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\History-journal

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	data
Category:	modified
Size (bytes):	8720
Entropy (8bit):	0.21949228367239304
Encrypted:	false
SSDEEP:
MD5:	CA431347B878708B5D63FE30769AF1D0
SHA1:	A7109DC79AAE8001EECDE1692573A0B911823DBD
SHA-256:	033B19FAFB769767D75B4F116FDD584EEB3A09D2E9123DE5E5FDFC1302647B0F
SHA-512:	2526E15C2E27F5E79E5CC239C3189B94B6F1B0619AE5331E534D895A0DAA091B143EAB5D5386C79E46E02CAC8DB0FDEEF591428C883451520187955401EAEFA0
Malicious:	false
Preview:	.............,KG...(....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\InterestGroups

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	SQLite 3.x database, last written using SQLite version 3045002, writer version 2, read version 2, file counter 1, database pages 1, cookie 0, schema 0, unknown 0 encoding, version-valid-for 1
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.0905602561507182
Encrypted:	false
SSDEEP:
MD5:	B016510815CFC2BCD2E04D07A0D4CF80
SHA1:	8B67DFF3DEBD7898315D5051C1CA791E3EC9E25F
SHA-256:	02E374A9C1AFDD0D65F515922C3343CD3EA5CC8CCEA04D9F026A9406AF752B55
SHA-512:	5AF6956CC960770D5651B19096A0F55143CAC4FE79F76054042180E9EBBB322A9B1A29DC4FBBB8C12BD8708BB2AF67C8B4280B70B0D1192021FD8D423333344B
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................v.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\InterestGroups-journal

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	SQLite Rollback Journal
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.28499812076190567
Encrypted:	false
SSDEEP:
MD5:	D1B78C6F82558044118603C9C8181EA3
SHA1:	7E710DBAA5180082ED460908F6D3370965102BE7
SHA-256:	5AF4E8455B72879E67F22C53206CB36A3513042C75EB4C8D515A0B516879104A
SHA-512:	35C5B95B7EC8045D79FD358315AE38466F5E44AE9EF03E36C2F04B8266F5890F0DCDF3B71859B91AEB2F0680590958A614960EE9F15501DA0ABE4EB7A0531476
Malicious:	false
Preview:	.... .c........+................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\InterestGroups-wal

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	SQLite Write-Ahead Log, version 3007000
Category:	dropped
Size (bytes):	173072
Entropy (8bit):	2.163348500927099
Encrypted:	false
SSDEEP:
MD5:	2FB3681B027C3C7C40A57EF864948F43
SHA1:	9BF2FF388C24F62FC0D56EDADEF19562E88BCC94
SHA-256:	9DC182A320B5416241E88813AF524E49794C2236FFE486CFB3D29ABA40815C85
SHA-512:	CFBCC4555059D44131276AF6D61BC959245A00DD0975D20A51760E9CFE2B9F76ACD7C7949C3D3A14D3A87C6C557529D3DA45466B5A92F53A701858106B65644B
Malicious:	false
Preview:	7....-............X.?....?..M............X.?....t+.H..\SQLite format 3......@ ..........................................................................v.......g..g..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\Local Extension Settings\memhbiihnoblfombkckdfmemihcnlihc\000001.dbtmp

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\Local Extension Settings\memhbiihnoblfombkckdfmemihcnlihc\CURRENT (copy)

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\Local Extension Settings\memhbiihnoblfombkckdfmemihcnlihc\LOG

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	379
Entropy (8bit):	5.226513843590836
Encrypted:	false
SSDEEP:
MD5:	2FC87587A9E8A1266890713632C2A4C9
SHA1:	B81BAA6991F574078278D2D013270E1CE7C2FBB2
SHA-256:	6BCC27AA42F6DED6B6F952F2547DB7C39CB84C5A9B8D94D59B272AB83238A77C
SHA-512:	0B3712740BCCB9E161552B6E8B9B5A1E83EC919BC1E6141D31D336831A741742ADDCFE4CAFF48391BB42CA196F0F0475C868688C20F07C9F46245851348A2485
Malicious:	false
Preview:	2024/11/12-13:30:08.733 2348 Creating DB C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\Local Extension Settings\memhbiihnoblfombkckdfmemihcnlihc since it was missing..2024/11/12-13:30:08.859 2348 Reusing MANIFEST C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\Local Extension Settings\memhbiihnoblfombkckdfmemihcnlihc/MANIFEST-000001.

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\Local Extension Settings\memhbiihnoblfombkckdfmemihcnlihc\MANIFEST-000001

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\Local Storage\leveldb\000001.dbtmp

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\Local Storage\leveldb\CURRENT (copy)

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\Local Storage\leveldb\LOG

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	307
Entropy (8bit):	5.150467043211909
Encrypted:	false
SSDEEP:
MD5:	8866AEB408772C07B8049715710026EA
SHA1:	7DA42209915D3015BA3D56A486757E862F6DC509
SHA-256:	16F58A8FD68856A8BD2BB39B4AF60609BF35D6CD05D49EB9E2350BFCDE3A12E1
SHA-512:	C9C8769467772BAEA9D70B598DC33F3F123985F15B6C62A937159C31FA0A80651744AE290E22529F761C394DC6C4B1A9A88661B93DB28431D4E5E0038B3524D0
Malicious:	false
Preview:	2024/11/12-13:29:57.008 1a8c Creating DB C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\Local Storage\leveldb since it was missing..2024/11/12-13:29:57.541 1a8c Reusing MANIFEST C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\Local Storage\leveldb/MANIFEST-000001.

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\Local Storage\leveldb\MANIFEST-000001

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\Login Data

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	SQLite 3.x database, last written using SQLite version 3045002, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8621516222976348
Encrypted:	false
SSDEEP:
MD5:	CD6917CC36422AED5E2A20A1132943DB
SHA1:	481F964FC0721A3338A3A9A1F6CEB7D6B27B231C
SHA-256:	0ACE9FF85BC53BE1DEBB74C7F6A767BABFEF479921CBC174496E701AFD2239A9
SHA-512:	20E82CC32641275828ACD5BF5AB2EF5F760414B9B77FCD2E9AFEA76DF47615259AC7BA1D58F8A8F341F1492CEADCC3C98243BDB19D5B83D97674E7A238E48272
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................v.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\Login Data For Account

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	SQLite 3.x database, last written using SQLite version 3045002, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8621516222976348
Encrypted:	false
SSDEEP:
MD5:	CD6917CC36422AED5E2A20A1132943DB
SHA1:	481F964FC0721A3338A3A9A1F6CEB7D6B27B231C
SHA-256:	0ACE9FF85BC53BE1DEBB74C7F6A767BABFEF479921CBC174496E701AFD2239A9
SHA-512:	20E82CC32641275828ACD5BF5AB2EF5F760414B9B77FCD2E9AFEA76DF47615259AC7BA1D58F8A8F341F1492CEADCC3C98243BDB19D5B83D97674E7A238E48272
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................v.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\Network Action Predictor

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	SQLite 3.x database, last written using SQLite version 3045002, file counter 3, database pages 11, cookie 0x6, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	45056
Entropy (8bit):	0.4028722755425988
Encrypted:	false
SSDEEP:
MD5:	EBBBB297C4628BF5E0CA978FBF51D28B
SHA1:	AA337992CC26CB38638DF6C022DCFAF8DC90663C
SHA-256:	552405E1173A579F6C593EF7366373AFE2E7CE18590D8E7571F89D3F5D97CB05
SHA-512:	AE6F30B05F3DD4B0902A100FAD201B2A2C73F2D34332964093859E926548E9DB243989C1635264FF91F8A1DE2BAA4A8942F9B4FC3E592AA1BBACF4F58AA06F6C
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................v.......?......\.v.-.@.......?........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\Network\714645c4-0a22-43fc-91f7-9ea6a6d34d6d.tmp

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	59
Entropy (8bit):	4.619434150836742
Encrypted:	false
SSDEEP:
MD5:	2800881C775077E1C4B6E06BF4676DE4
SHA1:	2873631068C8B3B9495638C865915BE822442C8B
SHA-256:	226EEC4486509917AA336AFEBD6FF65777B75B65F1FB06891D2A857A9421A974
SHA-512:	E342407AB65CC68F1B3FD706CD0A37680A0864FFD30A6539730180EDE2CDCD732CC97AE0B9EF7DB12DA5C0F83E429DF0840DBF7596ACA859A0301665E517377B
Malicious:	false
Preview:	{"net":{"network_qualities":{"CAESABiAgICA+P////8B":"4G"}}}

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\Network\74a21654-44cf-4360-bb93-bcb0a40ab128.tmp

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\Network\7f9cbc1f-c689-4c30-b872-049a753f8447.tmp

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\Network\Cookies

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	SQLite 3.x database, last written using SQLite version 3045002, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6121372591693102
Encrypted:	false
SSDEEP:
MD5:	E58E2C64B8C2FE54AE61D1B7E505BC73
SHA1:	E426536FCA236FAFE02B0A54C330E90C90C024A0
SHA-256:	15A22EBBC358370AD3476BA0A0C44F87F548F01D59720D17FF580C534A35E058
SHA-512:	1CCF704BC0DA1C968DF2D204BAD825863486397BCC9DF994964B3FD6B6C2603FE8540C795D27BACEE2FDDAECFA53ACFBA09F76ED0FBCA686CD09E0CE5618328A
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................v.......@..g.....@....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\Network\Network Persistent State (copy)

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	59
Entropy (8bit):	4.619434150836742
Encrypted:	false
SSDEEP:
MD5:	2800881C775077E1C4B6E06BF4676DE4
SHA1:	2873631068C8B3B9495638C865915BE822442C8B
SHA-256:	226EEC4486509917AA336AFEBD6FF65777B75B65F1FB06891D2A857A9421A974
SHA-512:	E342407AB65CC68F1B3FD706CD0A37680A0864FFD30A6539730180EDE2CDCD732CC97AE0B9EF7DB12DA5C0F83E429DF0840DBF7596ACA859A0301665E517377B
Malicious:	false
Preview:	{"net":{"network_qualities":{"CAESABiAgICA+P////8B":"4G"}}}

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\Network\Reporting and NEL

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	SQLite 3.x database, last written using SQLite version 3045002, file counter 5, database pages 9, cookie 0x4, schema 4, UTF-8, version-valid-for 5
Category:	dropped
Size (bytes):	36864
Entropy (8bit):	0.6943114868302145
Encrypted:	false
SSDEEP:
MD5:	CD3DA77D569D875697EE6FB582E2F365
SHA1:	4D6C211070FFFDF41295FFF09AC54FE37E21453C
SHA-256:	978937A70D56CFC32F25DF6EEDC6F1DA220E0B5135BAEAA88EA068F623181547
SHA-512:	41E72556C4929B36BF33FF0BA6B3A3C02EFB1350F55198E27F7742DB9B7B079B6A03B578BE8ABB7F4DE17D92A77279962B4E8185F16B3A36DB234727A41A6278
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................v..........g...D.........7............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\Network\SCT Auditing Pending Reports (copy)

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\Network\SCT Auditing Pending Reports~RF7ac590.TMP (copy)

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:
MD5:	D751713988987E9331980363E24189CE
SHA1:	97D170E1550EEE4AFC0AF065B78CDA302A97674C
SHA-256:	4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
SHA-512:	B25B294CB4DEB69EA00A4C3CF3113904801B6015E5956BD019A8570B1FE1D6040E944EF3CDEE16D0A46503CA6E659A25F21CF9CEDDC13F352A3C98138C15D6AF
Malicious:	false
Preview:	[]

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\Network\Trust Tokens

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	SQLite 3.x database, last written using SQLite version 3045002, file counter 3, database pages 9, cookie 0x6, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	36864
Entropy (8bit):	0.3650098242300801
Encrypted:	false
SSDEEP:
MD5:	BA18BF06E5B76061522CDEF07791AB8D
SHA1:	3A237D7DC0CE618F9DADD49D9841548E3DD1302A
SHA-256:	9E73B896C702A73BC8CC8B2D8F9B8FFA303581802EBB26F95C34793A4CD12FCA
SHA-512:	382012DB8AE451368AD429C60CB7CD8E21842DFBBE8C7E8D43EDE29CDFB06FB76774365D07E7EB1EC37874F4F99F75299D0629C4CA2583683A573919C026FD1C
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................v.......X..g...}.....$.X..............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\Preferences

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2222
Entropy (8bit):	4.7921253635304195
Encrypted:	false
SSDEEP:
MD5:	A6AAA8E55F56DB3A1808283A290494F6
SHA1:	3B994B330E8BDDEF3F1316AE150D5C0ABBFEB23B
SHA-256:	D1112D5D138ADE49D88401273F3270C15E9781D5CAB28977B97CA107C7E7B9C3
SHA-512:	5C59A87C024F64FDAFD71A68005EC3E28A6CFD3643B57DB3C3659C47CDFE6D5FB22963CB007F5075694526AD1ED0AD35DEC38894670F677E925E7ABD4334BCB0
Malicious:	false
Preview:	{.. "protection": {.. "macs": {.. "browser": {.. "show_home_button": "904452986128BBEE5A7B1FFB8F342100C3150E3D9FD76C4105DF33EB021E22FD".. },.. "default_search_provider_data": {.. "template_url_data": "575D258E47F940C6887685ABA99A5839CBFE4BA30863349DFE0D0C375AAB8816".. },.. "enterprise_signin": {.. "policy_recovery_token": "7D3124ECAF7E96407EB65EAF5A43B02C7EE5F2D4A9FA38A9F371F9E1B74D6383".. },.. "google": {.. "services": {.. "account_id": "E5B4CD7C5FA271A47D07D462465AFD63DBF6A8CDFAFEF4839D13F8F552131486",.. "last_account_id": "6C67156FD15665D53CD24B5098D16B462BA8B8A0EFDD969A317C3235E973A4A3",.. "last_signed_in_username": "82DB8D884695C643C31778B7B50DBB376848E2F81B5A1AECDA34FD448CECD10D",.. "last_username": "24FCEF9BF7DF12A2935BE143E58951E09DBAA1D3E0E24430C0FF93009F5D6AFD".. }.. },.. "homepage": "B1E9

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\Preferences~RF7ae722.TMP (copy)

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2222
Entropy (8bit):	4.7921253635304195
Encrypted:	false
SSDEEP:
MD5:	A6AAA8E55F56DB3A1808283A290494F6
SHA1:	3B994B330E8BDDEF3F1316AE150D5C0ABBFEB23B
SHA-256:	D1112D5D138ADE49D88401273F3270C15E9781D5CAB28977B97CA107C7E7B9C3
SHA-512:	5C59A87C024F64FDAFD71A68005EC3E28A6CFD3643B57DB3C3659C47CDFE6D5FB22963CB007F5075694526AD1ED0AD35DEC38894670F677E925E7ABD4334BCB0
Malicious:	false
Preview:	{.. "protection": {.. "macs": {.. "browser": {.. "show_home_button": "904452986128BBEE5A7B1FFB8F342100C3150E3D9FD76C4105DF33EB021E22FD".. },.. "default_search_provider_data": {.. "template_url_data": "575D258E47F940C6887685ABA99A5839CBFE4BA30863349DFE0D0C375AAB8816".. },.. "enterprise_signin": {.. "policy_recovery_token": "7D3124ECAF7E96407EB65EAF5A43B02C7EE5F2D4A9FA38A9F371F9E1B74D6383".. },.. "google": {.. "services": {.. "account_id": "E5B4CD7C5FA271A47D07D462465AFD63DBF6A8CDFAFEF4839D13F8F552131486",.. "last_account_id": "6C67156FD15665D53CD24B5098D16B462BA8B8A0EFDD969A317C3235E973A4A3",.. "last_signed_in_username": "82DB8D884695C643C31778B7B50DBB376848E2F81B5A1AECDA34FD448CECD10D",.. "last_username": "24FCEF9BF7DF12A2935BE143E58951E09DBAA1D3E0E24430C0FF93009F5D6AFD".. }.. },.. "homepage": "B1E9

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\Preferences~RF7b0e42.TMP (copy)

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2222
Entropy (8bit):	4.7921253635304195
Encrypted:	false
SSDEEP:
MD5:	A6AAA8E55F56DB3A1808283A290494F6
SHA1:	3B994B330E8BDDEF3F1316AE150D5C0ABBFEB23B
SHA-256:	D1112D5D138ADE49D88401273F3270C15E9781D5CAB28977B97CA107C7E7B9C3
SHA-512:	5C59A87C024F64FDAFD71A68005EC3E28A6CFD3643B57DB3C3659C47CDFE6D5FB22963CB007F5075694526AD1ED0AD35DEC38894670F677E925E7ABD4334BCB0
Malicious:	false
Preview:	{.. "protection": {.. "macs": {.. "browser": {.. "show_home_button": "904452986128BBEE5A7B1FFB8F342100C3150E3D9FD76C4105DF33EB021E22FD".. },.. "default_search_provider_data": {.. "template_url_data": "575D258E47F940C6887685ABA99A5839CBFE4BA30863349DFE0D0C375AAB8816".. },.. "enterprise_signin": {.. "policy_recovery_token": "7D3124ECAF7E96407EB65EAF5A43B02C7EE5F2D4A9FA38A9F371F9E1B74D6383".. },.. "google": {.. "services": {.. "account_id": "E5B4CD7C5FA271A47D07D462465AFD63DBF6A8CDFAFEF4839D13F8F552131486",.. "last_account_id": "6C67156FD15665D53CD24B5098D16B462BA8B8A0EFDD969A317C3235E973A4A3",.. "last_signed_in_username": "82DB8D884695C643C31778B7B50DBB376848E2F81B5A1AECDA34FD448CECD10D",.. "last_username": "24FCEF9BF7DF12A2935BE143E58951E09DBAA1D3E0E24430C0FF93009F5D6AFD".. }.. },.. "homepage": "B1E9

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\Preferences~RF7b5c71.TMP (copy)

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2222
Entropy (8bit):	4.7921253635304195
Encrypted:	false
SSDEEP:
MD5:	A6AAA8E55F56DB3A1808283A290494F6
SHA1:	3B994B330E8BDDEF3F1316AE150D5C0ABBFEB23B
SHA-256:	D1112D5D138ADE49D88401273F3270C15E9781D5CAB28977B97CA107C7E7B9C3
SHA-512:	5C59A87C024F64FDAFD71A68005EC3E28A6CFD3643B57DB3C3659C47CDFE6D5FB22963CB007F5075694526AD1ED0AD35DEC38894670F677E925E7ABD4334BCB0
Malicious:	false
Preview:	{.. "protection": {.. "macs": {.. "browser": {.. "show_home_button": "904452986128BBEE5A7B1FFB8F342100C3150E3D9FD76C4105DF33EB021E22FD".. },.. "default_search_provider_data": {.. "template_url_data": "575D258E47F940C6887685ABA99A5839CBFE4BA30863349DFE0D0C375AAB8816".. },.. "enterprise_signin": {.. "policy_recovery_token": "7D3124ECAF7E96407EB65EAF5A43B02C7EE5F2D4A9FA38A9F371F9E1B74D6383".. },.. "google": {.. "services": {.. "account_id": "E5B4CD7C5FA271A47D07D462465AFD63DBF6A8CDFAFEF4839D13F8F552131486",.. "last_account_id": "6C67156FD15665D53CD24B5098D16B462BA8B8A0EFDD969A317C3235E973A4A3",.. "last_signed_in_username": "82DB8D884695C643C31778B7B50DBB376848E2F81B5A1AECDA34FD448CECD10D",.. "last_username": "24FCEF9BF7DF12A2935BE143E58951E09DBAA1D3E0E24430C0FF93009F5D6AFD".. }.. },.. "homepage": "B1E9

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\PreferredApps

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	33
Entropy (8bit):	4.051821770808046
Encrypted:	false
SSDEEP:
MD5:	2B432FEF211C69C745ACA86DE4F8E4AB
SHA1:	4B92DA8D4C0188CF2409500ADCD2200444A82FCC
SHA-256:	42B55D126D1E640B1ED7A6BDCB9A46C81DF461FA7E131F4F8C7108C2C61C14DE
SHA-512:	948502DE4DC89A7E9D2E1660451FCD0F44FD3816072924A44F145D821D0363233CC92A377DBA3A0A9F849E3C17B1893070025C369C8120083A622D025FE1EACF
Malicious:	false
Preview:	{"preferred_apps":[],"version":1}

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\PrivateAggregation

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	SQLite 3.x database, last written using SQLite version 3045002, file counter 2, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.3492142191231064
Encrypted:	false
SSDEEP:
MD5:	9C86BFFCBDDA480BD26A2EBF89212E38
SHA1:	2AEC250F58D0BADD524E6CB02533874CAF7EBB4F
SHA-256:	BA9F35B83B1BF3D2FB51FEF95ED9A9B77A896094124682069C20D2076947CA80
SHA-512:	3E24FEBF1BE76C393D70A3DB02B233753DD885263CA49B56CF9FCEB142FA687299AFEE03FBCF17D2A2ED6F90AD3D2B41283EFB6CE215DB35D04E0033FA49A102
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................v.......d..g...d......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\Safe Browsing Network\Safe Browsing Cookies

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	SQLite 3.x database, last written using SQLite version 3045002, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6121372591693102
Encrypted:	false
SSDEEP:
MD5:	E58E2C64B8C2FE54AE61D1B7E505BC73
SHA1:	E426536FCA236FAFE02B0A54C330E90C90C024A0
SHA-256:	15A22EBBC358370AD3476BA0A0C44F87F548F01D59720D17FF580C534A35E058
SHA-512:	1CCF704BC0DA1C968DF2D204BAD825863486397BCC9DF994964B3FD6B6C2603FE8540C795D27BACEE2FDDAECFA53ACFBA09F76ED0FBCA686CD09E0CE5618328A
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................v.......@..g.....@....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\Secure Preferences (copy)

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	6298
Entropy (8bit):	5.520041538337388
Encrypted:	false
SSDEEP:
MD5:	B2D9E83B10CC5E9923700579F1FFE3BB
SHA1:	062F260CD8A33943AFAE12CA60F8FB9FCBEC182D
SHA-256:	7519E09DE0C7D122FF8C27E53432DB48BC1356AA9AF2C5E25F02A539D6499818
SHA-512:	D54D3EC5C41D1A4D4AA055C38694CE5E6F82A215BBB626F3527E1F13321F57D74F349EF127D9586D7B1267F807F0206D2491ACF8DC4EBA29D27C79BB5583A5AA
Malicious:	false
Preview:	{"default_search_provider_data":{"template_url_data":{"alternate_urls":["https://onestart.ai/chr/search?iid=40f05e8e-ef61-4211-af81-78bf374c0ab8&q={searchTerms}"],"contextual_search_url":"","created_by_policy":1,"created_from_play_api":false,"date_created":"13375909799032521","doodle_url":"","enforced_by_policy":true,"favicon_url":"","featured_by_policy":false,"id":"11","image_search_branding_label":"","image_translate_source_language_param_key":"","image_translate_target_language_param_key":"","image_translate_url":"","image_url":"","image_url_post_params":"","input_encodings":[],"is_active":1,"keyword":"onestart.ai","last_modified":"13375909799032521","last_visited":"0","logo_url":"","new_tab_url":"","originating_url":"","preconnect_to_search_url":false,"prefetch_likely_navigations":false,"prepopulate_id":0,"safe_for_autoreplace":false,"search_intent_params":[],"search_url_post_params":"","short_name":"OneStart","side_image_search_param":"","side_search_param":"","starter_pack_id":0,

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\Secure Preferences~RF7b16be.TMP (copy)

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	6298
Entropy (8bit):	5.520041538337388
Encrypted:	false
SSDEEP:
MD5:	B2D9E83B10CC5E9923700579F1FFE3BB
SHA1:	062F260CD8A33943AFAE12CA60F8FB9FCBEC182D
SHA-256:	7519E09DE0C7D122FF8C27E53432DB48BC1356AA9AF2C5E25F02A539D6499818
SHA-512:	D54D3EC5C41D1A4D4AA055C38694CE5E6F82A215BBB626F3527E1F13321F57D74F349EF127D9586D7B1267F807F0206D2491ACF8DC4EBA29D27C79BB5583A5AA
Malicious:	false
Preview:	{"default_search_provider_data":{"template_url_data":{"alternate_urls":["https://onestart.ai/chr/search?iid=40f05e8e-ef61-4211-af81-78bf374c0ab8&q={searchTerms}"],"contextual_search_url":"","created_by_policy":1,"created_from_play_api":false,"date_created":"13375909799032521","doodle_url":"","enforced_by_policy":true,"favicon_url":"","featured_by_policy":false,"id":"11","image_search_branding_label":"","image_translate_source_language_param_key":"","image_translate_target_language_param_key":"","image_translate_url":"","image_url":"","image_url_post_params":"","input_encodings":[],"is_active":1,"keyword":"onestart.ai","last_modified":"13375909799032521","last_visited":"0","logo_url":"","new_tab_url":"","originating_url":"","preconnect_to_search_url":false,"prefetch_likely_navigations":false,"prepopulate_id":0,"safe_for_autoreplace":false,"search_intent_params":[],"search_url_post_params":"","short_name":"OneStart","side_image_search_param":"","side_search_param":"","starter_pack_id":0,

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\Service Worker\Database\000001.dbtmp

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\Service Worker\Database\000003.log

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	data
Category:	dropped
Size (bytes):	2014
Entropy (8bit):	5.826105107981401
Encrypted:	false
SSDEEP:
MD5:	488D7F8C6A2011DF793655D0DFA1CCC4
SHA1:	B5E9BA39E3725C1B310FF11EB8AC26F366565CC2
SHA-256:	15771E086D3A9BC7FE3DC213ABC018ED7D4FE027879111C7B9315E3912C6C169
SHA-512:	BF171F2C155C1155AABCA17230CF83BF3544B767E4825A41E497A3894AE4E8DBE7F59C761939DA944BAA23A741EC251013F7041929DA61606EB4260816414C50
Malicious:	false
Preview:	....I................URES:0...INITDATA_NEXT_RESOURCE_ID.1..INITDATA_DB_VERSION.2..\..................INITDATA_NEXT_REGISTRATION_ID.1..INITDATA_NEXT_VERSION_ID.1.KINITDATA_UNIQUE_ORIGIN:chrome-extension://memhbiihnoblfombkckdfmemihcnlihc/..:REG:chrome-extension://memhbiihnoblfombkckdfmemihcnlihc/.0.....4chrome-extension://memhbiihnoblfombkckdfmemihcnlihc/.Dchrome-extension://memhbiihnoblfombkckdfmemihcnlihc/serviceWorker.js .(.0.8.......@...Z.b.....trueh.h..h..h..p.x..............................REGID_TO_ORIGIN:04chrome-extension://memhbiihnoblfombkckdfmemihcnlihc/..RES:0.0.....Dchrome-extension://memhbiihnoblfombkckdfmemihcnlihc/serviceWorker.js...."@C35D78C92FAC28E781BD741BF0320715A9F7746DCE391D69ADA8BCD3CF7ED6B6..URES:0..PRES:0x.mx................:REG:chrome-extension://memhbiihnoblfombkckdfmemihcnlihc/.0.....4chrome-extension://memhbiihnoblfombkckdfmemihcnlihc/.Dchrome-extension://memhbiihnoblfombkckdfmemihcnlihc/serviceWorker.js .(.0.8.......@...Z.b.....trueh.h..h..h..p.x........

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\Service Worker\Database\CURRENT (copy)

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\Service Worker\Database\LOG

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	311
Entropy (8bit):	5.089512141417842
Encrypted:	false
SSDEEP:
MD5:	FEEA2C08E28D155C5DC09F64336183A6
SHA1:	3DB87833E68375C553A3B212BF766C8F35EFAFE4
SHA-256:	A2190731C9987BF32C7A4B714BEE52C661277663CC03B32D2EF9DF9AE770BFEB
SHA-512:	F5D8C00D6371FAB3B4B73C6E2BAB8CDD4B8B0A3662AF15681366C46F1F6895C48BB8C83FEBA0DC618E207E3E3B301DE72E40E2AE542A28FDE5041706DF44A1CB
Malicious:	false
Preview:	2024/11/12-13:30:08.588 2310 Creating DB C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\Service Worker\Database since it was missing..2024/11/12-13:30:08.705 2310 Reusing MANIFEST C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\Service Worker\Database/MANIFEST-000001.

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\Service Worker\Database\MANIFEST-000001

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\Service Worker\ScriptCache\2cc80dabc69f58b6_0

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	data
Category:	dropped
Size (bytes):	33639
Entropy (8bit):	4.9018627190197925
Encrypted:	false
SSDEEP:
MD5:	1ED7B6756A84C5E20ABF485C51EC5B4D
SHA1:	1F28BFB8324907BA34316AC724044402B5FE0954
SHA-256:	76CA1E375613C05DEA2AEF614B909F4BF2B0136EEA2985DED476455B7773A955
SHA-512:	331F17895492CCC51373896F5078FEB678134C5DE94215A4468E5EE845E3D3262DD9EF2636235421BB389D9D95F834081A9EA576960E8629194B1A31AB539615
Malicious:	false
Preview:	0\r..m..........rSG.....0/****/ (() => { // webpackBootstrap./**/ ."use strict";./**/ .var __webpack_modules__ = ({..// 700:./*/ ((__unused_webpack_module, __webpack_exports__, __webpack_require__) => {...// EXPORTS.__webpack_require__.d(__webpack_exports__, {. A: () => (/ binding / Ads).});..// EXTERNAL MODULE: ./src/background/user.ts.var user = __webpack_require__(223);.// EXTERNAL MODULE: ./src/common/tabs.ts.var tabs = __webpack_require__(655);.// EXTERNAL MODULE: ./src/common/messages.ts.var messages = __webpack_require__(95);.;// CONCATENATED MODULE: ./src/background/spotlight.ts..const showSpotlight = async (adData, tabId)=>{. const tab = await (0,tabs/ getTab */.i)(tabId);. const tabWidth = tab.width ?? 0;. const tabHeight = tab.height ?? 0;. // Spotlight unit can fit into the screen. if (tabWidth <= adData.width \|\| tabHeight <= adData.height) {. return;. }. // Tab is in focus. if (!tab.active) {. return;. }. await

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\Service Worker\ScriptCache\2cc80dabc69f58b6_1

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	data
Category:	dropped
Size (bytes):	42809
Entropy (8bit):	5.873082732555324
Encrypted:	false
SSDEEP:
MD5:	F2251A47C9BEC4A4DF876F217A46FE92
SHA1:	73110340D99E765D286A530E9D739AE96CB917EB
SHA-256:	ADDE085C13E025ABA050D1CCF745F08186978553EDB1D463EB4C7D630006E0F1
SHA-512:	B03F6AE8A0C80F71FFB771AD0E5F70B0B8833ACAAA6E8D3D817B143CDE5A83FD0E9759CE508F61C64C4A96E39847FB7B3C10173BBBB35947E8B602618F263934
Malicious:	false
Preview:	0\r..m..........rSG.....0....r .;........<...............!............0T..4...`............a........`............q.`.....0T....`<.........a........`........<.`.....<Sddp................... Rf.......__webpack_modules__..$Rg..._....__webpack_module_cache__. Rf.W".....__webpack_require__.b............I`....D.0T..h..`z........4a........`..........`......bj.....b..............bj....b............r8................1..../...........7...........1.../.........._..../.......`.....(Sd.qA.........*........,`....D. ....d..........0..........H......PQ.L.'..D...chrome-extension://memhbiihnoblfombkckdfmemihcnlihc/serviceWorker.jsa........Db............D`........Y.`............0T......`...........`a........`..........`.q.`,....xSddpW.............$M....RbR^.,....user..Rb..}.....tabs..Rc........messages..Re.J.?....showSpotlight.....Re...'....common_static.....Rd~.......REQUEST_URL...Rd"?.p....AD_FILL_URL...Re.Y.u....CONVERSION_URL... Rf&.M.....MAX_KEYWORDS_LENGTH...Rb6......Ads.i.................

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\Service Worker\ScriptCache\4cb013792b196a35_0

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	data
Category:	dropped
Size (bytes):	16256
Entropy (8bit):	4.126420225788366
Encrypted:	false
SSDEEP:
MD5:	7B9CEF7A03E9EDB9956BEF58F41A4961
SHA1:	722B5885E0131B515D4C2D30C10713B2F21D4338
SHA-256:	DB4A9B1F5FB7E4E61163CB274EF2F14A3C25492CF1641F178C1FA40417FABC66
SHA-512:	7540284526B3869AE25CEF0718F44A159A21FFFDD3DBE1F70344E641D79923F0BF8C80A292964167B38774096F4EEBAE6ACC42E763439A63C0F4C50B7BB2AB19
Malicious:	false
Preview:	0\r..m..........V.......1/****/ (() => { // webpackBootstrap./****/ ."use strict";.var __webpack_exports__ = {};..// UNUSED EXPORTS: C1_Offer_Key, checkIfExtensionInstall, default..;// CONCATENATED MODULE: ./src/common/messages.ts.const openShadTab = 'open-shad-tab';.const notif_frame_id = 'notf_' + chrome.runtime.id;.const c1_ext_id = 'nenlahapcbofgnanklpelkaejcehkggg';.const close_ls_id = 'ls_close';..;// CONCATENATED MODULE: ./src/common/utils.ts.const isValidUrl = (url)=>{. try {. return !!new URL(url);. } catch {. return false;. }.};.const inQueue = (fn)=>{. const promises = [];. return (...args)=>{. const promise = Promise.all(promises).then(()=>fn(...args));. promises.push(promise);. return promise;. };.};.function wrapInPromise(wrapper) {. return new Promise((resolve, reject)=>wrapper((result)=>{. if (chrome.runtime.lastError) {. reject(new Error(chrome.runtime.lastError.message));.

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\Service Worker\ScriptCache\4cb013792b196a35_1

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	data
Category:	dropped
Size (bytes):	19009
Entropy (8bit):	6.062988938851045
Encrypted:	false
SSDEEP:
MD5:	B85601BBC8716E40043D088CCB0F6F0A
SHA1:	B83F920BCA50E7093ED809D37AD09596DC81AC22
SHA-256:	7B87227B9E6EF7EC3CD9EC22AFEC17FD506B88BFC28E3E2B9E6A4AC094CCAAF8
SHA-512:	FB8F7AF57424F742EEED81232706159135776D954E6081667F651C6B5DDFCE2C24A9D5F18E24F5A0DC21AC2E0945F5A2F61DBA5BE42B9E398838C8D769440196
Malicious:	false
Preview:	0\r..m..........V.......1....r .;........<.......>.......!.I...........0T..4...`............a........`............q.`.....0T..9...`..........a........`..........`L.....Sddp...............\|... Rf^e.5....checkCookieExists.....Rd..r.....USER_ID_KEY...ReV.......INSTALL_ID_KEY....Rb.z>.....User..Rdj.wx....requestOffer. RfF......getNewTabBookmarkUrl..Rd..4N....getInstallId.$Rg........checkIfExtensionInstall...Re.1g.....createShadTab.....Re...&....installExtension..Re^.g.....isUpdatedVersion..Rd...M....getBVersion...Rd..e.....C1_Offer_Key..Rbr..+....C1..m........................................................I`....D.0T..h..`z........`a........`........y.d .......'...s...........`.....9..0T..T...`T..........ta........`............q.`.....8SddpW..........a...d...q....a....(...I`....D. ..Rc.(......chrome....Rd..P.....bookmarks.........0T..L..`H.........a........`..........`.........B...0T..T...`V...........a........`............q.`.........Rb.ek#....url.......,Ri...(....https://onestart.ai/

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\Service Worker\ScriptCache\index

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	2.1431558784658327
Encrypted:	false
SSDEEP:
MD5:	54CB446F628B2EA4A5BCE5769910512E
SHA1:	C27CA848427FE87F5CF4D0E0E3CD57151B0D820D
SHA-256:	FBCFE23A2ECB82B7100C50811691DDE0A33AA3DA8D176BE9882A9DB485DC0F2D
SHA-512:	8F6ED2E91AED9BD415789B1DBE591E7EAB29F3F1B48FDFA5E864D7BF4AE554ACC5D82B4097A770DABC228523253623E4296C5023CF48252E1B94382C43123CB0
Malicious:	false
Preview:	0\r..m..................

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\Service Worker\ScriptCache\index-dir\temp-index

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	data
Category:	dropped
Size (bytes):	96
Entropy (8bit):	3.5424812503605794
Encrypted:	false
SSDEEP:
MD5:	47FAB76070712DBC3B671E7B8C01B9A9
SHA1:	5F262059BAD615BB1F1BF9F0228116DF44558DF7
SHA-256:	A02475BE3483E229A0D329DA3E2FD984F35D522BFBDE4C44646F14CCA44E6837
SHA-512:	FCFEAB7710A1E8EFEDD94B96B02C5D94F92F644835E9DA0A1F839A7011895D781012DCD0D5D05A1042DE06C9754E2130907E5B6C11F41A587D620FE1C97D1BB7
Malicious:	false
Preview:	X.....1.oy retne........................5j.+y..L<................X....,<........+......g,..Q./.

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index (copy)

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	data
Category:	dropped
Size (bytes):	96
Entropy (8bit):	3.5424812503605794
Encrypted:	false
SSDEEP:
MD5:	47FAB76070712DBC3B671E7B8C01B9A9
SHA1:	5F262059BAD615BB1F1BF9F0228116DF44558DF7
SHA-256:	A02475BE3483E229A0D329DA3E2FD984F35D522BFBDE4C44646F14CCA44E6837
SHA-512:	FCFEAB7710A1E8EFEDD94B96B02C5D94F92F644835E9DA0A1F839A7011895D781012DCD0D5D05A1042DE06C9754E2130907E5B6C11F41A587D620FE1C97D1BB7
Malicious:	false
Preview:	X.....1.oy retne........................5j.+y..L<................X....,<........+......g,..Q./.

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RF7b4242.TMP (copy)

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	data
Category:	dropped
Size (bytes):	96
Entropy (8bit):	3.5424812503605794
Encrypted:	false
SSDEEP:
MD5:	47FAB76070712DBC3B671E7B8C01B9A9
SHA1:	5F262059BAD615BB1F1BF9F0228116DF44558DF7
SHA-256:	A02475BE3483E229A0D329DA3E2FD984F35D522BFBDE4C44646F14CCA44E6837
SHA-512:	FCFEAB7710A1E8EFEDD94B96B02C5D94F92F644835E9DA0A1F839A7011895D781012DCD0D5D05A1042DE06C9754E2130907E5B6C11F41A587D620FE1C97D1BB7
Malicious:	false
Preview:	X.....1.oy retne........................5j.+y..L<................X....,<........+......g,..Q./.

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\Session Storage\000001.dbtmp

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\Session Storage\000003.log

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	data
Category:	modified
Size (bytes):	189
Entropy (8bit):	4.922088743092261
Encrypted:	false
SSDEEP:
MD5:	D48ED8033023B017A68984278EE41F0C
SHA1:	FB9EA4939D502DAA6A02C9520991CFE12BC6E1A2
SHA-256:	79D650FBEEFAB2C3EFBC1F51823557E26FB80BF4691EB19B657F0D924CDFA28E
SHA-512:	50430BF2C4CE22B98B7A61D4CA809ED4C56690EB2435812F26B80CA44DA343794A1C162434DF49A86BADF56D14E35D987C5F7D842FC50403CEB311DFC671A661
Malicious:	false
Preview:	*...#................version.1..namespace-..&f................k3.y................next-map-id.1.Znamespace-ae210b97_fe8d_45e7_aeb5_a7c4c7a15a53-https://onestart.ai/^0chrome://new-tab-page.0

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\Session Storage\CURRENT (copy)

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\Session Storage\LOG

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	295
Entropy (8bit):	5.058744120406183
Encrypted:	false
SSDEEP:
MD5:	233444973FCD9D973B03415C2E3807F0
SHA1:	52E60C26F68B8F4AE5FF04D2D6FC178DA0529CE1
SHA-256:	9D6B6598699CBBF6A2B1C6F164461874FD936C8D96A39500C6659D5D54B7126C
SHA-512:	8A67FED83929BB52B5A8EF97847ACDC4280C46DE216A54A4BE50055A3424C88B801F94C4732B5D7DBDF2DEA7D54F6BBF24382D48EA4FF2593B59820016BF4F0D
Malicious:	false
Preview:	2024/11/12-13:29:59.039 1a8c Creating DB C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\Session Storage since it was missing..2024/11/12-13:29:59.224 1a8c Reusing MANIFEST C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\Session Storage/MANIFEST-000001.

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\Session Storage\MANIFEST-000001

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\Sessions\Session_13375909801840321

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	data
Category:	dropped
Size (bytes):	3400
Entropy (8bit):	2.995459993521419
Encrypted:	false
SSDEEP:
MD5:	FAF353A2B6A10F421916123047F98A46
SHA1:	1D51318802E836BFE3D8323C59CC8657BD6A68F1
SHA-256:	1A3927173B949D46649FC8DDCF5E2EDFAE42DB51657F1E8C711D4E17DEACE168
SHA-512:	9CDD47BA540F2D985E9D65980C5C0CCC626F1AF12D0FFEF1F91E4CB1E9C3F4B862021D2E9ED24DBBE1C28DF142A358A4804B5DA5B40A30E3AA7A65FC940361C9
Malicious:	false
Preview:	SNSS.......+..h...........+..h...........+..h...... +..h.......,..h.......,..h....!..,..h...............................+..h,..h1..,...,..h$...ae210b97_fe8d_45e7_aeb5_a7c4c7a15a53...+..h.......,..h......'.Q./....+..h...+..h.......................+..h.......................+..h.......................,..h...........,..h........chrome://newtab/....N.e.w. .T.a.b...d...`...!...X......................................................................................................g.&.....g.&..................................h...............................................4.......c.h.r.o.m.e.:././.n.e.w.-.t.a.b.-.p.a.g.e./.....................................8.......0.......8....................................................................... .......................................................P...$...a.b.1.b.d.1.f.5.-.d.6.2.0.-.4.e.d.6.-.b.3.0.6.-.0.5.3.8.2.0.e.5.f.3.2.b.................P...$...d.7.9.2.0.d.5.d.-.1.a.f.4.-.4.c.9.e.-.8.a.b.e.-.d.c.f.d.8.c.9.b.e.f.5.1.....................c

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\Shared Dictionary\cache\index

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	2.1431558784658327
Encrypted:	false
SSDEEP:
MD5:	54CB446F628B2EA4A5BCE5769910512E
SHA1:	C27CA848427FE87F5CF4D0E0E3CD57151B0D820D
SHA-256:	FBCFE23A2ECB82B7100C50811691DDE0A33AA3DA8D176BE9882A9DB485DC0F2D
SHA-512:	8F6ED2E91AED9BD415789B1DBE591E7EAB29F3F1B48FDFA5E864D7BF4AE554ACC5D82B4097A770DABC228523253623E4296C5023CF48252E1B94382C43123CB0
Malicious:	false
Preview:	0\r..m..................

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\Shared Dictionary\cache\index-dir\temp-index

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	data
Category:	dropped
Size (bytes):	48
Entropy (8bit):	2.9972243200613975
Encrypted:	false
SSDEEP:
MD5:	BDA6813C75FD4918FFCC9B33002D3274
SHA1:	FB83AF12E2B721A839506E84B3A37609BFC50A84
SHA-256:	286D5D62C462CA505861EA0C55249239D76713C240DA565CFFC2AFD359F26657
SHA-512:	2C3389A536D3DBA833D8A793D114DDAABCE1A81C4CF4921211A1FEC65EF2D8D3F42451E459B0B9EC49E418E1A793A4FAE3A800C146491877AC671FEC94D2FF30
Malicious:	false
Preview:	(.....N;oy retne.........................E..Q./.

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\Shared Dictionary\cache\index-dir\the-real-index (copy)

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	data
Category:	dropped
Size (bytes):	48
Entropy (8bit):	2.9972243200613975
Encrypted:	false
SSDEEP:
MD5:	BDA6813C75FD4918FFCC9B33002D3274
SHA1:	FB83AF12E2B721A839506E84B3A37609BFC50A84
SHA-256:	286D5D62C462CA505861EA0C55249239D76713C240DA565CFFC2AFD359F26657
SHA-512:	2C3389A536D3DBA833D8A793D114DDAABCE1A81C4CF4921211A1FEC65EF2D8D3F42451E459B0B9EC49E418E1A793A4FAE3A800C146491877AC671FEC94D2FF30
Malicious:	false
Preview:	(.....N;oy retne.........................E..Q./.

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\Shared Dictionary\db

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	SQLite 3.x database, last written using SQLite version 3045002, file counter 2, database pages 11, cookie 0x8, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	45056
Entropy (8bit):	0.42922658759693877
Encrypted:	false
SSDEEP:
MD5:	358D089087AA109E41F38DDDA1FF8368
SHA1:	42F68E8E7C6806485AAB068AD2EF9D8992FE3867
SHA-256:	E1EA1994A9C238120944C0009B25C9B75C3B8ACB5CC137A78CD4A8450C809130
SHA-512:	4630EBA964CE1DCCFBB8663F04141C91FF0A3CEE399621637BDEF17C696735316DA23A5BF6F7235B9616005652D175E276E83C8ACA5F99F9F3B4D9C713818553
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................v..........g...\|.*.../...W............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\SharedStorage

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	SQLite 3.x database, last written using SQLite version 3045002, writer version 2, read version 2, file counter 1, database pages 1, cookie 0, schema 0, unknown 0 encoding, version-valid-for 1
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.0905602561507182
Encrypted:	false
SSDEEP:
MD5:	B016510815CFC2BCD2E04D07A0D4CF80
SHA1:	8B67DFF3DEBD7898315D5051C1CA791E3EC9E25F
SHA-256:	02E374A9C1AFDD0D65F515922C3343CD3EA5CC8CCEA04D9F026A9406AF752B55
SHA-512:	5AF6956CC960770D5651B19096A0F55143CAC4FE79F76054042180E9EBBB322A9B1A29DC4FBBB8C12BD8708BB2AF67C8B4280B70B0D1192021FD8D423333344B
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................v.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\SharedStorage-journal

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	SQLite Rollback Journal
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.28499812076190567
Encrypted:	false
SSDEEP:
MD5:	0EFC8BB81E6477E940872378D311A835
SHA1:	1EC1F7594F5CC0B69E823DD605ACF16FFB89A560
SHA-256:	08EC88A594858671E903ACBCC12B0AA715462F7614849F6A8F6C91FB353478FB
SHA-512:	899986FE089326E2C8815C3513ED930EAD681CC399B70C032974FB5B5D433E3D5BC33746B09317C2C9D812EA13E0A52FF69CD0506CC4F460CC985071CD912C99
Malicious:	false
Preview:	.... .c.....9...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\Shortcuts

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	SQLite 3.x database, last written using SQLite version 3045002, file counter 1, database pages 5, cookie 0x2, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.4355788121928965
Encrypted:	false
SSDEEP:
MD5:	D08E89C67B96F8B4C69549952F40D807
SHA1:	99B421E849CA76AD8CF3A45FC212961306F1272C
SHA-256:	573AEB98AD60F2762917498C221DCDD1190678FC214C8DBE9347AA8086AE8765
SHA-512:	9199F7C19792F62812076722F3DCF2585E22857B6041772E76101455C68216D66F209D87B291946AD574D4769428D4CC8BA94BF5E6F8B2BFB1F6DD4B232FAE5B
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................v..........g....."....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\Site Characteristics Database\000001.dbtmp

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\Site Characteristics Database\000003.log

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	data
Category:	dropped
Size (bytes):	40
Entropy (8bit):	3.473726825238924
Encrypted:	false
SSDEEP:
MD5:	148079685E25097536785F4536AF014B
SHA1:	C5FF5B1B69487A9DD4D244D11BBAFA91708C1A41
SHA-256:	F096BC366A931FBA656BDCD77B24AF15A5F29FC53281A727C79F82C608ECFAB8
SHA-512:	C2556034EA51ABFBC172EB62FF11F5AC45C317F84F39D4B9E3DDBD0190DA6EF7FA03FE63631B97AB806430442974A07F8E81B5F7DC52D9F2FCDC669ADCA8D91F
Malicious:	false
Preview:	.On.!................database_metadata.1

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\Site Characteristics Database\CURRENT (copy)

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\Site Characteristics Database\LOG

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	323
Entropy (8bit):	5.022098599835343
Encrypted:	false
SSDEEP:
MD5:	88CE02936F72A44D81DFE5D9CEBBC415
SHA1:	279ED6AE8E4F0FE9791AA3BFD159E1BF5A5CF471
SHA-256:	C0D752BE2F6667097D734111C341DF0F095B9CAD493AE35EA690DBA73A3DF4C3
SHA-512:	655E2B92DBEDEEB65BE484924D9E6E490D14F8492D1247F588FFEEE9602697A09739F53489AB3B3FFFBDC011B754803BFF0A2402CF6CD96F846FAA66BA7D4DE9
Malicious:	false
Preview:	2024/11/12-13:29:56.361 1de0 Creating DB C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\Site Characteristics Database since it was missing..2024/11/12-13:29:56.730 1de0 Reusing MANIFEST C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\Site Characteristics Database/MANIFEST-000001.

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\Site Characteristics Database\MANIFEST-000001

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\Sync Data\LevelDB\000001.dbtmp

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\Sync Data\LevelDB\000003.log

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	data
Category:	dropped
Size (bytes):	65
Entropy (8bit):	3.8214220438289908
Encrypted:	false
SSDEEP:
MD5:	B14764CD1BC1AA64A1F0551CD3682B81
SHA1:	21FE0B213419AD4EFA4EA03B856F8DA1B3AE9351
SHA-256:	8FF00D859349A3EA206706CDD3FA2762AE7C8EFE2FDD33A95A72FEE45AAC6BC4
SHA-512:	86B372FE41C4C2A8E75B5E3CB8979425CA07E6CF0142EF88959C8FD3C35890D8ECA2B83E77BF19CB19900B1C4C296D94ABCA81C135F1D40329C4E3470BDC302A
Malicious:	false
Preview:	...n'................_mts_schema_descriptor.....F................

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\Sync Data\LevelDB\CURRENT (copy)

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\Sync Data\LevelDB\LOG

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	299
Entropy (8bit):	5.1538013274702354
Encrypted:	false
SSDEEP:
MD5:	B1E08A35D47BA245599520B4EE17AED9
SHA1:	79032B3E628E43906C78E3E2EEF32E60A1ED52EB
SHA-256:	54F9C6D5F71A020778F7FF734208751BD8F4B28AE13FA8991B76019C44B792F0
SHA-512:	8EC9FC37959566824154029F7774935DB03CB1B7272F6E99E7A740C81823A79797535361AC03681CC5CFD4066A558AC979C3F686785FC9DDA470276374E7F780
Malicious:	false
Preview:	2024/11/12-13:29:56.355 2310 Creating DB C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\Sync Data\LevelDB since it was missing..2024/11/12-13:29:56.748 2310 Reusing MANIFEST C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\Sync Data\LevelDB/MANIFEST-000001.

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\Sync Data\LevelDB\MANIFEST-000001

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\Top Sites

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	SQLite 3.x database, last written using SQLite version 3045002, file counter 1, database pages 5, cookie 0x2, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.37183843434873126
Encrypted:	false
SSDEEP:
MD5:	220CEEE1D8619A3D13CF2358135AAFDA
SHA1:	F98AEF3776F9D095F55B0068516AF5D7ADC00C74
SHA-256:	C05858C15EC3E96A46FD3FB9139BE18C22373970028A3688EE2AE406D18D7F41
SHA-512:	6EB60475C046B6317C2C8AFCABA86EBF321D68ECFF10E870C8CE0C3AB0B0648B956A45F0C118B335A6799939AF55EDF29471F37247751C4DC77A7420AD0CE2F4
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................v..........g.....4....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\Visited Links

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	data
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	0.011004339783076744
Encrypted:	false
SSDEEP:
MD5:	55E28EC7C2E4FF332AFDB1389E81AC50
SHA1:	3AF3B44653ACC981E2A8D148AFD24572CAA0A05B
SHA-256:	7436FB2BFBF3E8BB1B994609BDB0E69F02463B0AC8CF434614236407AD0B0EB5
SHA-512:	599D0A86D4469F6A1F44E460043F95F295ECFA53AB297D0386B44D7C65763F1BBE9E1876168BB6023F8D87853616AA30CF8F3E8B3B8E47216344B61C01579B87
Malicious:	false
Preview:	VLnk.....?..........&..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................]..jU.[Q........................................................................

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\Web Data

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	SQLite 3.x database, last written using SQLite version 3045002, page size 2048, file counter 3, database pages 64, cookie 0x27, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	1.1315099850169645
Encrypted:	false
SSDEEP:
MD5:	D472E7F64B9E26BC705574A6B69689B7
SHA1:	D68BF0A2FD47734CE452AE86E9D5902D61DFF9F2
SHA-256:	D03DFEEEA29D4D10F282C6B374213E6B5939D79FFDE3CEA63F4FC73EEFF701E4
SHA-512:	0EA46F8EC5CC488A05133338DE51E2061C8342DFF49ECFFF11277F6018E2CE3700CA719EA54A678972965334435CE04391630E77726CEC1DFE0D46E87D3A4CDE
Malicious:	false
Preview:	SQLite format 3......@ .......@...........'......................................................v............=........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\WebStorage\QuotaManager

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	SQLite 3.x database, last written using SQLite version 3045002, file counter 1, database pages 10, cookie 0x7, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.562896263713383
Encrypted:	false
SSDEEP:
MD5:	8576A1077EB65226A20B536CAA7FA99C
SHA1:	449D0517BFD9019A7F53D92ECEC58894B35A91DC
SHA-256:	960EFE2C6627777C006D8D89A9FCF833AB905F78DF453F2F2537BB99AF0F5F42
SHA-512:	F8A992332BED99FF7AD4EE71D0691A8BD52A06B242AA44476519A302353132A2903C6CB0C1463B622C29FB4192A5D285D2B73B61039DBF5800EAC8A7A0BA906D
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................v.......w..g...........M...w..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\a210ecc2-52b9-4ec2-8958-f239ef13a230.tmp

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	414
Entropy (8bit):	5.04432285688484
Encrypted:	false
SSDEEP:
MD5:	762DB658A326EFC1C2F133997683FC72
SHA1:	5DDB60744ECE67BA6993E1F93C33BAB5D1D01A65
SHA-256:	A5409B15A81BC2EC1860CE953DC9FFDD4263A8BB6E1525734DB36F34B9619D34
SHA-512:	8AF8A33BE83C664413C357E9738BFF1F016EAA7420E8C54C6812FCFC161EAA38D8B596C9891D7DF42441C7897E09515B907ADA6F2A547508CF385AC7269E3B8D
Malicious:	false
Preview:	{.. "epochs": [ {.. "calculation_time": "13375909806408082",.. "config_version": 0,.. "model_version": "0",.. "padded_top_topics_start_index": 0,.. "taxonomy_version": 0,.. "top_topics_and_observing_domains": [ ].. } ],.. "hex_encoded_hmac_key": "50BB5A4E32B4D2477428885BECCAE6400B941241684DC517D405D177375D5C94",.. "next_scheduled_calculation_time": "13376514606408239"..}..

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\b3279c52-673d-4a3f-a638-a666451637ee.tmp

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	10053
Entropy (8bit):	5.183559251347346
Encrypted:	false
SSDEEP:
MD5:	C7DFF537E7A190CB9B2D1699F1225D0D
SHA1:	768B65BE505E90A9E0E02ED4A060CF5A0052670F
SHA-256:	E509D6EDA60E163579C3CC7B514423E3903FC6C7E939C81E6442B80688A0A031
SHA-512:	C0DFD6ED2A961BF2993DAF566230B36A355EDBF642E726571DDF82B253797CB829A1A55BE0C30B239D54C54F031F16DE9C3CFA8ED232287D829524783D47F6A9
Malicious:	false
Preview:	{"NewTabPage":{"PrevNavigationTime":"13375909799623327"},"account_tracker_service_last_update":"13375909797168740","alternate_error_pages":{"backup":true},"announcement_notification_service_first_run_time":"13375909796445850","apps":{"shortcuts_arch":"","shortcuts_version":0},"autocomplete":{"retention_policy_last_version":128},"autofill":{"last_version_deduped":128},"browser":{"has_seen_welcome_page":false,"window_placement":{"bottom":1030,"left":10,"maximized":false,"right":955,"top":10,"work_area_bottom":1040,"work_area_left":0,"work_area_right":1920,"work_area_top":0}},"countryid_at_install":18242,"default_apps_install_state":3,"default_search_provider":{"guid":"04e7a9fa-708c-43d3-93ee-3a398fe03efc","synced_guid":"04e7a9fa-708c-43d3-93ee-3a398fe03efc"},"domain_diversity":{"last_reporting_timestamp":"13375909797160618"},"enterprise_profile_guid":"0d947a32-d677-46ae-8194-3b072e0e792a","extensions":{"alerts":{"initialized":true},"chrome_url_overrides":{},"last_chrome_version":"128.0.6

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\c65de637-06f4-4863-a040-1afdfd13ef10.tmp

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	MS Windows icon resource - 13 icons, 8x8, 32 bits/pixel, 10x10, 32 bits/pixel
Category:	dropped
Size (bytes):	167109
Entropy (8bit):	5.081780452241832
Encrypted:	false
SSDEEP:
MD5:	70E5D4E286C45331931C22DBF5B15A9B
SHA1:	BB4DBEE62F4410666033D8BBF658227C80A3AD9A
SHA-256:	6FD93AA2E71AE66DF17C2E84E719D27DF69762375894522D80C95D7C82393793
SHA-512:	BB3931D23042265B7F9C0E4F35470FED8E3279CF677AA7B98DDCF19E110E1EA61B36778890B322BD0FA111023F6097CF4DFE185CF54C89A8E5B2AC3FF5283913
Malicious:	false
Preview:	............ .H............. ............... .p............. .h...n......... ............... ......... .... .....n...((.... .h.......00.... ..%..~H..@@.... .(B..&n..``.... .....N......... .(....D........ ..?...M..(............. ..............................-.-./...TI..}...v..#,......+./..2 ..+...I:..........,....5!..0.../ g.!.\|._`...<.....&...0.....B.........gc.../......F...O...D).........:w.........H...Q...G..'O..`............E0..H...O...E...2...4...<...K,......D1..J...K...M...P...U-....................................(............. ....................................Y.8'..f\...~...\|..TX.............-...1.......,...SE.......Y.........-.U.1.../...0.../..&...]X...p......U./..2...2...-.x.3"..#...A:..j.......$...0.o."...............D...Q.........@k..R...G}......U......h............I...N...L...Bi.....................F_..L...I...I..1...........,...3U......F...L...J...K...C...@...H...L...............G^..I...H...J...M...JY..........................

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\heavy_ad_intervention_opt_out.db

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	SQLite 3.x database, last written using SQLite version 3045002, file counter 2, database pages 4, cookie 0x2, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.3519250993311556
Encrypted:	false
SSDEEP:
MD5:	56B9706A81A233EDFA726B351E150636
SHA1:	01FC2783EB2F7E6B8B83374C826859DE45F87D6E
SHA-256:	C65C6AD07BB139ADCD7450FC0D107D18D8CB538A068707283C7676F31BB8E385
SHA-512:	CD9333F2104E32463ACFFB1D54FB162CA6577C4C163DC441A492B8A8A929090C40046321F901F16CD669095C56AD6670241E87168AB36498451A8CE09A769614
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................v.......Q......Q......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\shared_proto_db\000001.dbtmp

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\shared_proto_db\000003.log

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	data
Category:	dropped
Size (bytes):	9184
Entropy (8bit):	6.612427255294198
Encrypted:	false
SSDEEP:
MD5:	779ED45E98F6576EFD98533ADD19D983
SHA1:	648434C8C7BDC0186937B12E7BA302CCAEBE978B
SHA-256:	98C8CB9258D74E7931DA35B2FC249AA1175E818CE1275C30145FEBB97F596E42
SHA-512:	0F083D6FE7A587C237D9BCB584FF20A67981CAD9670E93018B127F6C2B179D59E09763F66C32F28DD0D23A443C95B39B0840C0E51A6F0BEAEE9E0765D0B66AD9
Malicious:	false
Preview:	...)................41_https://www.example.com/..F...................J.................37_DEFAULT_16v...h.... .(.0.R.(....Session.TotalDuration.T<.A..GO .(.0.../.'.%....?..ChromeLowUserEngagement..Other...... .(...10.S..L.................37_DEFAULT_21........... .(.0.RZ.X...CCommerce.PriceDrops.ActiveTabNavigationComplete.IsProductDetailPage.w.cG$.. .(.0.8.R9.7...$Autofill_PolledCreditCardSuggestions...c..vP. .(.0...$........?..ShoppingUser..Other...... .(...10.... ................37_DEFAULT_23........... .(.0.RH.F...1Omnibox.SuggestionUsed.ClientSummarizedResultType.q/.v.g:` .(.0.8.Ra._.DSELECT COUNT(id) FROM metrics WHERE metric_hash = '64BD7CCE5A95BF00'......................dh...8.0........?..Low......@..Medium......A..High..None...... .(...10.....................37_DEFAULT_27........... .(.0.R=.;...."%..wait_for_device_info_in_seconds..60.SyncDeviceInfoh.p...t.r.p....AndroidPhone..IosPhoneChrome..AndroidTablet..IosTablet..Desktop..Other..SyncedAndFirstDevice..NotSynced..

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\shared_proto_db\CURRENT (copy)

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\shared_proto_db\LOG

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	295
Entropy (8bit):	5.221453394232623
Encrypted:	false
SSDEEP:
MD5:	6CD4DE884FE9239546FA9F676A033CC1
SHA1:	9A3C45C04A77695073A5109D5D4F51580E5F7E00
SHA-256:	1B7B043A50A9AB5C98B418BD7AC2B340ED15E648A84CFAA800910153852B8213
SHA-512:	ED224795701D1F11E0D3C1AF5FB9FE1E5FBA891E1AECA7B7619592D48FF48B7549760545841C6A3FEF03CF7F6D8F44C1FDE7836F8273E40B2BB2EB7BA16AC7A2
Malicious:	false
Preview:	2024/11/12-13:29:57.275 2360 Creating DB C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\shared_proto_db since it was missing..2024/11/12-13:29:57.788 2360 Reusing MANIFEST C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\shared_proto_db/MANIFEST-000001.

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\shared_proto_db\MANIFEST-000001

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\shared_proto_db\metadata\000001.dbtmp

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\shared_proto_db\metadata\000003.log

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	data
Category:	dropped
Size (bytes):	1048
Entropy (8bit):	3.9615038799955617
Encrypted:	false
SSDEEP:
MD5:	003824921E9D3F434CE16D95EDE81054
SHA1:	7C6B994B61777C9252CE6E9D9DF07DB22F4BDE96
SHA-256:	FF807771FC2FD78F4D335200B85A6CA17E3482BBF049CD8920A9F1935E8F16AA
SHA-512:	B400E964A588DC6475F19EC0CD0BCA4452CEEC61CF4D4EAEA0BA1200657BCDC4A3DB3438F13FE91468019319F8E2EAAEA8522E889C3F262009A32AB7D19EE674
Malicious:	false
Preview:	.h.6.................__global... .t...................__global... .y..H.................50_.....B....................33_.....zw.).................48_.....[....................41_..........................49_.......S.................32_.......5..................21_..........................44_.....'}2..................37_.......c..................38_......i...................39_......cZy.................50_.........................33_.......E..................48_.....1T...................41_.....V(.N.................49_.......x..................32_......Gt&.................21_.......p..................44_......@o..................37_.....n5._.................38_.....LZa..................39_.......LL.................20_..........................19_.......n..................9_.....TN...................3_.....{-%z.................4_.....L..D.................18_.....2}./.................20_......g.9... .............19_............!.............9_.....V..H...".............3_.....y......#.

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\shared_proto_db\metadata\CURRENT (copy)

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.2743974703476995
Encrypted:	false
SSDEEP:
MD5:	46295CAC801E5D4857D09837238A6394
SHA1:	44E0FA1B517DBF802B18FAF0785EEEA6AC51594B
SHA-256:	0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
SHA-512:	8969402593F927350E2CEB4B5BC2A277F3754697C1961E3D6237DA322257FBAB42909E1A742E22223447F3A4805F8D8EF525432A7C3515A549E984D3EFF72B23
Malicious:	false
Preview:	MANIFEST-000001.

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\shared_proto_db\metadata\LOG

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	313
Entropy (8bit):	5.156466496077878
Encrypted:	false
SSDEEP:
MD5:	B825DB72C4772BA6AB38852292DE5814
SHA1:	C8EDBBDA88E159D568B72F36308ED42346D23AC5
SHA-256:	9F52A51162249D72A470BC7D61B5734B06C2A1B0A333330ABAB30412AFD23A06
SHA-512:	9089890EC3969C7AE722DE6E0E1791D5AB83714A042608663336C085BBE76887EC5CDA9D8B49D98F17AC24B0D92EA81C7AA44C583D75DC8EA59709B55C40A8D3
Malicious:	false
Preview:	2024/11/12-13:29:56.730 2360 Creating DB C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\shared_proto_db\metadata since it was missing..2024/11/12-13:29:57.146 2360 Reusing MANIFEST C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\shared_proto_db\metadata/MANIFEST-000001.

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\shared_proto_db\metadata\MANIFEST-000001

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.704993772857998
Encrypted:	false
SSDEEP:
MD5:	5AF87DFD673BA2115E2FCF5CFDB727AB
SHA1:	D5B5BBF396DC291274584EF71F444F420B6056F1
SHA-256:	F9D31B278E215EB0D0E9CD709EDFA037E828F36214AB7906F612160FEAD4B2B4
SHA-512:	DE34583A7DBAFE4DD0DC0601E8F6906B9BC6A00C56C9323561204F77ABBC0DC9007C480FFE4092FF2F194D54616CAF50AECBD4A1E9583CAE0C76AD6DD7C2375B
Malicious:	false
Preview:	.\|.."....leveldb.BytewiseComparator......

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Default\trusted_vault.pb (copy)

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	data
Category:	dropped
Size (bytes):	38
Entropy (8bit):	4.023471592049354
Encrypted:	false
SSDEEP:
MD5:	3433CCF3E03FC35B634CD0627833B0AD
SHA1:	789A43382E88905D6EB739ADA3A8BA8C479EDE02
SHA-256:	F7D5893372EDAA08377CB270A99842A9C758B447B7B57C52A7B1158C0C202E6D
SHA-512:	21A29F0EF89FEC310701DCAD191EA4AB670EDC0FC161496F7542F707B5B9CE619EB8B709A52073052B0F705D657E03A45BE7560C80909E92AE7D5939CE688E9C
Malicious:	false
Preview:	..... 2a68348c2ca0c50ad315d43d90f5a986

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\DeferredBrowserMetrics\BrowserMetrics-67339EA7-1914.pma (copy)

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	data
Category:	dropped
Size (bytes):	4194304
Entropy (8bit):	0.006074957759105921
Encrypted:	false
SSDEEP:
MD5:	F21C12F1F6485227DEC6F98A7F6A2DB1
SHA1:	4E23D45FFA53741E1C2A5A9202714349806A828A
SHA-256:	66DBFFDF54240971C86C9AB8B3D6555E193CB8FE5D5D75869D809D79AD78B210
SHA-512:	FA8E29702E5D822771D059CBA3DC7C99149C79A6FFBC8091F620504B9AB3680F722F0FC2FE0B912F44A116C9DEBE1549F105794B82D20824EA3CC9A0829C489B
Malicious:	false
Preview:	...@..@...@.....C.].....@...............`...................`... ...i.y.........BrowserMetrics......i.y..Yd.........A.......d...2......._.z.....Gy.7....................Gy.7....................UMA.PersistentAllocator.EarlyHistograms.BrowserMetrics......i.y.["......................................................................................................................... ..."...$...&...(...*...-...0...3...6...9...<...@...D...H...L...P...U...Z..._...d...............i.y..Yd........A...............`...v.0.....UV&K.k<................UV&K.k<................UMA.PersistentHistograms.InitResult.....8...i.y.[".................................................i.y.Pq.3....................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\GrShaderCache\data_0

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	data
Category:	dropped
Size (bytes):	45056
Entropy (8bit):	0.2506279305782656
Encrypted:	false
SSDEEP:
MD5:	BA840986C28E1551C2540EF58E624270
SHA1:	1DF2BC76EA386B8249B032A39B453072318FD817
SHA-256:	986727AFDB0232A7DA563F7C3E777428A8024FD1428486C0D3953ACFF121419A
SHA-512:	255B861E9CA7739512972BC880E8AB1A4DBD87A58D998A141CE02E53532D8CB0E1F32546360891A25A3C913562F3F8FB016E07FE8EF67ACC351C102160019F23
Malicious:	false
Preview:	............$...".......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\GrShaderCache\data_1

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	data
Category:	dropped
Size (bytes):	270336
Entropy (8bit):	0.45429167664008946
Encrypted:	false
SSDEEP:
MD5:	7BE6742559A4048D242A51C55887B739
SHA1:	891FC08EE5E3E41EE2C4F65191F7864D066067D1
SHA-256:	7D18E20F3DEFDDFB70EB4A5A98BC609D8DE093087F468CB3BF9E0732853A6507
SHA-512:	CA4C4EE188DE91BDE686ADD51080CB9CC5EE3CA9F4839904443D0CB9FCC4CED86319A76EEFC2D3373313332011342C4EC782AC45AE0AA1B3EED49F33053D1893
Malicious:	false
Preview:	................#.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\GrShaderCache\data_2

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.011852361981932763
Encrypted:	false
SSDEEP:
MD5:	0962291D6D367570BEE5454721C17E11
SHA1:	59D10A893EF321A706A9255176761366115BEDCB
SHA-256:	EC1702806F4CC7C42A82FC2B38E89835FDE7C64BB32060E0823C9077CA92EFB7
SHA-512:	F555E961B69E09628EAF9C61F465871E6984CD4D31014F954BB747351DAD9CEA6D17C1DB4BCA2C1EB7F187CB5F3C0518748C339C8B43BBD1DBD94AEAA16F58ED
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\GrShaderCache\data_3

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	data
Category:	dropped
Size (bytes):	4202496
Entropy (8bit):	0.5714124858123018
Encrypted:	false
SSDEEP:
MD5:	18EF2291F198320D907B97359F7A9E6E
SHA1:	89ADDF8D2404042277E96845494A43C87756C859
SHA-256:	48CB7DA25D1D129BE2438E20E73F2A67549DF07EF652D4F9893F07D162A7A897
SHA-512:	F76EEB4905E10EC033368790A2E9F84F47FFE453AD64B527C36E73F2EB29DCED9A56D609263E7CFC2F857CD95AB8A006E5DDD99F7E240223AB2D2D40C66C6475
Malicious:	false
Preview:	...................................................................................ww..7....www.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\GrShaderCache\f_000001

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	data
Category:	dropped
Size (bytes):	16696
Entropy (8bit):	4.72091580950855
Encrypted:	false
SSDEEP:
MD5:	155449E39B65114E7A0C0C65E9F1A953
SHA1:	34F071F415FACA61711474D573C7FA51F93E70AE
SHA-256:	98BE44B960ADC3B6F4EB02BD4E22A1D11EFEBA82C4CFAD17EDE371C298501500
SHA-512:	42121A3EC4851D1A7F8CAE0F87A4A8454EEF2507BA74ABDA0ABB3AA54ADDF2212BB859F1C96B4BEA974577466644C1E2E6CA9568873E542DC98771DC6D990EF3
Malicious:	false
Preview:	....BPLG........"A..6fe6c9a5e90d45b3....d...d.......ANGLE (Intel, Intel(R) UHD Graphics 630 (0x00003E98) Direct3D11 vs_5_0 ps_5_0, D3D11-27.20.100.9415)........................................................................................................................................................................,...............,.......................radii_selector........_uradii_selectorR.......................corner_and_radius_outsets........_ucorner_and_radius_outsetsR.......................aa_bloat_and_coverage........_uaa_bloat_and_coverageR.......................radii_x........_uradii_xR.......................radii_y........_uradii_yR.......................skew........_uskewR.......................translate_and_localrotate........_utranslate_and_localrotateP.......................color........_ucolorR..........................................................................................sk_RTAdjust........_usk_RTAdjust....................................................

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\GrShaderCache\f_000002

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	data
Category:	dropped
Size (bytes):	17680
Entropy (8bit):	4.6751618249801306
Encrypted:	false
SSDEEP:
MD5:	2FC191F7F43008A1F81553BF90857504
SHA1:	D8FD39D45D3F98B8A1468113E3594C1D258A1C5C
SHA-256:	21859C25EA3D202AE112F940F1665EF18D369AD56514ED6121C3FAA132706C47
SHA-512:	038FB34F0C005F98D9E35CE9451B99538C093BF247D01680705BC1C0DC90BC6C495846119613C4F1C63B2A0BE1012D9211780F00DE2A5FF544CB425734A7F052
Malicious:	false
Preview:	....BPLG.........D..6fe6c9a5e90d45b3....d...d.......ANGLE (Intel, Intel(R) UHD Graphics 630 (0x00003E98) Direct3D11 vs_5_0 ps_5_0, D3D11-27.20.100.9415)........................................................................................................................................................................,...............,.......................inPosition........_uinPositionP.......................inCoverage........_uinCoverage...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\GrShaderCache\f_000003

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	data
Category:	dropped
Size (bytes):	19116
Entropy (8bit):	4.721829839519717
Encrypted:	false
SSDEEP:
MD5:	E6A7FD08F9B2B434920FA62BE1EBEFB5
SHA1:	A1E2C14888B53F6D36001995F00EA2B114BDF874
SHA-256:	A7644B6DBB091373AF0E2FE29645D6BDBC023CE954327F1DB677F10D666C1BD8
SHA-512:	63C63FB9458F5AF80E50AA01EAA34F088A6AC436332181C69C3F5946E66BE38C6FE3DB1FCB22792CF0B93B14D833810C48FE0F7AD6E1FC1368B220157B4EFA91
Malicious:	false
Preview:	....BPLG.........J..6fe6c9a5e90d45b3....d...d.......ANGLE (Intel, Intel(R) UHD Graphics 630 (0x00003E98) Direct3D11 vs_5_0 ps_5_0, D3D11-27.20.100.9415)........................................................................................................................................................................,...............,.......................inPosition........_uinPositionP.......................inColor........_uinColorR.......................inTextureCoords........_uinTextureCoords.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\GrShaderCache\index

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	FoxPro FPT, blocks size 768, next free block index 3284796353, field type 0
Category:	dropped
Size (bytes):	262512
Entropy (8bit):	9.553120663130604E-4
Encrypted:	false
SSDEEP:
MD5:	AE7E956DA2939B13363B5F45F5DC8164
SHA1:	772AD4DC54D3D9D88309E407B074F0C69888CE77
SHA-256:	C04559D83A8C7BE55A4F301E619BF9740172E56313E9BA42F004054E1A2BACEE
SHA-512:	6B7214BF784E8C449DB60FA1BC0FDB38C94651B0B7C6065A3D0EB2F5E1EE44E18AC147774D9C396564030B9A378CFFE2E139F676A7F2A4BF123DDBD99506985E
Malicious:	false
Preview:	.........................................h..Q./.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\GraphiteDawnCache\data_0

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	FoxPro FPT, blocks size 512, next free block index 3284796609, field type 0
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.01057775872642915
Encrypted:	false
SSDEEP:
MD5:	CF89D16BB9107C631DAABF0C0EE58EFB
SHA1:	3AE5D3A7CF1F94A56E42F9A58D90A0B9616AE74B
SHA-256:	D6A5FE39CD672781B256E0E3102F7022635F1D4BB7CFCC90A80FFFE4D0F3877E
SHA-512:	8CB5B059C8105EB91E74A7D5952437AAA1ADA89763C5843E7B0F1B93D9EBE15ED40F287C652229291FAC02D712CF7FF5ECECEF276BA0D7DDC35558A3EC3F77B0
Malicious:	false
Preview:	............$...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\GraphiteDawnCache\data_1

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	data
Category:	dropped
Size (bytes):	270336
Entropy (8bit):	8.280239615765425E-4
Encrypted:	false
SSDEEP:
MD5:	D0D388F3865D0523E451D6BA0BE34CC4
SHA1:	8571C6A52AACC2747C048E3419E5657B74612995
SHA-256:	902F30C1FB0597D0734BC34B979EC5D131F8F39A4B71B338083821216EC8D61B
SHA-512:	376011D00DE659EB6082A74E862CFAC97A9BB508E0B740761505142E2D24EC1C30AA61EFBC1C0DD08FF0F34734444DE7F77DD90A6CA42B48A4C7FAD5F0BDDD17
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\GraphiteDawnCache\data_2

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.011852361981932763
Encrypted:	false
SSDEEP:
MD5:	0962291D6D367570BEE5454721C17E11
SHA1:	59D10A893EF321A706A9255176761366115BEDCB
SHA-256:	EC1702806F4CC7C42A82FC2B38E89835FDE7C64BB32060E0823C9077CA92EFB7
SHA-512:	F555E961B69E09628EAF9C61F465871E6984CD4D31014F954BB747351DAD9CEA6D17C1DB4BCA2C1EB7F187CB5F3C0518748C339C8B43BBD1DBD94AEAA16F58ED
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\GraphiteDawnCache\data_3

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.012340643231932763
Encrypted:	false
SSDEEP:
MD5:	41876349CB12D6DB992F1309F22DF3F0
SHA1:	5CF26B3420FC0302CD0A71E8D029739B8765BE27
SHA-256:	E09F42C398D688DCE168570291F1F92D079987DEDA3099A34ADB9E8C0522B30C
SHA-512:	E9A4FC1F7CB6AE2901F8E02354A92C4AAA7A53C640DCF692DB42A27A5ACC2A3BFB25A0DE0EB08AB53983132016E7D43132EA4292E439BB636AAFD53FB6EF907E
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\GraphiteDawnCache\index

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	FoxPro FPT, blocks size 768, next free block index 3284796353, field type 0
Category:	dropped
Size (bytes):	262512
Entropy (8bit):	9.47693366977411E-4
Encrypted:	false
SSDEEP:
MD5:	5B76F11E6942986A3D6FFB62C3060A3C
SHA1:	31AD8CB310AB7C1460CCD5ED957AF15D12FE2324
SHA-256:	D9BD8D4D3FF0088153B33CC937D4094FA0FE39561362145BF3499E0556C56499
SHA-512:	6BBA2DFB19AFE9A9B4E8606D5D1641BCDBD1A2A6A76A0633152836BD248966938BC3CF06CD302B247484F2940105A17D8A439ABA978D3FB4B6A5646D53897B40
Malicious:	false
Preview:	............................................Q./.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Last Browser

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	data
Category:	dropped
Size (bytes):	150
Entropy (8bit):	3.0972865117126833
Encrypted:	false
SSDEEP:
MD5:	D69FCF0BD73E0484E01346D2477CCD25
SHA1:	299E5D398639F49D5FC60D65B72FB69786571506
SHA-256:	1FD9F12139BA7F09B3FF97C3AC193424E83481475B1506D20ACAA72819859FC7
SHA-512:	8ED8FA8D6F650A5A662FD4D7999F8B79C48C6000F5FE49A48CD8F9D247C273C802BEC39A95AAA3B5358B8BB163F06A9A9B799FD7579204823935F83FCCA8DB31
Malicious:	false
Preview:	C.:.\.U.s.e.r.s.\.A.r.t.h.u.r.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.O.n.e.S.t.a.r.t...a.i.\.O.n.e.S.t.a.r.t.\.A.p.p.l.i.c.a.t.i.o.n.\.o.n.e.s.t.a.r.t...e.x.e.

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Last Version

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	14
Entropy (8bit):	2.8423709931771093
Encrypted:	false
SSDEEP:
MD5:	79FF5A3D87F652E1AB0658C6A684A10D
SHA1:	DA689018E135A7D13CD4695FBF44560D58480793
SHA-256:	857E0822E78130C7C4BD78937BC33EDAC69671D255944F17C9C1A6AD36BC9EDD
SHA-512:	A38B67418BCFEC584DBAF2469564E0E7E156F00FCDF93C7D2923258C7CA1C1D6C7D7C5BECC9FACB033F6E5D54EAA2B0795C02D4B761D37364A18E2F387D28D72
Malicious:	false
Preview:	128.0.6613.124

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Local State (copy)

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	847
Entropy (8bit):	5.66140215321506
Encrypted:	false
SSDEEP:
MD5:	EC10E54723ABD97A68976E788CDEC3C4
SHA1:	4EE255BB8182EB90396980D4E8FEB674AEF8063A
SHA-256:	94E235EB94F2CD1527C8512EB02FE98284B12359174EEACC01CD6E1CC3AD39B2
SHA-512:	1DF12BBC334854B7001348B2FCF846E417FFF79B5351C4E01755B30A555E179993D695A217FDF11E670062AC2EC351A794D0AA589C7463EE6DBAF4DE495B1C83
Malicious:	false
Preview:	{"background_tracing":{"session_state":{"privacy_filter":true,"state":0}},"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAAA6vxecm76BQJWKOsxqFV2AEAAAABIAAABPAG4AZQBTAHQAYQByAHQAAAAQZgAAAAEAACAAAAAWx9yjBoYOqSygDGsaITTZQunZedqU0HzyKkjvBQUQHAAAAAAOgAAAAAIAACAAAADlsblOoGehQSJgBx2IMu0SmjROOsRghHcaznydx24tDjAAAADnETdKKL4VzmAOxmNJtXHxQlRQsjbmMIGGR1JBMZXxCSfklja4rQ0ABk0FnqfBOxxAAAAAjp4rCHCcdoEKNeSWQO3QtcXVU2pOGRZjJXBps464SqFgtO+cjOOrfdb7DSOgA/hsvpEY29Hae4iqIfoVaOgrOg=="},"uninstall_metrics":{"installation_date2":"1731436195"},"user_experience_metrics":{"limited_entropy_randomization_source":"DBC6BFE2ECE69C7E01D6283A97F1D763","low_entropy_source3":6974,"pseudo_low_entropy_source":3767,"stability":{"browser_last_live_timestamp":"13375909795081666"}},"variations_limited_entropy_synthetic_trial_seed_v2":"84"}

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Local State~RF7abca7.TMP (copy)

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	847
Entropy (8bit):	5.66140215321506
Encrypted:	false
SSDEEP:
MD5:	EC10E54723ABD97A68976E788CDEC3C4
SHA1:	4EE255BB8182EB90396980D4E8FEB674AEF8063A
SHA-256:	94E235EB94F2CD1527C8512EB02FE98284B12359174EEACC01CD6E1CC3AD39B2
SHA-512:	1DF12BBC334854B7001348B2FCF846E417FFF79B5351C4E01755B30A555E179993D695A217FDF11E670062AC2EC351A794D0AA589C7463EE6DBAF4DE495B1C83
Malicious:	false
Preview:	{"background_tracing":{"session_state":{"privacy_filter":true,"state":0}},"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAAA6vxecm76BQJWKOsxqFV2AEAAAABIAAABPAG4AZQBTAHQAYQByAHQAAAAQZgAAAAEAACAAAAAWx9yjBoYOqSygDGsaITTZQunZedqU0HzyKkjvBQUQHAAAAAAOgAAAAAIAACAAAADlsblOoGehQSJgBx2IMu0SmjROOsRghHcaznydx24tDjAAAADnETdKKL4VzmAOxmNJtXHxQlRQsjbmMIGGR1JBMZXxCSfklja4rQ0ABk0FnqfBOxxAAAAAjp4rCHCcdoEKNeSWQO3QtcXVU2pOGRZjJXBps464SqFgtO+cjOOrfdb7DSOgA/hsvpEY29Hae4iqIfoVaOgrOg=="},"uninstall_metrics":{"installation_date2":"1731436195"},"user_experience_metrics":{"limited_entropy_randomization_source":"DBC6BFE2ECE69C7E01D6283A97F1D763","low_entropy_source3":6974,"pseudo_low_entropy_source":3767,"stability":{"browser_last_live_timestamp":"13375909795081666"}},"variations_limited_entropy_synthetic_trial_seed_v2":"84"}

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Local State~RF7ae3a7.TMP (copy)

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	847
Entropy (8bit):	5.66140215321506
Encrypted:	false
SSDEEP:
MD5:	EC10E54723ABD97A68976E788CDEC3C4
SHA1:	4EE255BB8182EB90396980D4E8FEB674AEF8063A
SHA-256:	94E235EB94F2CD1527C8512EB02FE98284B12359174EEACC01CD6E1CC3AD39B2
SHA-512:	1DF12BBC334854B7001348B2FCF846E417FFF79B5351C4E01755B30A555E179993D695A217FDF11E670062AC2EC351A794D0AA589C7463EE6DBAF4DE495B1C83
Malicious:	false
Preview:	{"background_tracing":{"session_state":{"privacy_filter":true,"state":0}},"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAAA6vxecm76BQJWKOsxqFV2AEAAAABIAAABPAG4AZQBTAHQAYQByAHQAAAAQZgAAAAEAACAAAAAWx9yjBoYOqSygDGsaITTZQunZedqU0HzyKkjvBQUQHAAAAAAOgAAAAAIAACAAAADlsblOoGehQSJgBx2IMu0SmjROOsRghHcaznydx24tDjAAAADnETdKKL4VzmAOxmNJtXHxQlRQsjbmMIGGR1JBMZXxCSfklja4rQ0ABk0FnqfBOxxAAAAAjp4rCHCcdoEKNeSWQO3QtcXVU2pOGRZjJXBps464SqFgtO+cjOOrfdb7DSOgA/hsvpEY29Hae4iqIfoVaOgrOg=="},"uninstall_metrics":{"installation_date2":"1731436195"},"user_experience_metrics":{"limited_entropy_randomization_source":"DBC6BFE2ECE69C7E01D6283A97F1D763","low_entropy_source3":6974,"pseudo_low_entropy_source":3767,"stability":{"browser_last_live_timestamp":"13375909795081666"}},"variations_limited_entropy_synthetic_trial_seed_v2":"84"}

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Local State~RF7b0e61.TMP (copy)

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	847
Entropy (8bit):	5.66140215321506
Encrypted:	false
SSDEEP:
MD5:	EC10E54723ABD97A68976E788CDEC3C4
SHA1:	4EE255BB8182EB90396980D4E8FEB674AEF8063A
SHA-256:	94E235EB94F2CD1527C8512EB02FE98284B12359174EEACC01CD6E1CC3AD39B2
SHA-512:	1DF12BBC334854B7001348B2FCF846E417FFF79B5351C4E01755B30A555E179993D695A217FDF11E670062AC2EC351A794D0AA589C7463EE6DBAF4DE495B1C83
Malicious:	false
Preview:	{"background_tracing":{"session_state":{"privacy_filter":true,"state":0}},"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAAA6vxecm76BQJWKOsxqFV2AEAAAABIAAABPAG4AZQBTAHQAYQByAHQAAAAQZgAAAAEAACAAAAAWx9yjBoYOqSygDGsaITTZQunZedqU0HzyKkjvBQUQHAAAAAAOgAAAAAIAACAAAADlsblOoGehQSJgBx2IMu0SmjROOsRghHcaznydx24tDjAAAADnETdKKL4VzmAOxmNJtXHxQlRQsjbmMIGGR1JBMZXxCSfklja4rQ0ABk0FnqfBOxxAAAAAjp4rCHCcdoEKNeSWQO3QtcXVU2pOGRZjJXBps464SqFgtO+cjOOrfdb7DSOgA/hsvpEY29Hae4iqIfoVaOgrOg=="},"uninstall_metrics":{"installation_date2":"1731436195"},"user_experience_metrics":{"limited_entropy_randomization_source":"DBC6BFE2ECE69C7E01D6283A97F1D763","low_entropy_source3":6974,"pseudo_low_entropy_source":3767,"stability":{"browser_last_live_timestamp":"13375909795081666"}},"variations_limited_entropy_synthetic_trial_seed_v2":"84"}

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Local State~RF7b4678.TMP (copy)

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	847
Entropy (8bit):	5.66140215321506
Encrypted:	false
SSDEEP:
MD5:	EC10E54723ABD97A68976E788CDEC3C4
SHA1:	4EE255BB8182EB90396980D4E8FEB674AEF8063A
SHA-256:	94E235EB94F2CD1527C8512EB02FE98284B12359174EEACC01CD6E1CC3AD39B2
SHA-512:	1DF12BBC334854B7001348B2FCF846E417FFF79B5351C4E01755B30A555E179993D695A217FDF11E670062AC2EC351A794D0AA589C7463EE6DBAF4DE495B1C83
Malicious:	false
Preview:	{"background_tracing":{"session_state":{"privacy_filter":true,"state":0}},"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAAA6vxecm76BQJWKOsxqFV2AEAAAABIAAABPAG4AZQBTAHQAYQByAHQAAAAQZgAAAAEAACAAAAAWx9yjBoYOqSygDGsaITTZQunZedqU0HzyKkjvBQUQHAAAAAAOgAAAAAIAACAAAADlsblOoGehQSJgBx2IMu0SmjROOsRghHcaznydx24tDjAAAADnETdKKL4VzmAOxmNJtXHxQlRQsjbmMIGGR1JBMZXxCSfklja4rQ0ABk0FnqfBOxxAAAAAjp4rCHCcdoEKNeSWQO3QtcXVU2pOGRZjJXBps464SqFgtO+cjOOrfdb7DSOgA/hsvpEY29Hae4iqIfoVaOgrOg=="},"uninstall_metrics":{"installation_date2":"1731436195"},"user_experience_metrics":{"limited_entropy_randomization_source":"DBC6BFE2ECE69C7E01D6283A97F1D763","low_entropy_source3":6974,"pseudo_low_entropy_source":3767,"stability":{"browser_last_live_timestamp":"13375909795081666"}},"variations_limited_entropy_synthetic_trial_seed_v2":"84"}

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\ShaderCache\data_0

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	FoxPro FPT, blocks size 512, next free block index 3284796609, field type 0
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.01057775872642915
Encrypted:	false
SSDEEP:
MD5:	CF89D16BB9107C631DAABF0C0EE58EFB
SHA1:	3AE5D3A7CF1F94A56E42F9A58D90A0B9616AE74B
SHA-256:	D6A5FE39CD672781B256E0E3102F7022635F1D4BB7CFCC90A80FFFE4D0F3877E
SHA-512:	8CB5B059C8105EB91E74A7D5952437AAA1ADA89763C5843E7B0F1B93D9EBE15ED40F287C652229291FAC02D712CF7FF5ECECEF276BA0D7DDC35558A3EC3F77B0
Malicious:	false
Preview:	............$...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\ShaderCache\data_1

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	data
Category:	dropped
Size (bytes):	270336
Entropy (8bit):	8.280239615765425E-4
Encrypted:	false
SSDEEP:
MD5:	D0D388F3865D0523E451D6BA0BE34CC4
SHA1:	8571C6A52AACC2747C048E3419E5657B74612995
SHA-256:	902F30C1FB0597D0734BC34B979EC5D131F8F39A4B71B338083821216EC8D61B
SHA-512:	376011D00DE659EB6082A74E862CFAC97A9BB508E0B740761505142E2D24EC1C30AA61EFBC1C0DD08FF0F34734444DE7F77DD90A6CA42B48A4C7FAD5F0BDDD17
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\ShaderCache\data_2

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.011852361981932763
Encrypted:	false
SSDEEP:
MD5:	0962291D6D367570BEE5454721C17E11
SHA1:	59D10A893EF321A706A9255176761366115BEDCB
SHA-256:	EC1702806F4CC7C42A82FC2B38E89835FDE7C64BB32060E0823C9077CA92EFB7
SHA-512:	F555E961B69E09628EAF9C61F465871E6984CD4D31014F954BB747351DAD9CEA6D17C1DB4BCA2C1EB7F187CB5F3C0518748C339C8B43BBD1DBD94AEAA16F58ED
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\ShaderCache\data_3

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.012340643231932763
Encrypted:	false
SSDEEP:
MD5:	41876349CB12D6DB992F1309F22DF3F0
SHA1:	5CF26B3420FC0302CD0A71E8D029739B8765BE27
SHA-256:	E09F42C398D688DCE168570291F1F92D079987DEDA3099A34ADB9E8C0522B30C
SHA-512:	E9A4FC1F7CB6AE2901F8E02354A92C4AAA7A53C640DCF692DB42A27A5ACC2A3BFB25A0DE0EB08AB53983132016E7D43132EA4292E439BB636AAFD53FB6EF907E
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\ShaderCache\index

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	FoxPro FPT, blocks size 768, next free block index 3284796353, field type 0
Category:	dropped
Size (bytes):	262512
Entropy (8bit):	9.553120663130604E-4
Encrypted:	false
SSDEEP:
MD5:	AE74693F91774B36EA780DFAE4CD0398
SHA1:	1D902362540CD9AED8A2079FEDAAE05B4E99FD7B
SHA-256:	228FC835B7B10046CF1FEE2BF48C5D7C3CBE0CF3E9F4CA0EB676E257FD46FC55
SHA-512:	B5B09D1BCB927BDEE3E9F4D21AB0549EAB53CDBFAA9F6AA01DC686DE05C8E6D1E484F3E6D6538B008C2E3F017B6313965EF3E363CA429A16989B5863FC4E8E97
Malicious:	false
Preview:	........................................r..Q./.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Variations

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	86
Entropy (8bit):	4.3751917412896075
Encrypted:	false
SSDEEP:
MD5:	961E3604F228B0D10541EBF921500C86
SHA1:	6E00570D9F78D9CFEBE67D4DA5EFE546543949A7
SHA-256:	F7B24F2EB3D5EB0550527490395D2F61C3D2FE74BB9CB345197DAD81B58B5FED
SHA-512:	535F930AFD2EF50282715C7E48859CC2D7B354FF4E6C156B94D5A2815F589B33189FFEDFCAF4456525283E993087F9F560D84CFCF497D189AB8101510A09C472
Malicious:	false
Preview:	{"user_experience_metrics.stability.exited_cleanly":false,"variations_crash_streak":0}

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\c49d7a0f-f187-4a79-bcb9-7d1e732471ca.tmp

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1157
Entropy (8bit):	5.632144947163551
Encrypted:	false
SSDEEP:
MD5:	93CC58A61E02F0C435235190B6D23851
SHA1:	A260C5E5E7C688F6E34A83EED97F61E9B3605C51
SHA-256:	7BCB5620D40E90BA8BCAE9CF9250EA7F8D0F7D6089D92A494554836EAB7CC187
SHA-512:	BD2FFAB807CAABCB97113948A643D6349193DBFCAAFDCA8385EC38B66B6C07BE088EBDC216CD9269C024F47ECA534AD6FA1A2CCAA5505B92B7B8D5B5ADB26053
Malicious:	false
Preview:	{"background_tracing":{"session_state":{"privacy_filter":true,"state":0}},"legacy":{"profile":{"name":{"migrated":true}}},"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAAA6vxecm76BQJWKOsxqFV2AEAAAABIAAABPAG4AZQBTAHQAYQByAHQAAAAQZgAAAAEAACAAAAAWx9yjBoYOqSygDGsaITTZQunZedqU0HzyKkjvBQUQHAAAAAAOgAAAAAIAACAAAADlsblOoGehQSJgBx2IMu0SmjROOsRghHcaznydx24tDjAAAADnETdKKL4VzmAOxmNJtXHxQlRQsjbmMIGGR1JBMZXxCSfklja4rQ0ABk0FnqfBOxxAAAAAjp4rCHCcdoEKNeSWQO3QtcXVU2pOGRZjJXBps464SqFgtO+cjOOrfdb7DSOgA/hsvpEY29Hae4iqIfoVaOgrOg=="},"privacy_budget":{"meta_experiment_activation_salt":0.8636587688786131},"profile":{"info_cache":{},"profile_counts_reported":"13375909795223421","profiles_order":[]},"uninstall_metrics":{"installation_date2":"1731436195"},"user_experience_metrics":{"limited_entropy_randomization_source":"DBC6BFE2ECE69C7E01D6283A97F1D763","low_entropy_source3":6974,"pseudo_low_entropy_source":3767,"stability":{"browser_last_live_timestamp":"13375909795081666"

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\component_crx_cache\oimompecagnajdejgnnjijobebaeigek_1.567f5df81ea0c9bdcfb7221f0ea091893150f8c16e3012e4f0314ba3d43f1632 (copy)

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	Google Chrome extension, version 3
Category:	dropped
Size (bytes):	14507539
Entropy (8bit):	7.999857010958995
Encrypted:	true
SSDEEP:
MD5:	3DB950B4014A955D2142621AAEECD826
SHA1:	C2B728B05BC34B43D82379AC4CE6BDAE77D27C51
SHA-256:	567F5DF81EA0C9BDCFB7221F0EA091893150F8C16E3012E4F0314BA3D43F1632
SHA-512:	03105DCF804E4713B6ED7C281AD0343AC6D6EB2AED57A897C6A09515A8C7F3E06B344563E224365DC9159CFD8ED3EF665D6AEC18CC07AAAD66EED0DC4957DDE3
Malicious:	false
Preview:	Cr24..............0.."0....H.............0...........\7c.<........Fto.8.2'5..qk...%....2...C.F.9.#..e.xQ.......[...L\|....3>/....u.:T.7...(.yM...?V.<?........1.a...O?d.....A.H..'.MpB..T.m..Vn Ip..>k.\|1..n.<Fb..f..Q1.....s..2..{.6....Pp....obM..1.......b1.......(.u^.'z......v.F.W.X4."-eu...b.........d.x.,.......o.6.......\|..gn{F..d.."....L.....!_qC/..#......E.Z..tA....s..=...6.%@..K(.v...D.v.z..ZO$...v.,....m.V?;'...e.ajM.@1.`..Fa.}......g.C.5...+.9...F\|.b.nY.K....p..z...E.....\|...Q..Gt.<....[.")nt+.....sw.i.`c.m}.....p.p..2:. .{..N.......0..0....H............0............<.bi.......'o..h...ZD..".^.`...........zG(.....d..,.t<...ZD..g._wI.5.-..g.).._......:.P.......B..4S....$..d...............E^.A...L.>F...E.A./VpY<.O3.....!.+Pv....6.a.r..?n.L .....s...V.^..x\.T.J...5...%aGe.0"}.QGc......T.Ljh.2..k.t.ym.....H..?.y....[0Y0....H.=....*.H.=....B..............r...2..+Y.I...k..bR.j5Sl..8.......H"i.-l..`.Q.{...G0E.!.......t.>g'=>.o.k....{..

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\e53ea2d9-aa77-4c14-85e5-555ef2b6f6a6.tmp

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3540
Entropy (8bit):	5.3864018413699055
Encrypted:	false
SSDEEP:
MD5:	4C049967B0D08CF290448FE0B2779895
SHA1:	2C99E4957DBDAEA3BE2DAAF42E2882DB968EB1AB
SHA-256:	58110CB1014FC8339E48BA0B0C02B12F9E83FD0542AD730E312E56BF46A960FA
SHA-512:	0D391A8B94A48113B716A2C4BA1F5B8F315DF103DA14487761262DA7A01592378D0B6CCC30F9E0CD2B91A51DAE29E63AD1FEFBAC5DCA647776272DAF24637623
Malicious:	false
Preview:	{"autofill":{"ablation_seed":"Y2zO35uayqM="},"background_mode":{"enabled":true},"background_tracing":{"session_state":{"privacy_filter":true,"state":0}},"breadcrumbs":{"enabled":false,"enabled_time":"13375909795512130"},"browser":{"first_run_finished":true},"check_updates_on_startup":{"enabled":true},"hardware_acceleration_mode_previous":true,"keep_app_up_to_date":{"enabled":true},"launch_browser_on_startup":{"enabled":true},"launch_browser_on_wake":{"enabled":true},"launch_dock_on_startup":{"enabled":true},"legacy":{"profile":{"name":{"migrated":true}}},"local":{"password_hash_data_list":[]},"management":{"platform":{"azure_active_directory":0,"enterprise_mdm_win":0}},"optimization_guide":{"model_store_metadata":{}},"os_crypt":{"audit_enabled":true,"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAAA6vxecm76BQJWKOsxqFV2AEAAAABIAAABPAG4AZQBTAHQAYQByAHQAAAAQZgAAAAEAACAAAAAWx9yjBoYOqSygDGsaITTZQunZedqU0HzyKkjvBQUQHAAAAAAOgAAAAAIAACAAAADlsblOoGehQSJgBx2IMu0SmjROOsRghHcaznydx24tDjAAAAD

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\first_party_sets.db

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	SQLite 3.x database, last written using SQLite version 3045002, file counter 1, database pages 12, cookie 0xa, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.5160159945805083
Encrypted:	false
SSDEEP:
MD5:	E52D9864A92D73CABB391DF745E79D60
SHA1:	ACCA54C8968C914D08821D88B3EF925AD084F8E3
SHA-256:	72294439EA999709AE9574292116846BF946D640FDE793E49DEEC4A2B3A23BB9
SHA-512:	FE4ED62A668EE3BE1A9208E9D17A9B57B784C8F63ED47B6DA6282DE71C8415788B65A869F5938C3BD18AD945AE49FEB32E45D38059B17F00296F8AB2330A2065
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................v.......\..g.................C.\......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\segmentation_platform\ukm_db

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	SQLite 3.x database, last written using SQLite version 3045002, file counter 11, database pages 12, cookie 0xb, schema 4, UTF-8, version-valid-for 11
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.37323556012560016
Encrypted:	false
SSDEEP:
MD5:	42EB168DADB65F1AC131D6E678182F3F
SHA1:	004347069BF5FEC235A546BE1720EEFE12B16F2C
SHA-256:	E04BD28B7A9AFA16B8A696E811E8A085AD3CC7D6FCC67AB48B4CB4D5CA656089
SHA-512:	BC7BB1E558B429C6294558CDAF51926794EA04F4940E4564CDC0B56EC237EE047E232F82B360C24A8CF945CF50B522FA879A39C70AB04C69A9BE8916F9831962
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................v.......<..........x.....j.....<......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\segmentation_platform\ukm_db-journal

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	data
Category:	dropped
Size (bytes):	21032
Entropy (8bit):	0.027220743097499663
Encrypted:	false
SSDEEP:
MD5:	EC0FDA7CD323CF3961B69835D3A64030
SHA1:	3FBCA90B1EA7893560B7DB358944404B4D99CD5F
SHA-256:	615A9BF54DD68332A4C930AE87CDFAA1A2BBE819764F78AFBF35676BE117D3DC
SHA-512:	5AED4E7106246A16AAFCE63A9C24DEC82311B08447033906E87AAAC4FA5E52B9CB0D71AC05CAC93A345D0C66852C9AF97B2BF893704C47181499AD9D661AB5CF
Malicious:	false
Preview:	............F..(........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\0b8ded05-1ee4-4921-a79f-f0289f96f3b5.tmp

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	Google Chrome extension, version 3
Category:	dropped
Size (bytes):	675649
Entropy (8bit):	7.939926429650404
Encrypted:	false
SSDEEP:
MD5:	A87FB3BC36E1CEBA7526EB8C25892D53
SHA1:	F6D4B07A784893E34CD7DAF4549870DFE968F1E8
SHA-256:	D13D98F05244220CBF3C0EB23D628D952F6D5282D3D67E404F9300B4DCFFE669
SHA-512:	5D0F54BF0B33331250CFBE6C618A422A6408C0ED3165D93FAFB2119E6CD943DB16C45F171EA770532CC43523DCF440BE07DF4A578068D1F3BAF2DF3E37574928
Malicious:	false
Preview:	Cr24....E.........0.."0....H.............0............>...{]...dq....C....u...b......8....CZ7.. p..ys i.V.0.:7Z.vV\|...~.`..]...~.w.4.....K..B..$..u.@.Y.....g..N.....&.....,.....g.F.-f.I...)MW..Xj..=.yy....J...~..8}^.8.B.......kh.N._w>+.aE.q.S. .U.E'J.....y`H.e.%...a.ta.L:.)...Md,ma....a.A..............".@.......!.@...v...{.....}..D.kX.`5o.&..c.L.....bI.7..\,cw.#.nb...a.B.%.._...2./...2......'+..,....D..Z.d%....f[.`-..E.........~~{...a........v.........L..9n(.d.0.....eqk+...tt...4.F{....L.$.6..Q4.t...<....n..k.....TH.$.f......F`..A$L.....?.......lx.um........<.PK..-.....UJlY.ZAKk...........manifest.json....................mR.j.0.=....>..4.V....].;...WM..v..n0....m.[.......Fi.....O0Z..x..."qEb.\|..}].....:!...d:...=#K.#...i<.`3.../"#..xd...le.T...O.Rsr.......P.m7Ji.@...a.r...v...\|..6.....oB.-.....:.....W\|.Vo7.8g....@.>.j..E.....-...0..>._)%...l>..H.8.y....6.M..^...:~6R.}...#t..*..w.s..m.0..Q..o'M...iN.Ln...Jg>...n6;..............!.0.I.... ..5...x.B[.

C:\Users\user\AppData\Local\Temp\4b2e4fe6-8e45-4775-96fb-94396cb60b32.tmp

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:
MD5:	5058F1AF8388633F609CADB75A75DC9D
SHA1:	3A52CE780950D4D969792A2559CD519D7EE8C727
SHA-256:	CDB4EE2AEA69CC6A83331BBE96DC2CAA9A299D21329EFB0336FC02A82E1839A8
SHA-512:	0B61241D7C17BCBB1BAEE7094D14B7C451EFECC7FFCBD92598A0F13D313CC9EBC2A07E61F007BAF58FBF94FF9A8695BDD5CAE7CE03BBF1E94E93613A00F25F21
Malicious:	false
Preview:	.

C:\Users\user\AppData\Local\Temp\MSIC904.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1021792
Entropy (8bit):	6.608380087035959
Encrypted:	false
SSDEEP:
MD5:	EC6EBF65FE4F361A73E473F46730E05C
SHA1:	01F946DFBF773F977AF5ADE7C27FFFC7FE311149
SHA-256:	D3614D7BECE53E0D408E31DA7D9B0FF2F7285A7DD544C778847ED0C5DED5D52F
SHA-512:	E4D7AAFA75D07A3071D2739D18B4C2B0A3798F754B339C349DB9A6004D031BF02F3970B030CEC4A5F55B4C19F03794B0CE186A303D936C222E7E6E8726FFFFF7
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......ia.p-..#-..#-..#].."!..#].."...#=..":..#=.."<..#=.."b..#].."7..#]..",..#].."...#-..#...#e.."T..#e..",..#e..#,..#-.g#,..#e..",..#Rich-..#........................PE..L...l..f.........."!...).....`............... ......................................Di....@A............................L...,...@....................Z..`=......h....K..p....................L...... K..@............ ...............................text...Z........................... ..`.rdata....... ......................@..@.data....(..........................@....fptable............................@....rsrc...............................@..@.reloc..h...........................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSICA1F.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1021792
Entropy (8bit):	6.608380087035959
Encrypted:	false
SSDEEP:
MD5:	EC6EBF65FE4F361A73E473F46730E05C
SHA1:	01F946DFBF773F977AF5ADE7C27FFFC7FE311149
SHA-256:	D3614D7BECE53E0D408E31DA7D9B0FF2F7285A7DD544C778847ED0C5DED5D52F
SHA-512:	E4D7AAFA75D07A3071D2739D18B4C2B0A3798F754B339C349DB9A6004D031BF02F3970B030CEC4A5F55B4C19F03794B0CE186A303D936C222E7E6E8726FFFFF7
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......ia.p-..#-..#-..#].."!..#].."...#=..":..#=.."<..#=.."b..#].."7..#]..",..#].."...#-..#...#e.."T..#e..",..#e..#,..#-.g#,..#e..",..#Rich-..#........................PE..L...l..f.........."!...).....`............... ......................................Di....@A............................L...,...@....................Z..`=......h....K..p....................L...... K..@............ ...............................text...Z........................... ..`.rdata....... ......................@..@.data....(..........................@....fptable............................@....rsrc...............................@..@.reloc..h...........................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSIE62D.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1021792
Entropy (8bit):	6.608380087035959
Encrypted:	false
SSDEEP:
MD5:	EC6EBF65FE4F361A73E473F46730E05C
SHA1:	01F946DFBF773F977AF5ADE7C27FFFC7FE311149
SHA-256:	D3614D7BECE53E0D408E31DA7D9B0FF2F7285A7DD544C778847ED0C5DED5D52F
SHA-512:	E4D7AAFA75D07A3071D2739D18B4C2B0A3798F754B339C349DB9A6004D031BF02F3970B030CEC4A5F55B4C19F03794B0CE186A303D936C222E7E6E8726FFFFF7
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......ia.p-..#-..#-..#].."!..#].."...#=..":..#=.."<..#=.."b..#].."7..#]..",..#].."...#-..#...#e.."T..#e..",..#e..#,..#-.g#,..#e..",..#Rich-..#........................PE..L...l..f.........."!...).....`............... ......................................Di....@A............................L...,...@....................Z..`=......h....K..p....................L...... K..@............ ...............................text...Z........................... ..`.rdata....... ......................@..@.data....(..........................@....fptable............................@....rsrc...............................@..@.reloc..h...........................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSIE6AB.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1021792
Entropy (8bit):	6.608380087035959
Encrypted:	false
SSDEEP:
MD5:	EC6EBF65FE4F361A73E473F46730E05C
SHA1:	01F946DFBF773F977AF5ADE7C27FFFC7FE311149
SHA-256:	D3614D7BECE53E0D408E31DA7D9B0FF2F7285A7DD544C778847ED0C5DED5D52F
SHA-512:	E4D7AAFA75D07A3071D2739D18B4C2B0A3798F754B339C349DB9A6004D031BF02F3970B030CEC4A5F55B4C19F03794B0CE186A303D936C222E7E6E8726FFFFF7
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......ia.p-..#-..#-..#].."!..#].."...#=..":..#=.."<..#=.."b..#].."7..#]..",..#].."...#-..#...#e.."T..#e..",..#e..#,..#-.g#,..#e..",..#Rich-..#........................PE..L...l..f.........."!...).....`............... ......................................Di....@A............................L...,...@....................Z..`=......h....K..p....................L...... K..@............ ...............................text...Z........................... ..`.rdata....... ......................@..@.data....(..........................@....fptable............................@....rsrc...............................@..@.reloc..h...........................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSIE719.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1021792
Entropy (8bit):	6.608380087035959
Encrypted:	false
SSDEEP:
MD5:	EC6EBF65FE4F361A73E473F46730E05C
SHA1:	01F946DFBF773F977AF5ADE7C27FFFC7FE311149
SHA-256:	D3614D7BECE53E0D408E31DA7D9B0FF2F7285A7DD544C778847ED0C5DED5D52F
SHA-512:	E4D7AAFA75D07A3071D2739D18B4C2B0A3798F754B339C349DB9A6004D031BF02F3970B030CEC4A5F55B4C19F03794B0CE186A303D936C222E7E6E8726FFFFF7
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......ia.p-..#-..#-..#].."!..#].."...#=..":..#=.."<..#=.."b..#].."7..#]..",..#].."...#-..#...#e.."T..#e..",..#e..#,..#-.g#,..#e..",..#Rich-..#........................PE..L...l..f.........."!...).....`............... ......................................Di....@A............................L...,...@....................Z..`=......h....K..p....................L...... K..@............ ...............................text...Z........................... ..`.rdata....... ......................@..@.data....(..........................@....fptable............................@....rsrc...............................@..@.reloc..h...........................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSIE768.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1021792
Entropy (8bit):	6.608380087035959
Encrypted:	false
SSDEEP:
MD5:	EC6EBF65FE4F361A73E473F46730E05C
SHA1:	01F946DFBF773F977AF5ADE7C27FFFC7FE311149
SHA-256:	D3614D7BECE53E0D408E31DA7D9B0FF2F7285A7DD544C778847ED0C5DED5D52F
SHA-512:	E4D7AAFA75D07A3071D2739D18B4C2B0A3798F754B339C349DB9A6004D031BF02F3970B030CEC4A5F55B4C19F03794B0CE186A303D936C222E7E6E8726FFFFF7
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......ia.p-..#-..#-..#].."!..#].."...#=..":..#=.."<..#=.."b..#].."7..#]..",..#].."...#-..#...#e.."T..#e..",..#e..#,..#-.g#,..#e..",..#Rich-..#........................PE..L...l..f.........."!...).....`............... ......................................Di....@A............................L...,...@....................Z..`=......h....K..p....................L...... K..@............ ...............................text...Z........................... ..`.rdata....... ......................@..@.data....(..........................@....fptable............................@....rsrc...............................@..@.reloc..h...........................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSIE7C7.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1021792
Entropy (8bit):	6.608380087035959
Encrypted:	false
SSDEEP:
MD5:	EC6EBF65FE4F361A73E473F46730E05C
SHA1:	01F946DFBF773F977AF5ADE7C27FFFC7FE311149
SHA-256:	D3614D7BECE53E0D408E31DA7D9B0FF2F7285A7DD544C778847ED0C5DED5D52F
SHA-512:	E4D7AAFA75D07A3071D2739D18B4C2B0A3798F754B339C349DB9A6004D031BF02F3970B030CEC4A5F55B4C19F03794B0CE186A303D936C222E7E6E8726FFFFF7
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......ia.p-..#-..#-..#].."!..#].."...#=..":..#=.."<..#=.."b..#].."7..#]..",..#].."...#-..#...#e.."T..#e..",..#e..#,..#-.g#,..#e..",..#Rich-..#........................PE..L...l..f.........."!...).....`............... ......................................Di....@A............................L...,...@....................Z..`=......h....K..p....................L...... K..@............ ...............................text...Z........................... ..`.rdata....... ......................@..@.data....(..........................@....fptable............................@....rsrc...............................@..@.reloc..h...........................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSIE816.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1201504
Entropy (8bit):	6.4558508565404535
Encrypted:	false
SSDEEP:
MD5:	03CC8828BB0E0105915B7695B1EC8D88
SHA1:	CBF8EC531EA7E3EE58B51BD642F8BFABDC759EE1
SHA-256:	0E1491AE7344F3A5EC824732648CCDDA19B271D6F01471793BF292840FC83B5E
SHA-512:	593A76166EB6CE2E3537B0D93E216DAEF12E4AB5B181A194B55A90B39A1AF2E0374C4EC3833A000530425319A003CD1A648489640FCCAF108061EBEA1D9CB1E7
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............@G..@G..@G.yCF..@G.yEF..@G.\|CF..@G.\|DF..@G.\|EF..@G.yDF..@G.yAF..@G..AG..@G.}IF..@G.}@F..@G.}.G..@G...G..@G.}BF..@GRich..@G........PE..L...v..f.........."!...).~..........Pq.......................................`............@A........................ ...t...............................`=.......l......p........................... ...@...............L............................text...J}.......~.................. ..`.rdata...;.......<..................@..@.data...............................@....fptable............................@....rsrc...............................@..@.reloc...l.......n..................@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSIE875.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1021792
Entropy (8bit):	6.608380087035959
Encrypted:	false
SSDEEP:
MD5:	EC6EBF65FE4F361A73E473F46730E05C
SHA1:	01F946DFBF773F977AF5ADE7C27FFFC7FE311149
SHA-256:	D3614D7BECE53E0D408E31DA7D9B0FF2F7285A7DD544C778847ED0C5DED5D52F
SHA-512:	E4D7AAFA75D07A3071D2739D18B4C2B0A3798F754B339C349DB9A6004D031BF02F3970B030CEC4A5F55B4C19F03794B0CE186A303D936C222E7E6E8726FFFFF7
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......ia.p-..#-..#-..#].."!..#].."...#=..":..#=.."<..#=.."b..#].."7..#]..",..#].."...#-..#...#e.."T..#e..",..#e..#,..#-.g#,..#e..",..#Rich-..#........................PE..L...l..f.........."!...).....`............... ......................................Di....@A............................L...,...@....................Z..`=......h....K..p....................L...... K..@............ ...............................text...Z........................... ..`.rdata....... ......................@..@.data....(..........................@....fptable............................@....rsrc...............................@..@.reloc..h...........................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSIE8C4.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1021792
Entropy (8bit):	6.608380087035959
Encrypted:	false
SSDEEP:
MD5:	EC6EBF65FE4F361A73E473F46730E05C
SHA1:	01F946DFBF773F977AF5ADE7C27FFFC7FE311149
SHA-256:	D3614D7BECE53E0D408E31DA7D9B0FF2F7285A7DD544C778847ED0C5DED5D52F
SHA-512:	E4D7AAFA75D07A3071D2739D18B4C2B0A3798F754B339C349DB9A6004D031BF02F3970B030CEC4A5F55B4C19F03794B0CE186A303D936C222E7E6E8726FFFFF7
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......ia.p-..#-..#-..#].."!..#].."...#=..":..#=.."<..#=.."b..#].."7..#]..",..#].."...#-..#...#e.."T..#e..",..#e..#,..#-.g#,..#e..",..#Rich-..#........................PE..L...l..f.........."!...).....`............... ......................................Di....@A............................L...,...@....................Z..`=......h....K..p....................L...... K..@............ ...............................text...Z........................... ..`.rdata....... ......................@..@.data....(..........................@....fptable............................@....rsrc...............................@..@.reloc..h...........................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSIE913.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1021792
Entropy (8bit):	6.608380087035959
Encrypted:	false
SSDEEP:
MD5:	EC6EBF65FE4F361A73E473F46730E05C
SHA1:	01F946DFBF773F977AF5ADE7C27FFFC7FE311149
SHA-256:	D3614D7BECE53E0D408E31DA7D9B0FF2F7285A7DD544C778847ED0C5DED5D52F
SHA-512:	E4D7AAFA75D07A3071D2739D18B4C2B0A3798F754B339C349DB9A6004D031BF02F3970B030CEC4A5F55B4C19F03794B0CE186A303D936C222E7E6E8726FFFFF7
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......ia.p-..#-..#-..#].."!..#].."...#=..":..#=.."<..#=.."b..#].."7..#]..",..#].."...#-..#...#e.."T..#e..",..#e..#,..#-.g#,..#e..",..#Rich-..#........................PE..L...l..f.........."!...).....`............... ......................................Di....@A............................L...,...@....................Z..`=......h....K..p....................L...... K..@............ ...............................text...Z........................... ..`.rdata....... ......................@..@.data....(..........................@....fptable............................@....rsrc...............................@..@.reloc..h...........................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\c7fba9a7-b83b-43a3-81a1-7ffae577edfc.tmp

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:
MD5:	5058F1AF8388633F609CADB75A75DC9D
SHA1:	3A52CE780950D4D969792A2559CD519D7EE8C727
SHA-256:	CDB4EE2AEA69CC6A83331BBE96DC2CAA9A299D21329EFB0336FC02A82E1839A8
SHA-512:	0B61241D7C17BCBB1BAEE7094D14B7C451EFECC7FFCBD92598A0F13D313CC9EBC2A07E61F007BAF58FBF94FF9A8695BDD5CAE7CE03BBF1E94E93613A00F25F21
Malicious:	false
Preview:	.

C:\Users\user\AppData\Local\Temp\d1709b48-7a9f-4ad5-b51e-aec365ad34e0.tmp

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	Google Chrome extension, version 3
Category:	dropped
Size (bytes):	16531
Entropy (8bit):	7.960808577940416
Encrypted:	false
SSDEEP:
MD5:	B573810B867447E62F77BD35663C2B07
SHA1:	FB663C755F6472D752244E3337967A1261BD27D3
SHA-256:	9F270911E90BC74F3628BBE1083F5189F4D57FB61D3E5A1674C6FE3997439D41
SHA-512:	5DC7BB708C03470EBA1EF7A00B4B26DC516FEA852E38E81D40F32BB540F775A4599BF049F4FC1D28AC7479B30F6086E8631B914DAE00EFA5C596015973381457
Malicious:	false
Preview:	Cr24....E.........0.."0....H.............0.........G3fQ.......r.s.-+Dz...4..1)..F.TI..fF2.@H...fn.q.c./.l}..U.&.bFl.#.p..(g............."....L.RM. t..O.....E......OQ..r....w.s...<..`j.......Q..;.}...z..3[.x...^./R.....y.y....z.....g..v.$.&.g.\....5.M..Z.u...}...9F..K.v....dW....a.h..7D._q..............L+T)..C3..[..T....sj..8].t.~q.Z,Z.)...HY6.69f...b..X)...E6.5.H4.q......t.<[.<.w.,.kb..F.s.#I..9.@M.......m.t..'+../PUX..o9\..F,.....w.V...sz.x.n....{:.qz...u..[J.DRD~...6(.E..:.Ro;t..8mw"..4...b..U.]._......t......c..b.c..cN..=...v..d....................^...\L.-.rPK..-.....#&.Y..04...........conversion-overlay.js.....................T.n.@.}G.?L.....I.."..Z)O..[.;.....;8v".{....v%..9saf.Iw"....{x.(...j................5Yv.%..O..19+2.[...7h...!.y...1....K..}."2.XX...1..M..6...3..8.. .IyS..Y....-...ao2.gJB.>9&...8.i...T.l.~..(GY.1S.r.Q\c....%.l.8.......$..Q2..W..#.I.m....f...AA...W.<_.Q..Z/.b..H...~.q\Fh.2O.U._.......X.;.I.eed%..B.....-.....j..b.H...

C:\Users\user\AppData\Local\Temp\scoped_dir8756_1359693283\0b8ded05-1ee4-4921-a79f-f0289f96f3b5.tmp

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	Google Chrome extension, version 3
Category:	dropped
Size (bytes):	675649
Entropy (8bit):	7.939926429650404
Encrypted:	false
SSDEEP:
MD5:	A87FB3BC36E1CEBA7526EB8C25892D53
SHA1:	F6D4B07A784893E34CD7DAF4549870DFE968F1E8
SHA-256:	D13D98F05244220CBF3C0EB23D628D952F6D5282D3D67E404F9300B4DCFFE669
SHA-512:	5D0F54BF0B33331250CFBE6C618A422A6408C0ED3165D93FAFB2119E6CD943DB16C45F171EA770532CC43523DCF440BE07DF4A578068D1F3BAF2DF3E37574928
Malicious:	false
Preview:	Cr24....E.........0.."0....H.............0............>...{]...dq....C....u...b......8....CZ7.. p..ys i.V.0.:7Z.vV\|...~.`..]...~.w.4.....K..B..$..u.@.Y.....g..N.....&.....,.....g.F.-f.I...)MW..Xj..=.yy....J...~..8}^.8.B.......kh.N._w>+.aE.q.S. .U.E'J.....y`H.e.%...a.ta.L:.)...Md,ma....a.A..............".@.......!.@...v...{.....}..D.kX.`5o.&..c.L.....bI.7..\,cw.#.nb...a.B.%.._...2./...2......'+..,....D..Z.d%....f[.`-..E.........~~{...a........v.........L..9n(.d.0.....eqk+...tt...4.F{....L.$.6..Q4.t...<....n..k.....TH.$.f......F`..A$L.....?.......lx.um........<.PK..-.....UJlY.ZAKk...........manifest.json....................mR.j.0.=....>..4.V....].;...WM..v..n0....m.[.......Fi.....O0Z..x..."qEb.\|..}].....:!...d:...=#K.#...i<.`3.../"#..xd...le.T...O.Rsr.......P.m7Ji.@...a.r...v...\|..6.....oB.-.....:.....W\|.Vo7.8g....@.>.j..E.....-...0..>._)%...l>..H.8.y....6.M..^...:~6R.}...#t..*..w.s..m.0..Q..o'M...iN.Ln...Jg>...n6;..............!.0.I.... ..5...x.B[.

C:\Users\user\AppData\Local\Temp\scoped_dir8756_1359693283\CRX_INSTALL\images\c1_lb_1.jpeg

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, progressive, precision 8, 728x90, components 3
Category:	dropped
Size (bytes):	14915
Entropy (8bit):	7.905353274802453
Encrypted:	false
SSDEEP:
MD5:	2596A25889470A45C108D6FD37B4F137
SHA1:	1B1195A1ADC83BA51EF8F2886445941153BBAC6D
SHA-256:	C7B0F9EB37EAF86C289033245805DD4A3A97AB9658CCBA278B1BD0393C4B99BD
SHA-512:	3CD8DA2ED618FC2EEF4051CE861A24CFEF00C3A91775FF520FD93FEBBFEE26491F8E90466AD95DDC3A2D758B059D9506EADE5C91CA8DC3492516106B214E9AC6
Malicious:	false
Preview:	......JFIF.....d.d......Ducky.......<.....&Adobe.d................b..._..)...:A............................................................................................................................................Z............................................................................................ ..0@P!1"245p`.6B#3&F......................!..1"2.AQaq.....#3. 0@B......Rr.s`..b...P.Cc......................! `.1Qa"....................!1AQa.q.. 0.....@P.`p................@...................................................../........9.y$...t9u.d.......................G<..R.Z..g<uE.<.U..V.I...^X.............e.fL<....<...\|.............P..@.T[T[J.k.E=\f=oG..ot....U.D{...alE'.. .J&..yy.`_.GHS..LQ....Y.E.vE ....~t.....8P...................!Mw'......l.~O...6.o......i^t.&X...g.O2%.yHp.Hs.lq.Zs'DP...t_.1.A.....I.......8P...K..kP.lw...2.H....[c.N......G.r."...kf.y.&.k..!Z%D..@.....T.K..............{.(W..;/...*..cmm...b.\|:O7....{.....6..Zf..).......P..@..w'...]....

C:\Users\user\AppData\Local\Temp\scoped_dir8756_1359693283\CRX_INSTALL\images\c1_lb_16.jpeg

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=4, xresolution=62, yresolution=70, resolutionunit=2, software=paint.net 5.0.13], baseline, precision 8, 1940x500, components 3
Category:	dropped
Size (bytes):	152242
Entropy (8bit):	7.685194020466907
Encrypted:	false
SSDEEP:
MD5:	A9F1D8CDD1BCF409CC4DCEDCE7381F3D
SHA1:	6B2D4A8A1957A2922324A39E7A1413E54D52780C
SHA-256:	E4B98338E8DF4501E3CE72BCACE80CEAA92EB07FE6D341D226CC8B84AA36AB8D
SHA-512:	1F91EB6D194D13329D1E7FE1FBF87DB2EC2307A3E4559EBD8919D99A40BB18008323C1725B287077307CA6B1E62B4036F0BBF60A9DBA671CA687BC62C1F98F62
Malicious:	false
Preview:	......JFIF.....`.`.....hExif..MM..................>...........F.(...........1.........N.......`.......`....paint.net 5.0.13.....C....................................................................C.........................................................................................................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..9.....6...........`.V..#..f..q_..4....\|3....@..2. .....z./.^......^.p..p.l....M..7..E......].......wG-..}.9....X....R.ns....../....(.Q.d..e...?$........#...i_...L......4............/.L...?......eyq..lq]..7....k...x.*......#:.=.mZR..F.5....S....Z......8

C:\Users\user\AppData\Local\Temp\scoped_dir8756_1359693283\CRX_INSTALL\images\c1_lb_2.jpeg

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, comment: "Compressed by jpeg-recompress", progressive, precision 8, 980x120, components 3
Category:	dropped
Size (bytes):	23794
Entropy (8bit):	7.96440831363997
Encrypted:	false
SSDEEP:
MD5:	D59FCDCD3022C0304B35CD2A10A13C32
SHA1:	EC5352DA59DCFF776CFB300175EDB44CF6C94767
SHA-256:	77557F6040906D410036FF39B14FD476F53C5C7B24D91A4548384DB4300EED3B
SHA-512:	A9BA1DF594BF952CD6FD18652D3535293A4DD15A4B26C154402C3A21C5988D8554FED7E45229BF55DF064180DB82D96558B7F1A2B20B216D7032B1F930D661D7
Malicious:	false
Preview:	......JFIF..............Compressed by jpeg-recompress......................................................"..."%%424DD\.................................................."..."%%424DD\......x...."...................................................................+L.^.nU....d9.%.SI}.K~......C+...Jz]....0...q..)..LJ...h..N.\|q.j...#..C>.G.J.}....,......K.....{.=..{.=..."1.."-.U.TK.yV...._g...'/............9............`......8.......\|...^.{..a..p..8..........5$.K..]g..\....o..@>...b..x.q....E..............f.=a...l.i..n.?.~W^l..Q.{....ds.A/......Q.....q.\|..Z......o....}...zu...~..,.duJGC....`..sOr.9.S.[.3Xm....OguO.zu.`q:..-:.o.~.1..u>..a....s.r...&..m../8.&w..k...L...}..JbK...l................[.G....7.....!?]?.o.....}..............z.....m'.w.A.....i..e..W9.*...F..=#. j.;..KG.Yy.y.}e.~.....7..:.$&..L....t{.....k#..[g.]......:-....j..T.zz..r[+..........U.uR......d..m.+...d.YL..F..OCA..P%..Fo(......Z.....I.Og.5...._a........3.,..N..}..GdQ.#... 2......

C:\Users\user\AppData\Local\Temp\scoped_dir8756_1359693283\CRX_INSTALL\images\c1_lb_3.jpeg

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, comment: "Compressed by jpeg-recompress", progressive, precision 8, 728x90, components 3
Category:	dropped
Size (bytes):	18437
Entropy (8bit):	7.96459795791236
Encrypted:	false
SSDEEP:
MD5:	9E483B1CFF41498A4734B98346342137
SHA1:	8B4A1F9BB00AC1AD9613DB364CAEFAB445C3954B
SHA-256:	B3009C71B5948B2F504114E43DE86C3ECF14D943B9579CC9614809F0814446A5
SHA-512:	62E3F49980A718009207D841A12C38ACA2C91EDAE6DE051080F3762C5DEE191840EF30E52F27DD2810661AF561EA1041058F2AC03027D5AF37BAE1854FB0245F
Malicious:	false
Preview:	......JFIF..............Compressed by jpeg-recompress......................................................"..."%%424DD\.................................................."..."%%424DD\......Z...."..............................................................g).......&n.......+.l....O.[J%....?..i.....(..............k.....k[~..K..j.............{V..q1.....Bn.d.....8..............i7.g..!....p.....4]..N..1...m.c..>{..5...g..F.........]Ov.)}........e5.2.uR.v._.+_,..ki...-....>...j.5j.u.H.=..?........-..`{...7..G27.............,..oeh.~....?A.>.j?ai:...~.j-..;-..%3...c...bhN...X..yan59......a....nk.9.........z~$P..../.x.k...........5Yn..v.g5]...vs...j.V,:..6.\v&..\....Yff.0=...&;.)..G....u.V9......_.F9..d}..>....J..........P..n.........t>..$Y?...89.r8r........@8....9.H@.}..$_q........FG'..C}Y.\.+..4.yf09~'.6....y.y$...u..1a.3......eb..o.9...~..{..K....._..O+.GF...h..%..>.....G.>........f#..wNr7..y$Q..F>O....<.."U..w.d.._..$..dp.,?9x.....\|>i.g7...b.

C:\Users\user\AppData\Local\Temp\scoped_dir8756_1359693283\CRX_INSTALL\images\c1_lb_4.jpeg

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 728x90, components 3
Category:	dropped
Size (bytes):	66595
Entropy (8bit):	7.853094212908445
Encrypted:	false
SSDEEP:
MD5:	2EB2A49789692BD5CFCF81F92E7DBD5F
SHA1:	B1359E6CDF8C7C518F52D5C77F33C9F8639BC044
SHA-256:	7076BEBB3284F12F4F8AB81B9B34283DD7FC1D4A6A70C28D65C8D057892B0057
SHA-512:	09F7456A197057E89098FA79897B37B17F14A9815859D73FD1BD0FD289241475C1A8F976DF69AF663FFE5B9D6CE7B783C72DCF04D42F435C6224B2BEA1A53C37
Malicious:	false
Preview:	......JFIF.....H.H.....C....................................................................C.......................................................................Z.................................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...\|W.;..t:.....O{..%.pK0.X.n..n.mPF..@H...!..{....eZT(J.'.R..YN1.....*>k.VVJ..~Fu.ar,-<^..".:....4i.js.V.mU.F<..d.Rn.>.M.w...t{=n.;..o~..Gv.Gp.f.....i....d.+.....Q.3.S.....(J..NgM....Eg(._..w......ey....C0.F.(.=.$k.....j.%..s..y...+...7..s../.?.R.Q...._......>..o7..E...j....gk....eX...{....\|..S...?//%:...w..V.....".d.U..,U_...g.hQ./..<...._.G......e\|o..T....

C:\Users\user\AppData\Local\Temp\scoped_dir8756_1359693283\CRX_INSTALL\images\c1s-blue.svg

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	SVG Scalable Vector Graphics image
Category:	dropped
Size (bytes):	14428
Entropy (8bit):	3.9206955363820994
Encrypted:	false
SSDEEP:
MD5:	03D820AB5315D5C7DE366E9F48DC3CE8
SHA1:	1EF4875E0F2E2BB6134844C3A37002A0A2699D24
SHA-256:	C78AE917C43C79556C528E4739A3911BC9BD94BC52D8159E3517E2933F54F2E4
SHA-512:	9FE470D780082E7D72059E44E31EC513A644434513A98037C95E387422691A5A2604846764978C5189222195343D7EDAF136A969448C5DDD4CE058FB473F9E23
Malicious:	false
Preview:	<svg viewBox="0 0 320 64" fill="none" xmlns="http://www.w3.org/2000/svg">..<path d="M190 47.9399C190.874 48.5709 191.883 49.066 193.029 49.4155C194.174 49.7649 195.33 49.9397 196.485 49.9397C198.203 49.9397 199.591 49.5125 200.64 48.6583C201.688 47.804 202.212 46.6876 202.212 45.2896C202.212 44.4159 201.979 43.6878 201.514 43.0957C201.048 42.5035 200.29 41.9792 199.242 41.523L196.922 40.5425C195.417 39.9115 194.339 39.1834 193.679 38.3679C193.029 37.5525 192.699 36.5331 192.699 35.31C192.699 33.9606 193.068 32.7665 193.796 31.7472C194.524 30.7181 195.524 29.9318 196.786 29.3785C198.048 28.8251 199.485 28.5436 201.077 28.5436C202.164 28.5436 203.29 28.6795 204.436 28.9513C205.581 29.2231 206.542 29.5823 207.329 30.0192L206.872 32.3782C205.125 31.4851 203.28 31.0385 201.339 31.0385C199.698 31.0385 198.397 31.3977 197.417 32.1161C196.436 32.8344 195.941 33.7955 195.941 34.9993C195.941 35.6983 196.145 36.2904 196.543 36.7661C196.941 37.2418 197.592 37.6787 198.494 38.0767L200.882 39.1251C2

C:\Users\user\AppData\Local\Temp\scoped_dir8756_1359693283\CRX_INSTALL\images\close.svg

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	SVG Scalable Vector Graphics image
Category:	dropped
Size (bytes):	211
Entropy (8bit):	4.976401556684502
Encrypted:	false
SSDEEP:
MD5:	75E2E1EA6CABCAE4F318453E2E58213A
SHA1:	ABB9E7FEE28C39ED9320C8C19306470BC3EA4B62
SHA-256:	4BEBED1986FC4908A180A8B62C84FF1CCBAA1CDBAE05F220B3FD123D8A0928A8
SHA-512:	044258568D69CDEE73CCF05614F2CB58A0C9CC438E3DEBB524453EED02EEAEAF66AA04CB95928D691B869CBFCB81D8947E87D42D16377CC4781A805F86167732
Malicious:	false
Preview:	<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24">.. <path fill="#777777" d="M13.46,12L19,17.54V19H17.54L12,13.46L6.46,19H5V17.54L10.54,12L5,6.46V5H6.46L12,10.54L17.54,5H19V6.46L13.46,12Z" />..</svg>

C:\Users\user\AppData\Local\Temp\scoped_dir8756_1359693283\CRX_INSTALL\images\coupert-logo.png

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	PNG image data, 300 x 154, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	10661
Entropy (8bit):	7.9158568170739905
Encrypted:	false
SSDEEP:
MD5:	0DABAEA157F53D2FA2BB5DD1616C3AC7
SHA1:	665E084DD4DC833A0D7B0909E25ACF9C24F05C32
SHA-256:	08F02EB7B5386E5952F0A020E07F0F85AF1ED8B4E4DB5A2033EAB2D97CDCAEE4
SHA-512:	C79B56C170435FBAE0ED1ED4AFA0FD1F74EEF90567E897649A7B8E2B4777AC27582F3D42656786A4BF08FE7B76E955B81152C1F4D9BFB65234BF6573DD082CFA
Malicious:	false
Preview:	.PNG........IHDR...,.........$G......PLTEGpL.LL.KE.LE.LF.KE.LF.LE.LF.KE.KE.KE.KE.KE.KF.KE.LG.LD.JF.LE.LF.LE.KE.KE.OI.PJ.QK.RL.QJ.RK.PI.MG.LF.KE.LF.LE.KE.LF.LF.LF.LF.LF.OH.MG.LF.LF.NE.O?.LE.NH.NG.MG.IC.JC.MG.MG.LE.11.LF.KE.LF.KE.LF.KE.LF.LF.LF.JE.KD.KE.LE.KF.KE.KE.LF.JB.M?.LF.KF.KF.KE.MF.KF.A>.KF.KE.LF.JE.LF.MG.MG.KE.KD.ME.MG.KE.LE.KE.LF.IC.LF.MG.MG.LF.LG.LF.IF.MG.LF.KE.NG.KE.TM.MQ.LF.LF.MF.LF.LE.MG.KE.LE.QI.NH.KE.KF.cZ.LF.KE.LE.LF.HG.KF.KD.KE.MG.MG.LF.KE.LE.SL.VP.KF.KE.LF.KE.TN.KE.MG.LF.GE.LF.KE.KF.LF.GE.KF.LF.LE.LF.MG.KF.LD.LF.LF.MG.KE.KE.KF.KE.LF.KE.KE.LF.KE.LF.LE.A=.LE.MG.MG.LF.KE.LF.IH.SM.LE.LE.KE.MD.LF.MG.KF.LF.KG.NG.LF.KE.LF.MG.ZI.KF.JC.LE.LF.KE.LG.KE.LF.LE.KE.KF.LE.IE.LE.LE.KE.KF.LE.ME.LE.JE.LE.KE.KF.MG.KE.KE.LE.LF.MF.KE.LF.LF.KE.KF.OI.KE.MF.LD.KE.KE.MG.LE.KF.NH.KE.JD.MF.LD.LF.JD.OJ.PJ.MG..#$....tRNS...6Up.......gF%."V.............y.E........s.......,..i.O....\|aQ@?=I]......X)..0..3l.k(A.5m.v$...N...c^........K..S...<...{..2!M....&...#.[.....e.'.........ox..n.............

C:\Users\user\AppData\Local\Temp\scoped_dir8756_1359693283\CRX_INSTALL\images\coupert-logo.svg

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	SVG Scalable Vector Graphics image
Category:	dropped
Size (bytes):	4040
Entropy (8bit):	3.98793847099381
Encrypted:	false
SSDEEP:
MD5:	AE95C4E9C175A7A3EAAF987161038E45
SHA1:	7B5217C3B416EA4000D29385C86A34BC2833591C
SHA-256:	5C3437C9C96A8DBBBA6CE889C97D592E493596FFC0C7EC1D0631268E91ECCC04
SHA-512:	6BE7593FFAF838A1985B9063E84A274058D430D377BEF2A7DF32F4614D68CCC7403E41973FF2E0C62B43C7CE004DFC730CAC4C39119697ADEF87D2295125F82B
Malicious:	false
Preview:	<?xml version="1.0" standalone="no"?>.<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 20010904//EN". "http://www.w3.org/TR/2001/REC-SVG-20010904/DTD/svg10.dtd">.<svg version="1.0" xmlns="http://www.w3.org/2000/svg". width="300.000000pt" height="154.000000pt" viewBox="0 0 300.000000 154.000000". preserveAspectRatio="xMidYMid meet">..<g transform="translate(0.000000,154.000000) scale(0.100000,-0.100000)".fill="#000000" stroke="none">.<path d="M660 1515 c-127 -35 -281 -127 -380 -226 -115 -115 -204 -272 -246.-436 -100 -384 71 -704 409 -768 175 -33 315 -5 573 116 59 27 105 52 102 54.-2 3 -72 -17 -154 -44 -199 -66 -339 -89 -445 -73 -103 15 -181 53 -250 121.-208 208 -209 596 -3 907 138 209 314 324 493 324 108 -1 191 -55 221 -146 31.-94 -18 -246 -104 -320 -51 -44 -132 -84 -168 -84 -46 0 -78 40 -78 95 0 81.38 128 136 170 l59 26 -57 -4 c-108 -7 -206 -95 -215 -194 -5 -42 -1 -53 22.-81 53 -63 140 -62 280 3 110 51 326 117 456 139 38 7 67 30 51 40 -11 7 -174.-27 -281 -57 -45 -14 -84 -21 -86 -16 -3 4 4 23 15 4

C:\Users\user\AppData\Local\Temp\scoped_dir8756_1359693283\CRX_INSTALL\images\coupert_lb_1.jpeg

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 728x90, components 3
Category:	dropped
Size (bytes):	46236
Entropy (8bit):	7.9682943571719385
Encrypted:	false
SSDEEP:
MD5:	9A3EBBFB61AC8B4A3FE8064015F2291D
SHA1:	B9D11E982F9250D8317C614230EB53EF555453E3
SHA-256:	7FCE1D28C2248AF6A26D01498532D54930530E83F35710DD1F1313601293799A
SHA-512:	B65ABB4C1C2CE0B9FF3B517871D3E73FA74143D7E53BB0B854C6E5BF27A687BF5808C1A4B4B7E54822FE776D4AFEC8B27A33FCC45536579349CB01E27836352D
Malicious:	false
Preview:	......JFIF.............(ICC_PROFILE...............mntrRGB XYZ ............acsp.......................................-....................................................desc.......trXYZ...d....gXYZ...x....bXYZ........rTRC.......(gTRC.......(bTRC.......(wtpt........cprt.......<mluc............enUS...X.....s.R.G.B................................................................................XYZ ......o...8.....XYZ ......b.........XYZ ......$.........para..........ff......Y.......[........XYZ ...............-mluc............enUS... .....G.o.o.g.l.e. .I.n.c... .2.0.1.6...C....................................................................C.......................................................................Z...."..........................................l.........................!1AQa..q.....".......$%2BRb....5U.#&'467DEWe...(GV...Tfguw....3Xdrv...89FHt........................................W...........................!...1A..Qaq."#......$UV......%23C.SWcf.&'56BFRbrt..4eu...........

C:\Users\user\AppData\Local\Temp\scoped_dir8756_1359693283\CRX_INSTALL\images\coupert_lb_2.jpeg

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 728x90, components 3
Category:	dropped
Size (bytes):	53362
Entropy (8bit):	7.961536942161352
Encrypted:	false
SSDEEP:
MD5:	3077BFE15A025EBBC6AE1C504CA09307
SHA1:	94CCF4C3E5A3AA7841846A02D97AF6E9EF1A43B0
SHA-256:	AF7C7A820F81B0C68D494AB7859B29AE3288EA63C04AF843DB3FC4F5BDB24CE9
SHA-512:	93D3273994B907EE36E74604687F628D6C9021E247E9FE614E983A75F7C93DFAAD43E1EFE3DE3559DE401D0A9CB7BE23529AA16EC98244883DE926331B63B6A9
Malicious:	false
Preview:	......JFIF.............(ICC_PROFILE...............mntrRGB XYZ ............acsp.......................................-....................................................desc.......trXYZ...d....gXYZ...x....bXYZ........rTRC.......(gTRC.......(bTRC.......(wtpt........cprt.......<mluc............enUS...X.....s.R.G.B................................................................................XYZ ......o...8.....XYZ ......b.........XYZ ......$.........para..........ff......Y.......[........XYZ ...............-mluc............enUS... .....G.o.o.g.l.e. .I.n.c... .2.0.1.6...C....................................................................C.......................................................................Z...."..........................................].........................!..1.."A.....Q$%2aq.#6BRb..&5D..'4HVd...78FGTfr.(3CWgw.9htv..........................................T...............................!.1."#$34AQa.%5cq..2Udv..TVWu.......6Bb....CFr&7e..............?......\..B8

C:\Users\user\AppData\Local\Temp\scoped_dir8756_1359693283\CRX_INSTALL\images\coupert_lb_3.jpeg

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 728x90, components 3
Category:	dropped
Size (bytes):	51642
Entropy (8bit):	7.960184846525321
Encrypted:	false
SSDEEP:
MD5:	66B5D7A5D3320B0CAB0C873B2C04DCEB
SHA1:	6D0DF8A3F464AED1D935CA0C63FAACCBB261930C
SHA-256:	E699244DFF5047925BC202B1DAF2F324702C2BB61364310B2BA2C3CECB1FA094
SHA-512:	734D18887764B66318070849B9159880EA177CF13815744C537AE774B458EF050C38CC21EE780B50713E874B087E5BD7833AF7854AA0630FCFB4FD2B1029339A
Malicious:	false
Preview:	......JFIF.............(ICC_PROFILE...............mntrRGB XYZ ............acsp.......................................-....................................................desc.......trXYZ...d....gXYZ...x....bXYZ........rTRC.......(gTRC.......(bTRC.......(wtpt........cprt.......<mluc............enUS...X.....s.R.G.B................................................................................XYZ ......o...8.....XYZ ......b.........XYZ ......$.........para..........ff......Y.......[........XYZ ...............-mluc............enUS... .....G.o.o.g.l.e. .I.n.c... .2.0.1.6...C....................................................................C.......................................................................Z...."..........................................p........................!...1A..."Q....2aq$%6BR..#3b..&4CWd....'(78DGSTfgru....EVtvw.......FHUehs......59........................................X...............................!.1A."#$34a..5Qq..%2cd..VW..CTU......BDFReuv..67Ebfrs...

C:\Users\user\AppData\Local\Temp\scoped_dir8756_1359693283\CRX_INSTALL\images\coupert_lb_4.jpeg

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 1005x124, components 3
Category:	dropped
Size (bytes):	92164
Entropy (8bit):	7.956618409621496
Encrypted:	false
SSDEEP:
MD5:	3C97FFC8F1CBE59B6F465DE1E40EBBD4
SHA1:	3819F35ADF6B853F3C4596A104279D881560E86E
SHA-256:	9373EB54EF68874ECE5148CDF77729D97305431996BB33AB3266218B43E173D9
SHA-512:	22F7C1CA19737FFFA0933B4E2440534DCEA70F3A76D5EE0787CAB38618610FACB5B24B63F19D97F7A0CCB424165868D228C2A403726DC268F81B611641850249
Malicious:	false
Preview:	......JFIF.............(ICC_PROFILE...............mntrRGB XYZ ............acsp.......................................-....................................................desc.......trXYZ...d....gXYZ...x....bXYZ........rTRC.......(gTRC.......(bTRC.......(wtpt........cprt.......<mluc............enUS...X.....s.R.G.B................................................................................XYZ ......o...8.....XYZ ......b.........XYZ ......$.........para..........ff......Y.......[........XYZ ...............-mluc............enUS... .....G.o.o.g.l.e. .I.n.c... .2.0.1.6...C....................................................................C.......................................................................\|...."..........................................j.......................!..1..."AQ..2a...#Bq.Rb.$%35S...46CFr..&DEUVWXfv.......'(78Tcde.9GHu......g........................................R............................!1.A.."Qaq.#...2B....$RVW.......3Sb..7CTv%&..4Dcrs..............?.

C:\Users\user\AppData\Local\Temp\scoped_dir8756_1359693283\CRX_INSTALL\images\coupon-temu.svg

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	SVG Scalable Vector Graphics image
Category:	dropped
Size (bytes):	7530
Entropy (8bit):	4.5038823373338275
Encrypted:	false
SSDEEP:
MD5:	F2FC24FF56CBEB38D8BD17742E6EBDD6
SHA1:	D3A47D054B9EA6A1B56E1514743F1AD6D69CDCBC
SHA-256:	AEFA5D551492AD04D9C9B7B26502F0D83AC989F0FFF5FDE7C77411E9C472F274
SHA-512:	472C416085B1F715F1A205F76486EE9228C0E0200C9EC9A0403AB16F355D7CCBFD23A9121F2C52000552C03B2BCB554C1CDD5601A419C6B4260A213FBD5CA523
Malicious:	false
Preview:	<svg width="153" height="153" viewBox="0 0 153 153" fill="none" xmlns="http://www.w3.org/2000/svg">..<g clip-path="url(#clip0_2647_309)">..<path d="M76.4743 145.299C112.644 145.299 141.965 115.977 141.965 79.8075C141.965 43.6378 112.644 14.3164 76.4743 14.3164C40.3045 14.3164 10.9832 43.6378 10.9832 79.8075C10.9832 115.977 40.3045 145.299 76.4743 145.299Z" fill="white"/>..<path d="M81.0656 145.299C117.235 145.299 146.557 115.977 146.557 79.8075C146.557 43.6378 117.235 14.3164 81.0656 14.3164C44.8958 14.3164 15.5745 43.6378 15.5745 79.8075C15.5745 115.977 44.8958 145.299 81.0656 145.299Z" stroke="black" stroke-width="2.1" stroke-miterlimit="3" stroke-linecap="round"/>..<path fill-rule="evenodd" clip-rule="evenodd" d="M92.8798 126.15L93.6039 122.895C93.6527 122.676 93.7866 122.485 93.9762 122.364C94.1658 122.244 94.3952 122.203 94.6145 122.252C98.656 123.151 120.883 128.097 124.923 128.996C125.145 129.045 125.334 129.178 125.455 129.368C125.575 129.557 125.616 129.787 125.568 130.007L121

C:\Users\user\AppData\Local\Temp\scoped_dir8756_1359693283\CRX_INSTALL\images\coupon-walmart.svg

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	SVG Scalable Vector Graphics image
Category:	dropped
Size (bytes):	15360
Entropy (8bit):	4.0750576458459875
Encrypted:	false
SSDEEP:
MD5:	71D4CFB4D68B862C9D829B3E3186006F
SHA1:	4909706E9DD92223A5D87A3C2CA575AAFE281A57
SHA-256:	A904E2824A28B54E98CF0CC36E8B65F07E4C5E5455DF9705DD8E10CC4D5E06E7
SHA-512:	A9B7A96F6A065917F522591F04AE05887F2EB0E5F6CBDFA7BA12C9B9AB1E18468CC2BA6FCA3181BFB3108946ACA5FBD63F916088467C3160705399FD1C708876
Malicious:	false
Preview:	<svg width="145" height="144" viewBox="0 0 145 144" fill="none" xmlns="http://www.w3.org/2000/svg">..<path d="M71.4055 142.308C108.131 142.308 137.903 112.048 137.903 74.7205C137.903 37.3928 108.131 7.13281 71.4055 7.13281C34.6799 7.13281 4.90796 37.3928 4.90796 74.7205C4.90796 112.048 34.6799 142.308 71.4055 142.308Z" fill="#71B9F6"/>..<path fill-rule="evenodd" clip-rule="evenodd" d="M76.855 9.26584C40.7054 9.26584 11.4004 38.5709 11.4004 74.7205C11.4004 110.87 40.7054 140.175 76.855 140.175C113.005 140.175 142.31 110.87 142.31 74.7205C142.31 38.5709 113.005 9.26584 76.855 9.26584ZM9.26733 74.7205C9.26733 37.3928 39.5274 7.13281 76.855 7.13281C114.183 7.13281 144.443 37.3928 144.443 74.7205C144.443 112.048 114.183 142.308 76.855 142.308C39.5274 142.308 9.26733 112.048 9.26733 74.7205Z" fill="#041F41"/>..<path fill-rule="evenodd" clip-rule="evenodd" d="M88.4521 122.461L89.1929 119.131C89.2428 118.907 89.3798 118.711 89.5738 118.588C89.7677 118.465 90.0025 118.423 90.2269 118.473C94.361

C:\Users\user\AppData\Local\Temp\scoped_dir8756_1359693283\CRX_INSTALL\images\coupon.svg

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	SVG Scalable Vector Graphics image
Category:	dropped
Size (bytes):	16096
Entropy (8bit):	4.081737919965479
Encrypted:	false
SSDEEP:
MD5:	5DDFD5FEE805583AEC16A33B4D62C603
SHA1:	82E9CF5FC79A5C22F470346563CF4C3BE156CA0E
SHA-256:	57349D77D10B6CC641A502074EA5E3EB72BEA042D2A415ACFA5625E3F545C488
SHA-512:	D306D9F8657413DA7A77FE2D4A4E2D4F7AF1DB0F5A9C7FD8E9E40E918E51FB07ECA1632732554288F6954A9A73FDF2D66F90A84B831D5B9AAEDDD8DB6FC5AB56
Malicious:	false
Preview:	<svg width="290" height="290" viewBox="0 0 290 290" fill="none" xmlns="http://www.w3.org/2000/svg">..<path d="M145 276.093C213.895 276.093 269.745 220.242 269.745 151.348C269.745 82.4527 213.895 26.6025 145 26.6025C76.1051 26.6025 20.2549 82.4527 20.2549 151.348C20.2549 220.242 76.1051 276.093 145 276.093Z" fill="#DFF7DD"/>..<path d="M153.745 276.093C222.639 276.093 278.49 220.242 278.49 151.348C278.49 82.4527 222.639 26.6025 153.745 26.6025C84.8497 26.6025 28.9995 82.4527 28.9995 151.348C28.9995 220.242 84.8497 276.093 153.745 276.093Z" stroke="#48D085" stroke-width="4" stroke-miterlimit="3" stroke-linecap="round"/>..<path fill-rule="evenodd" clip-rule="evenodd" d="M176.249 239.618L177.628 233.419C177.721 233.001 177.976 232.638 178.337 232.408C178.699 232.179 179.136 232.102 179.553 232.195C187.251 233.908 229.59 243.327 237.284 245.039C237.707 245.133 238.067 245.387 238.296 245.748C238.526 246.109 238.605 246.547 238.512 246.965L231.68 277.673C231.587 278.091 231.33 278.453 230.969

C:\Users\user\AppData\Local\Temp\scoped_dir8756_1359693283\CRX_INSTALL\images\ebay-coupons.svg

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	SVG Scalable Vector Graphics image
Category:	dropped
Size (bytes):	8999
Entropy (8bit):	3.79659585539256
Encrypted:	false
SSDEEP:
MD5:	28005747A2B32B1C2F156C0C09B023AE
SHA1:	05056BB3103749644BD26D65F6226760160552C8
SHA-256:	8B17C2834273B88AE8A8EFDDDE3FB3760F4968714BE778D4B70AF5F248D80B9E
SHA-512:	4D58705793A25B2FE31EF390BF2E5F18CEC10B7517B82FFEF086150AE83342F540B24A9F87A08DCBBCBE5B2945F4711FE833771048F47258DFADE7ABBE8766DF
Malicious:	false
Preview:	<svg width="150" height="28" viewBox="0 0 150 28" fill="none" xmlns="http://www.w3.org/2000/svg">..<path d="M18.9485 16.9264C18.8299 17.9931 18.504 18.9017 17.9707 19.6524C17.4571 20.403 16.7954 21.0153 15.9855 21.4894C15.1954 21.9635 14.2867 22.2993 13.2596 22.4968C12.2522 22.7141 11.2053 22.8227 10.1188 22.8227C8.89415 22.8227 7.70896 22.6746 6.56328 22.3783C5.4176 22.1017 4.40032 21.6474 3.51143 21.0153C2.62254 20.3635 1.91143 19.5338 1.3781 18.5264C0.844763 17.519 0.578096 16.3042 0.578096 14.882C0.578096 13.4993 0.834886 12.3042 1.34847 11.2968C1.86205 10.2696 2.5534 9.43014 3.42254 8.77828C4.31143 8.10668 5.33859 7.61285 6.50402 7.2968C7.66945 6.98075 8.90402 6.82273 10.2077 6.82273C11.1954 6.82273 12.1732 6.91162 13.1411 7.08939C14.1287 7.26717 15.0176 7.57335 15.8077 8.00791C16.6176 8.44248 17.2991 9.0252 17.8522 9.75606C18.4053 10.4869 18.7509 11.3956 18.8892 12.482H13.8818C13.7238 11.4943 13.3188 10.7832 12.667 10.3487C12.0349 9.91409 11.2151 9.6968 10.2077 9.6968C8.84476 9.6

C:\Users\user\AppData\Local\Temp\scoped_dir8756_1359693283\CRX_INSTALL\images\etsy-coupons.svg

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	SVG Scalable Vector Graphics image
Category:	dropped
Size (bytes):	1120
Entropy (8bit):	4.374735133609216
Encrypted:	false
SSDEEP:
MD5:	3FE8C44238445244DF779F0BA1E986A4
SHA1:	520B47CE85C2B0CE9B742ECF296DCC569380CA1E
SHA-256:	3B39156DC92D3C6F4CB0C0E5B82051965A24405415761B8CB7D26C3D1DC7E2C4
SHA-512:	20473CD2928264913357F0BC6BA25F460123CD6294E46021797FA8905ECB5064EF49EB4666F23A0069FF47768A37BA77548176010692A0A7AE7221D0A83865A6
Malicious:	false
Preview:	<svg width="46" height="46" viewBox="0 0 46 46" fill="none" xmlns="http://www.w3.org/2000/svg">..<circle cx="23.0001" cy="22.8511" r="22.2222" fill="#2639C0"/>..<path d="M21.4029 34.5725C20.6807 34.5725 20.0141 34.2947 19.5141 33.7947L12.1252 26.4058C11.0696 25.3503 11.0696 23.6836 12.1252 22.628L22.0141 12.7391C22.9029 11.8503 24.5141 11.1836 25.7363 11.1836H32.0696C33.5141 11.1836 34.7363 12.4058 34.7363 13.8503V20.1836C34.7363 21.4058 34.0696 23.0169 33.1807 23.9058L23.2918 33.7947C22.7918 34.2947 22.1252 34.5725 21.4029 34.5725ZM25.7363 12.8503C24.9585 12.8503 23.7363 13.3503 23.1807 13.9058L13.2918 23.7947C12.9029 24.1836 12.9029 24.7947 13.2918 25.1836L20.6807 32.5725C21.0696 32.9614 21.7363 32.9614 22.0696 32.5725L31.9585 22.6836C32.5141 22.128 33.0141 20.9614 33.0141 20.128V13.7947C33.0141 13.2391 32.5696 12.7947 32.0141 12.7947H25.7363V12.8503Z" fill="white"/>..<path d="M28.0002 20.6278C26.4936 20.6278 25.2224 19.4037 25.2224 17.85C25.2224 16.3435 26.4465 15.0723 28.0002 15.07

C:\Users\user\AppData\Local\Temp\scoped_dir8756_1359693283\CRX_INSTALL\images\piggy-bank.png

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	PNG image data, 458 x 458, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	26801
Entropy (8bit):	7.896186797892801
Encrypted:	false
SSDEEP:
MD5:	F2EDFDFAD6F5471C1A5C0044F70BC66E
SHA1:	ACC7783635290C228A9C4E3710685356E0D70CAA
SHA-256:	846CB177C528FF63BF8F175FB1938C778861CE226CEAB1F1A32B8BE06770BE13
SHA-512:	D97F26551C7D016363724A52C78D3DBD2FC78CCEB9C68AE860E7C9E18AC25D85C6741018520B389E127E32CACF2F830120A19DDBB1B673FD90DDC0A08D7F1F07
Malicious:	false
Preview:	.PNG........IHDR.....................pHYs.................sRGB.........gAMA......a...hFIDATx......y....f.....}.E.II.R.-9N8t...%.....K.....b...K..^r\|..?.Nl.R..'v^,....e.m.m....DS.9\...4...Ru.......[.=....oNou........................................................................................................................................................................................................................................................................................................................................................................................................................................6'...`.q..1)_&.......k....0..<).T.)...3..T....pK.mY.}...N..}.B...Hf.8n/.>#G.II...XV.......7..L..Y.......@..P...._..8P.....M..D[.)^$.1..I..6....K.'r.....f..=..w3A3.k..#..=...0..eH@.1..z."........>......: ......)..)~.UE.."..D.x..V.C...}..W....o.H.-.kU.w.o...$..a..\..Es...y..G....u...*N.rt./.-.i.H....H....,.>...@(....'.X...../.........#..

C:\Users\user\AppData\Local\Temp\scoped_dir8756_1359693283\CRX_INSTALL\images\tag.png

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	PNG image data, 64 x 64, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	6139
Entropy (8bit):	7.937165039765014
Encrypted:	false
SSDEEP:
MD5:	741629C46CF0F9650DE6DDCC8D11AE2D
SHA1:	2E12FD35A3D95FFAAF4032385081B4511AED6056
SHA-256:	E034677AC3D57CC6B844CA644C9329F5CFBEE928BF17D15D7606072C1491A120
SHA-512:	A6C7D7B6372879EA017917070C5E1F049F6102DF43EC178FC26D78910122E39C4D231C571F1F854AEE288C8B8CC729FA836362477C1EFCFA9C342C6D018E9902
Malicious:	false
Preview:	.PNG........IHDR...@...@.....%.....TiCCPicc..H....TS....T.-....(R.H..E.t.....J..A...v.........Z...b...e],.Py....W.s.....[..@..+..Z.........T..1....."...d.VLL..mp.g{{. ..........2..H........(.x1O"-.....S.$..B...!.Pp...)8C.[.t.c... .s..,.4Z..Q..v4.Av..Eb.4u!..\>.x.#....<....@.............f..2..F...$..i.gi.w......]](..U..kx#'?\....Q.ZC~/.+...J.......1O........p..C.Q.yF.(.....t.....Z.P ..S....F.r...R...J...[.9.,...B.g..."a\|.d...P...Y...,'.\..Y...Q.:Ry."~+.L.84Pi.K....%y..\|........a\|..>.N.w ~....1+a.@..1.._.....k...T.b.$.....=....>N......d.q......9....IAL.2N<=.;6F..^.".........A6..u7v._....R....I%.\.40#..8P...$...u....P........-.X...C... .......yK...D.w..5.v..2..D.$.A...AMb01..F.!..F...G.k...8......>.1....p..A.9IT,...H...2..6c...t..q_h.Z..q#...A?,..zv.R.nE....P...\.Gq...a.....+5.4..(.m}..f.U.=4...7u..1.{Ml!..;....`..F...`M.y.....=4.-v ..hG.?....2.Z...O.9P .Z......iRQ.....o...#...pqvq.@.NQ>.z...+.C.9..0......,.5..!S.~........

C:\Users\user\AppData\Local\Temp\scoped_dir8756_1359693283\CRX_INSTALL\images\tag@2x.png

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	PNG image data, 128 x 128, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	11099
Entropy (8bit):	7.965378934238987
Encrypted:	false
SSDEEP:
MD5:	29241A7243F19A699714664DD583622A
SHA1:	9E889AED559C81709F6C23D69C6933EB0D7B74B0
SHA-256:	EA32FAF167C1AAB6FFE0949E5E75EFAA678658269FBBBD65ABA29D4EA85616DA
SHA-512:	CFA319E14C76179A541418C0AC6B4A64923553631AD8D155368765A54BB5F0DE602C0203F6B66349876B298B4A24380C51DCCA57EF08737528E7387AFB4948B9
Malicious:	false
Preview:	.PNG........IHDR.............L\.....\iCCPICC Profile..H....TS....T.-....(R.H..E.t.....J..A...v.........Z...b...e],.Py....W.s.....[..@..+..Z.........T..1....."...d.VLL..mp.g{{. ..........2..H........(.x1O"-.....S.$..B...!.Pp...)8C.[.t.c... .s..,.4Z..Q..v4.Av..Eb.4u!..\>.x.#....<....@.............f..2..F...$..i.gi.w......]](..U..kx#'?\....Q.ZC~/.+...J.......1O........p..C.Q.yF.(.....t.....Z.P ..S....F.r...R...J...[.9.,...B.g..."a\|.d...P...Y...,'.\..Y...Q.:Ry."~+.L.84Pi.K....%y..\|........a\|..>.N.w ~....1+a.@..1.._.....k...T.b.$.....=....>N......d.q......9....IAL.2N<=.;6F..^.".........A6..u7v._....R....I%.\.40#..8P...$...u....P........-.X...C... .......yK...D.w..5.v..2..D.$.A...AMb01..F.!..F...G.k...8......>.1....p..A.9IT,...H...2..6c...t..q_h.Z..q#...A?,..zv.R.nE....P...\.Gq...a.....+5.4..(.m}..f.U.=4...7u..1.{Ml!..;....`..F...`M.y.....=4.-v ..hG.?....2.Z...O.9P .Z......iRQ.....o...#...pqvq.@.NQ>.z...+.C.9..0......,.5..!S.~.

C:\Users\user\AppData\Local\Temp\scoped_dir8756_1359693283\CRX_INSTALL\manifest.json

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	JSON data
Category:	modified
Size (bytes):	1127
Entropy (8bit):	5.624397749390191
Encrypted:	false
SSDEEP:
MD5:	3E2477EE6074846F81D4B39C40945D48
SHA1:	4244025824F82383C6B7D0D8FE5F74148815A50F
SHA-256:	855D211F70DC1339B587651C91B2A0F9E47B8D43A77F4AECDE0EEF15CE7105AD
SHA-512:	29504FC874CC738967A08703680F6E005DFFF634C80C576555669727DA8EC769F4E136E27E7D0F90BA917607B605E049F4B3B8D243D3829C0FD56B29C5A1293E
Malicious:	false
Preview:	{.. "background": {.. "service_worker": "serviceWorker.js".. },.. "content_scripts": [ {.. "all_frames": false,.. "js": [ "page.js" ],.. "matches": [ "\u003Call_urls>" ],.. "run_at": "document_start".. } ],.. "description": "",.. "host_permissions": [ "https:///", "http:///" ],.. "key": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA8I7Tyz4D8/d7XZfz17tkceK6C4ndQ7uVkcV1BuKF8mIUjZiE0uQ4qrsJsENaN5mxIHCyiXlzIGm/VuswEDo3WqN2Vnz5C4h+5otg4ctdsqTtjn6cdwQ0/feH/9ZLmdVCo9Iko391CkCCWaqzjhe6Z5SDToftsdKnGoUm/uYUpo4s+dEU2QFni0aKLWamSQsfoSlNVw+CWGr1nT2NeXmnAZy5Sr0E9X6J8Kg4fV6bOL1CgAoT89jD5r1raJRO5F93PiunYUWScfRTzSATVdZFJ0rkKtC1i44XeWBIHmXwJRKlxmHEv3Rh1kw62CkLhpFNZCxtYeabEp7pYcVBFQT0FwIDAQAB",.. "manifest_version": 3,.. "name": "Capital One",.. "permissions": [ "storage", "alarms", "tabs", "scripting", "bookmarks", "cookies", "management", "activeTab" ],.. "update_url": "https://onestart.ai/chr/c1/ext/update",.. "version": "101.0.1.10",.. "web_access

C:\Users\user\AppData\Local\Temp\scoped_dir8756_1359693283\CRX_INSTALL\notification\coupert\main.js

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	ASCII text, with very long lines (637), with CRLF line terminators
Category:	dropped
Size (bytes):	2721
Entropy (8bit):	4.752336556759049
Encrypted:	false
SSDEEP:
MD5:	711D4FE39CF54406258D36D729F54E8D
SHA1:	748B930CB4AB95F19E0408011421100F42F29C0B
SHA-256:	27E0B005E5B6BED11499A88E57E38D50DE8298DCEA8BF8616FA96DAF8F13E09D
SHA-512:	0A1F1B23DD1096AB9BB5DDA1BEA5E7E961813DFC090E55F0CF26F5DFB33895B10AEFCD78D3E05C38EC139DD4E3238063AE5899E955949E2DBF835D6ADEFB9353
Malicious:	false
Preview:	(() => {.. "use strict";.. const e = "Want to find deals?",.. t = "Never miss a deal!",.. n = "Avoid paying full price - Coupert automatically applies available coupons to your shopping cart. It's 100% free. Try it now.";.... function o() {.. const e = new Proxy(new URLSearchParams(window.location.search), {.. get: (e, t) => e.get(t).. }).domainId;.. chrome.runtime.sendMessage({.. action: "offerAccepted",.. data: {.. domainId: e.. }.. }).. const fe = document.getElementById("offerCard");.. !!fe && (fe.classList.toggle("loading"), !0).. }.. window.onload = function() {.. var d, c, a, i;.. null === (d = document.getElementById("acceptBtn")) \|\| void 0 === d \|\| d.addEventListener("click", (function(e) {.. o(), e.stopPropagation().. })), null === (c = document.getElementById("offerCard")) \|\| void 0 === c \|\| c.addEventListener("clic

C:\Users\user\AppData\Local\Temp\scoped_dir8756_1359693283\CRX_INSTALL\notification\coupert\modal-1.html

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	HTML document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	2069
Entropy (8bit):	4.408320764302692
Encrypted:	false
SSDEEP:
MD5:	B258FA47FD9FA05700D7E23F75D259F0
SHA1:	779CE364C0E10C918064B7030796B766E574B53D
SHA-256:	D7675217517D6B1973C22CB22E4FC42627113BE41661219DEE962D547C3F9319
SHA-512:	2ED4FE3046BCC2C84BDF633147DE06F9F470E2BC1E58AC91C88488C0C6277E80CB5F59E87DC97DB41657F970D2E885E37750621D2716FC075D293C6AE3BE64F9
Malicious:	false
Preview:	<!DOCTYPE html>..<html lang="en">....<head>.. <meta charset="UTF-8">.. <meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1.0">.. <link rel="preconnect" href="https://fonts.googleapis.com">.. <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>.. <link href="https://fonts.googleapis.com/css2?family=Roboto:wght@100;300;400;500;700;900&display=swap".. rel="stylesheet">.. <script type="text/javascript" src="../main.js"></script>.. <link rel='stylesheet' href='../style.css' type='text/css' />.. <title>Notification</title>..</head>....<body>.. <div class="main">.. <div id="offerCard" class="card">.. <div id="closeBtn"></div>.. <div class="coupon-container" style="height: 208px;">.. <div class="left-side">.. <img src="../../images/coupon.svg" alt="coupons" class="coupons-image">.. </div>..

C:\Users\user\AppData\Local\Temp\scoped_dir8756_1359693283\CRX_INSTALL\notification\coupert\modal-2.html

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	HTML document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1719
Entropy (8bit):	4.392076365813587
Encrypted:	false
SSDEEP:
MD5:	00BC5E2EC213CDB9EB94D98D04E856E2
SHA1:	4BAB21B324AE92DDE86E840F40D5856675423E48
SHA-256:	532664A6E147F6D1AC963EA2FB8C2511C45D11BBFD66081EB7DA623E53A75983
SHA-512:	90CF8DC4468D33E4D7ECA6500190B63E57E498BAB03DD63CC6C939FA37C530073BF9224E0438E354AC636E122D37EE449FA515D0ACC6506CB221D5836FD98588
Malicious:	false
Preview:	<!DOCTYPE html>..<html lang="en">..<head>.. <meta charset="UTF-8">.. <meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1.0">.. <link rel="preconnect" href="https://fonts.googleapis.com">.. <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>.. <link href="https://fonts.googleapis.com/css2?family=Roboto:wght@100;300;400;500;700;900&display=swap" rel="stylesheet">.. <script type="text/javascript" src="main.js"></script>.. <link rel='stylesheet' href='style.css' type='text/css' />.. <title>Notification</title>..</head>..<body>.. <div class="main">.. <div id="offerCard" class="card">.. <div style="height: 160px;">.. <div id="cardImage" class="tag-image"></div>.. <div id="closeBtn"></div>.. <div class="content">.. <span id="cardTitle" class="title"></span> -->.. <span id

C:\Users\user\AppData\Local\Temp\scoped_dir8756_1359693283\CRX_INSTALL\notification\coupert\modal-3.html

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	HTML document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	2064
Entropy (8bit):	4.307700581419883
Encrypted:	false
SSDEEP:
MD5:	051BEF379186236CC8D168FB9DAC5BC2
SHA1:	9AE411FF2A442B00061DDDCD2A01A7235D502F56
SHA-256:	C729705D55B1CA2816F089018A9CA7DA50D23EBD60DFC4740B6BB1D3F6FD96C4
SHA-512:	2907498F6015C36E36E29489751581BAB91348FF9FDA6DC49BE1A5123EB3E19465E8E50C5A0E6E667609E1FC8725EEB95842E38F4B26C1C4F580370A71270264
Malicious:	false
Preview:	<!DOCTYPE html>..<html lang="en">....<head>.. <meta charset="UTF-8">.. <meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1.0">.. <link rel="preconnect" href="https://fonts.googleapis.com">.. <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>.. <link href="https://fonts.googleapis.com/css2?family=Roboto:wght@100;300;400;500;700;900&display=swap".. rel="stylesheet">.. <script type="text/javascript" src="main.js"></script>.. <link rel='stylesheet' href='style.css' type='text/css' />.. <title>Notification</title>..</head>....<body>.. <div class="main">.. <div id="offerCard" class="card">.. <div style="height: 280px;">.... <div id="closeBtn"></div>.. <div class="content flex-col">.. <img src="/images/coupert-logo.png" alt="Capital One Shopping" height="30px">.. <h1 id="cardTitleTwo"

C:\Users\user\AppData\Local\Temp\scoped_dir8756_1359693283\CRX_INSTALL\notification\coupert\modal-4.html

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	HTML document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	2080
Entropy (8bit):	4.422865098968145
Encrypted:	false
SSDEEP:
MD5:	9C322626F0827D331CA40C2699E3437B
SHA1:	64CBF2B7133EE7A9CD870EB252741707A75E3ACE
SHA-256:	386C7A7349F003F0A13959172A384860BEDDC7EA0D3D1F1D5EF2271384DEF69E
SHA-512:	F157B36DA7D98A230E1CF5EA2BD1574F121FEA936F265F0B7165F4E9F0283BBC0A03C4F629E572F39465ED964C767659B47AFF62F7167245FD38DE0B10104E65
Malicious:	false
Preview:	<!DOCTYPE html>..<html lang="en">....<head>.. <meta charset="UTF-8">.. <meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1.0">.. <link rel="preconnect" href="https://fonts.googleapis.com">.. <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>.. <link href="https://fonts.googleapis.com/css2?family=Roboto:wght@100;300;400;500;700;900&display=swap".. rel="stylesheet">.. <script type="text/javascript" src="main.js"></script>.. <link rel='stylesheet' href='style.css' type='text/css' />.. <title>Notification</title>..</head>....<body>.. <div class="main">.. <div id="offerCard" class="card">.. <div style="height: 465px;">.... <div id="closeBtn"></div>.. <div class="content flex-col">.. <img src="../../images/coupert-logo.png" alt="Capital One Shopping" height="30px">.. <img src="../../

C:\Users\user\AppData\Local\Temp\scoped_dir8756_1359693283\CRX_INSTALL\notification\coupert\modal-5.html

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	HTML document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1657
Entropy (8bit):	4.510378995681847
Encrypted:	false
SSDEEP:
MD5:	20B7B288DDCEF77F79628257B72F7385
SHA1:	72F4CE9B6670AC5EE2223644085B3598C9FA203D
SHA-256:	BD18066E3AFF0E47D41279F5CF1FF7DE83D32A4245639EB123114A4951FFCB78
SHA-512:	3F2B46DF1D89664944DED0E909B3412E11443A33DED7A8923D68085D6D57B1AE72FB9E358C36587327997D4CDD4E4FFF38C24AC501D194B8F824917D8682DCF6
Malicious:	false
Preview:	<html lang="en"><head>.. <meta charset="UTF-8">.. <meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1.0">.. <link rel="preconnect" href="https://fonts.googleapis.com">.. <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin="">.. <link href="https://fonts.googleapis.com/css2?family=Roboto:wght@100;300;400;500;700;900&display=swap" rel="stylesheet">.. <script type="text/javascript" src="../main.js"></script>.. <link rel="stylesheet" href="../style.css" type="text/css">.. <title>Notification</title>..</head>....<body>.. <div class="main">.. <div id="offerCard" class="card">.. <div style="height: 130px;">.. .. <div id="closeBtn"></div>.. <div class="content flex-col">.. <button id="acceptBtn" style="border: 0px;padding-top: 16px;background: transparent;cursor: pointer;" >.. ..

C:\Users\user\AppData\Local\Temp\scoped_dir8756_1359693283\CRX_INSTALL\notification\coupert\style.css

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	13486
Entropy (8bit):	4.952840537318132
Encrypted:	false
SSDEEP:
MD5:	9C2689C4D9E363AC2A6921965028A3BC
SHA1:	C122F64E02B7DBEF185D6640A32E6801DBEA5E9F
SHA-256:	5FBA89AA68CB696F3C35EE2708143F5CD8E2FFBD8F96BADE9C797D064682A4AF
SHA-512:	8BEF5752AB8D408489FC190A8CA1700661432A5B352177DEB2094EE341B04E61153B6D5EC708F7CF824E05FCCFB28A13C14F795955F7BD137EB061169891B602
Malicious:	false
Preview:	/* @font-face {.. font-family: 'Amariya';.. src: url('/fonts/amariya-medium-ETSY.otf');..}....@font-face {.. font-family: 'Amazon-Ember';.. src: url('/fonts/amariya-medium-ETSY.otf') format('truetype');..}....@font-face {.. font-family: 'Bookerly';.. src: url('/fonts/Bookerly-Regular.ttf') format('truetype');..} /....html {.. overflow: hidden;..}....body {.. font-family: 'Roboto', sans-serif;.. margin: 0;..}.....main {.. margin: 0;..}.....card {.. display: block;.. position: absolute;.. bottom: 0;.. top: 0;.. left: 0;.. right: 0;.. height: fit-content;.. margin: 20px;.. background-color: white;.. box-shadow: 0 4px 8px 0 rgba(0, 0, 0, 0.2);.. transition: 0.3s;.. border-radius: 5px;..}.....card.rounder {.. border-radius: 20px;..}.....card:hover {.. / box-shadow: 0 6px 12px 0 rgba(0,0,0,0.2); */..}....#closeBtn {.. width: 16px;.. height: 16px;.. top: 10px;.. right: 10px;.. position: absolute;.. bac

C:\Users\user\AppData\Local\Temp\scoped_dir8756_1359693283\CRX_INSTALL\notification\domains.json

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	184675
Entropy (8bit):	4.392886256858905
Encrypted:	false
SSDEEP:
MD5:	B44310E2F811F6C884840B0CCDA6213E
SHA1:	AF53DF8491D917881AD9B79EC7E70508B86D1123
SHA-256:	88AA35A1E6A7A4DD2A7A9A4AD5E8BAB6C78D3F23EB174876EE1BC62296791794
SHA-512:	E146E9B7A58508923B993AD604E6E1971E123AB8FA67E7FF559C4D1158524C2CA98F96FCC139FFCDE71F15DDACF3B5C42A3D2B0E8F5D3E70F7250767D7811EAA
Malicious:	false
Preview:	[.. "www.amazon.com",.. "www.amazon.de",.. "www.amazon.fr",.. "www.ebay.com",.. "www.ebay.de",.. "www.ebay.fr",.. "pay.ebay.com",.. "www.walmart.com",.. "www.etsy.com",.. "www.kohls.com",.. "www.homedepot.com",.. "www.lowes.com",.. "www.nike.com",.. "www.bestbuy.com",.. "www.doordash.com",.. "www.target.com",.. "www.wayfair.com",.. "www.expedia.com",.. "www.booking.com",.. "www.macys.com",.. "www.tripadvisor.com",.. "www.southwest.com",.. "www.xfinity.com",.. "www.priceline.com",.. "www.aliexpress.com",.. "www.walgreens.com",.. "www.kroger.com",.. "www.jcpenney.com",.. "www.costco.com",.. "www.fiverr.com",.. "www.cox.com",.. "www.cvs.com",.. "www.marriott.com",.. "www.qvc.com",.. "www.samsclub.com",.. "www.carvana.com",.. "www.lego.com",.. "store.nvidia.com",.. "www.hilton.com",.. "www.instacart.com",.. "www.hotels.com",.. "www.kayak.com",.. "www.alibaba.com"

C:\Users\user\AppData\Local\Temp\scoped_dir8756_1359693283\CRX_INSTALL\notification\main.js

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	ASCII text, with very long lines (637), with CRLF line terminators
Category:	dropped
Size (bytes):	2734
Entropy (8bit):	4.758378922524033
Encrypted:	false
SSDEEP:
MD5:	0A875E53C47D61C5B76061A4EFB3096F
SHA1:	CA94BF99B3C55696BFCE5AC66EF5B9BCFBCD6FC3
SHA-256:	8268804267A28122E44ED915573811035593A581C437CC71255E2FD1B6DBCCA9
SHA-512:	3737A4B9233130C756D47D258B1A8E8093342B1701C56997155527F0CB204AC1A702BF911568D574ECDAB9B525D5BA4B0DB8098051CCD0AD8ADCF99A6F195BAA
Malicious:	false
Preview:	(() => {.. "use strict";.. const e = "Want to find deals?",.. t = "Never miss a deal!",.. n = "Avoid paying full price - Capital One Shopping automatically applies available coupons to your shopping cart. It's 100% free. Try it now.";.... function o() {.. const e = new Proxy(new URLSearchParams(window.location.search), {.. get: (e, t) => e.get(t).. }).domainId;.. chrome.runtime.sendMessage({.. action: "offerAccepted",.. data: {.. domainId: e.. }.. }).. const fe = document.getElementById("offerCard");.. !!fe && (fe.classList.toggle("loading"), !0).. }.. window.onload = function() {.. var d, c, a, i;.. null === (d = document.getElementById("acceptBtn")) \|\| void 0 === d \|\| d.addEventListener("click", (function(e) {.. o(), e.stopPropagation().. })), null === (c = document.getElementById("offerCard")) \|\| void 0 === c \|\| c.addEventL

C:\Users\user\AppData\Local\Temp\scoped_dir8756_1359693283\CRX_INSTALL\notification\modal-1.html

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	HTML document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	2043
Entropy (8bit):	4.382065838016765
Encrypted:	false
SSDEEP:
MD5:	56EB8D610C02FD4AB94B058C727B1FBA
SHA1:	0FFD0553624A892944FEAA1A574C3D2435C6A1D9
SHA-256:	361C59C585C9986BE0546768022AB5B1ACB9834230424A6FDD239506C6C39968
SHA-512:	F8D9B3532B6884CC4109B1C66F4A0814D15B3E67F1A47C57EAF7D3DC7CFD62D4389773A0701FC4AA1FD1994CE1A70AC79D8E2700B345D615095A868986ECB114
Malicious:	false
Preview:	<!DOCTYPE html>..<html lang="en">....<head>.. <meta charset="UTF-8">.. <meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1.0">.. <link rel="preconnect" href="https://fonts.googleapis.com">.. <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>.. <link href="https://fonts.googleapis.com/css2?family=Roboto:wght@100;300;400;500;700;900&display=swap".. rel="stylesheet">.. <script type="text/javascript" src="main.js"></script>.. <link rel='stylesheet' href='style.css' type='text/css' />.. <title>Notification</title>..</head>....<body>.. <div class="main">.. <div id="offerCard" class="card">.. <div id="closeBtn"></div>.. <div class="coupon-container">.. <div class="left-side">.. <img src="/images/coupon.svg" alt="coupons" class="coupons-image">.. </div>.. <div class="dotted-vert

C:\Users\user\AppData\Local\Temp\scoped_dir8756_1359693283\CRX_INSTALL\notification\modal-2.html

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	HTML document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1718
Entropy (8bit):	4.393634682319629
Encrypted:	false
SSDEEP:
MD5:	7B2F67FE017D6661FC321C3DA9FDF089
SHA1:	D61D04034207ED660FA6CBCC5EDC5D8CE5A05DEA
SHA-256:	7742703B3EF109D2F6F3D9EDD3C6EE04913A94EEF51C8DCAA39263FDDF7C0416
SHA-512:	18537E9D183BC0C485524D083AFD88B1C1A9C1F593F30C37AED4D84A63CA06BC23CD06FB5A4E1F1D59D9EA69FED9AE27293B4EF5E12F812CEC9C16EB42B500CD
Malicious:	false
Preview:	<!DOCTYPE html>..<html lang="en">..<head>.. <meta charset="UTF-8">.. <meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1.0">.. <link rel="preconnect" href="https://fonts.googleapis.com">.. <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>.. <link href="https://fonts.googleapis.com/css2?family=Roboto:wght@100;300;400;500;700;900&display=swap" rel="stylesheet">.. <script type="text/javascript" src="main.js"></script>.. <link rel='stylesheet' href='style.css' type='text/css' />.. <title>Notification</title>..</head>..<body>.. <div class="main">.. <div id="offerCard" class="card">.. <div style="height: 160px;">.. <div id="cardImage" class="tag-image"></div>.. <div id="closeBtn"></div>.. <div class="content">.. <span id="cardTitle" class="title"></span> -->.. <span id=

C:\Users\user\AppData\Local\Temp\scoped_dir8756_1359693283\CRX_INSTALL\notification\modal-3.html

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	HTML document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	2060
Entropy (8bit):	4.306922425027427
Encrypted:	false
SSDEEP:
MD5:	EA08865FFE60C41FBD5459C31A531FB6
SHA1:	4AB941BE8ECDD348DF7082E67055DB91B24E72BE
SHA-256:	B27FEA00BE78D16F3F5DC36ACAF01FABD5581F7AAD5CECBE9AC6AA8F8638D5F4
SHA-512:	12EEDE51F5E582416B4FBEE98C814F25EA63D14122879F7EC40A92DB0F13C4385BE6D3E591D61168F3950AD85978753357D8EEE2DC0AF14C786144EBE1EA55AA
Malicious:	false
Preview:	<!DOCTYPE html>..<html lang="en">....<head>.. <meta charset="UTF-8">.. <meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1.0">.. <link rel="preconnect" href="https://fonts.googleapis.com">.. <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>.. <link href="https://fonts.googleapis.com/css2?family=Roboto:wght@100;300;400;500;700;900&display=swap".. rel="stylesheet">.. <script type="text/javascript" src="main.js"></script>.. <link rel='stylesheet' href='style.css' type='text/css' />.. <title>Notification</title>..</head>....<body>.. <div class="main">.. <div id="offerCard" class="card">.. <div style="height: 280px;">.... <div id="closeBtn"></div>.. <div class="content flex-col">.. <img src="/images/c1s-blue.svg" alt="Capital One Shopping" height="30px">.. <h1 id="cardTitleTwo" cla

C:\Users\user\AppData\Local\Temp\scoped_dir8756_1359693283\CRX_INSTALL\notification\modal-4.html

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	HTML document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	2066
Entropy (8bit):	4.410940304744921
Encrypted:	false
SSDEEP:
MD5:	CB4D7A54CA8B7C0684A17FC0722DD870
SHA1:	CCB95E339514A5763D9FADFBB99DDE92A6CBFC67
SHA-256:	0F1343E8715984D5A356A92B85C5E2F45A2E1427AB469B62E2104B54E86D3D20
SHA-512:	FFE4DEA9432A8A6DDE5EA39EA658FA551E65ED5AD93E945741670815DBA62F633EE577778DC4582BF7C6CAE32431523E86DA15C4740A381837B693DCB2014207
Malicious:	false
Preview:	<!DOCTYPE html>..<html lang="en">....<head>.. <meta charset="UTF-8">.. <meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1.0">.. <link rel="preconnect" href="https://fonts.googleapis.com">.. <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>.. <link href="https://fonts.googleapis.com/css2?family=Roboto:wght@100;300;400;500;700;900&display=swap".. rel="stylesheet">.. <script type="text/javascript" src="main.js"></script>.. <link rel='stylesheet' href='style.css' type='text/css' />.. <title>Notification</title>..</head>....<body>.. <div class="main">.. <div id="offerCard" class="card">.. <div style="height: 465px;">.... <div id="closeBtn"></div>.. <div class="content flex-col">.. <img src="/images/c1s-blue.svg" alt="Capital One Shopping" height="30px">.. <img src="/images/piggy-b

C:\Users\user\AppData\Local\Temp\scoped_dir8756_1359693283\CRX_INSTALL\notification\modal-5.html

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	HTML document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1641
Entropy (8bit):	4.494139944533128
Encrypted:	false
SSDEEP:
MD5:	5457C9FBD556CAE6CDBB27A3855F1BCD
SHA1:	8651EC58F424D45B87EF9F1CCD40409901F063B5
SHA-256:	077B1EBD98BCB2A0506CFDC1306AD4B883DE8239711362C3E1C709730AF0E25E
SHA-512:	2CA676BA852DC4D50888E189136EB80C44208B2FDED5A9F921513EF7D79ECC50F5402A9FFE8CD96628DFD1BD97CFE59AECA2C4AB5D3173892F75B9C68115BAC5
Malicious:	false
Preview:	<html lang="en"><head>.. <meta charset="UTF-8">.. <meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1.0">.. <link rel="preconnect" href="https://fonts.googleapis.com">.. <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin="">.. <link href="https://fonts.googleapis.com/css2?family=Roboto:wght@100;300;400;500;700;900&display=swap" rel="stylesheet">.. <script type="text/javascript" src="main.js"></script>.. <link rel="stylesheet" href="style.css" type="text/css">.. <title>Notification</title>..</head>....<body>.. <div class="main">.. <div id="offerCard" class="card">.. <div style="height: 130px;">.. .. <div id="closeBtn"></div>.. <div class="content flex-col">.. <button id="acceptBtn" style="border: 0px;padding-top: 16px;background: transparent;cursor: pointer;" >.. ..

C:\Users\user\AppData\Local\Temp\scoped_dir8756_1359693283\CRX_INSTALL\notification\style.css

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	13414
Entropy (8bit):	4.953756478539188
Encrypted:	false
SSDEEP:
MD5:	FD0B08770B16AFA3CAA21F7DCF98B4DD
SHA1:	C7FFC37790C208B2694E348B094D0FB9461C23B2
SHA-256:	CF01DE1845CA77A397165C15FD87E8435650F35C35B29E00A5AAECEE9D01927C
SHA-512:	1B2E45FEFF0E51B3217A990F232C15AB71D8611A961D671AEB87896D224AF5346B39BA5D7F5555A3FAEA1E2C0163B616F34808C3A37B75285BFA8925F70438CD
Malicious:	false
Preview:	/* @font-face {.. font-family: 'Amariya';.. src: url('/fonts/amariya-medium-ETSY.otf');..}....@font-face {.. font-family: 'Amazon-Ember';.. src: url('/fonts/amariya-medium-ETSY.otf') format('truetype');..}....@font-face {.. font-family: 'Bookerly';.. src: url('/fonts/Bookerly-Regular.ttf') format('truetype');..} /....html {.. overflow: hidden;..}....body {.. font-family: 'Roboto', sans-serif;.. margin: 0;..}.....main {.. margin: 0;..}.....card {.. display: block;.. position: absolute;.. bottom: 0;.. top: 0;.. left: 0;.. right: 0;.. height: fit-content;.. margin: 20px;.. background-color: white;.. box-shadow: 0 4px 8px 0 rgba(0, 0, 0, 0.2);.. transition: 0.3s;.. border-radius: 5px;..}.....card.rounder {.. border-radius: 20px;..}.....card:hover {.. / box-shadow: 0 6px 12px 0 rgba(0,0,0,0.2); */..}....#closeBtn {.. width: 16px;.. height: 16px;.. top: 10px;.. right: 10px;.. position: absolute;.. bac

C:\Users\user\AppData\Local\Temp\scoped_dir8756_1359693283\CRX_INSTALL\page.js

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	3330
Entropy (8bit):	4.773710711644994
Encrypted:	false
SSDEEP:
MD5:	08177C8AB9058A58398CC82695F696C8
SHA1:	89C6D51EB044A7B6354CC7EFE88E4040ED70A22A
SHA-256:	D59731B9BEFA16B390D5D442B7B67334302414C3F3BACA2371166ED8CF449BBE
SHA-512:	B4D8C7CB440FC51D3136D46EA119B8CCA06B830117BDCD72CAEC95A9D7B3F6B63AD6BEF0F0AC31CDE85E2EDD7958740D3DE746931C16C1F288189A05620E539E
Malicious:	false
Preview:	/****/ (() => { // webpackBootstrap./***/ ."use strict";.var __webpack_exports__ = {};..;// CONCATENATED MODULE: ./src/common/messages.ts.const openShadTab = 'open-shad-tab';.const notif_frame_id = 'notf_' + chrome.runtime.id;.const c1_ext_id = 'nenlahapcbofgnanklpelkaejcehkggg';.const close_ls_id = 'ls_close';..;// CONCATENATED MODULE: ./src/common/index.ts......;// CONCATENATED MODULE: ./src/content/main.ts..const isOfferClose = ()=>{. var ls = localStorage.getItem(close_ls_id);. var isClosed = false;. if (!!ls) {. var isClosedExpired = Date.now() - ls > 24 60 * 60 * 1000;. if (!!isClosedExpired) {. localStorage.removeItem(close_ls_id);. } else {. isClosed = true;. }. }. return isClosed;.};.const createIframe = (layout)=>{. const iframe = document.createElement('iframe');. iframe.src = chrome.runtime.getURL('notification/' + layout.name);. iframe.style.position = 'fixed';. if (layout.cssText) {.

C:\Users\user\AppData\Local\Temp\scoped_dir8756_1359693283\CRX_INSTALL\serviceWorker.js

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	C++ source, ASCII text
Category:	dropped
Size (bytes):	15891
Entropy (8bit):	4.02125928706149
Encrypted:	false
SSDEEP:
MD5:	2FF7CA4958170C9616760944CA44B2F1
SHA1:	FD15B3FB28B35AB021483947A6FEBC2FD07F5471
SHA-256:	894E6DF5A807FC2F071C33B15E43FB3C4361B6C219092A88B93BE241EE21F983
SHA-512:	8DD123532DE3604F6C991B6F265520F965219B39B9862AB7B5D75C15EA8BCA906816D13CB0602072795FF1AF6EF79ACBC4DE8A924412B721350991C8A36898E2
Malicious:	false
Preview:	/****/ (() => { // webpackBootstrap./****/ ."use strict";.var __webpack_exports__ = {};..// UNUSED EXPORTS: C1_Offer_Key, checkIfExtensionInstall, default..;// CONCATENATED MODULE: ./src/common/messages.ts.const openShadTab = 'open-shad-tab';.const notif_frame_id = 'notf_' + chrome.runtime.id;.const c1_ext_id = 'nenlahapcbofgnanklpelkaejcehkggg';.const close_ls_id = 'ls_close';..;// CONCATENATED MODULE: ./src/common/utils.ts.const isValidUrl = (url)=>{. try {. return !!new URL(url);. } catch {. return false;. }.};.const inQueue = (fn)=>{. const promises = [];. return (...args)=>{. const promise = Promise.all(promises).then(()=>fn(...args));. promises.push(promise);. return promise;. };.};.function wrapInPromise(wrapper) {. return new Promise((resolve, reject)=>wrapper((result)=>{. if (chrome.runtime.lastError) {. reject(new Error(chrome.runtime.lastError.message));. } else {.

C:\Users\user\AppData\Local\Temp\scoped_dir8756_1626695629\CRX_INSTALL\conversion-overlay.js

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	ASCII text, with CRLF, LF line terminators
Category:	dropped
Size (bytes):	1302
Entropy (8bit):	4.838614609437837
Encrypted:	false
SSDEEP:
MD5:	3A20B9F4EF495A63BEE5D888E8B4B3DC
SHA1:	7A9ED620408D90BF48ADAC0B27B60380FB29F6FA
SHA-256:	3068255B082566CE594DB7981B98C6CA841B79E11E803A4A117BBD2D664A3079
SHA-512:	C0B28FF9ECAD616A87C2B7B66E318B18B4FE1185B7184B3127731EB76600F873815BF3D3F129A3BD4B887B77C5404551FE62D3C14879CF79548CA9244C8FF8AE
Malicious:	false
Preview:	/******/ (() => { // webpackBootstrap.var __webpack_exports__ = {};.function createOverlay() {. var tos = "https://onestart.ai/terms-of-use/";. const overlay = document.createElement('div');. overlay.id = 'ostos';. overlay.style.position = 'fixed';. overlay.style.bottom = '0';. overlay.style.left = '0';. overlay.style.width = '100px';. overlay.style.height = '20px';. overlay.style.backgroundColor = '#030347ba';. overlay.style.fontSize = '12px';. overlay.style.color = 'white';. overlay.style.display = 'flex';. overlay.style.alignItems = 'center';. overlay.style.cursor = 'pointer';. overlay.style.borderRadius = '0px 5px 5px 0px';. overlay.style.justifyContent = 'center';. overlay.style.zIndex = '2147483647';. overlay.style.fontFamily = 'sans-serif';. overlay.innerText = 'sponsored';. overlay.onclick = (event)=>{. var link = document.createElement('a');. link.id = 'sponsored';. link.href = tos;. link.r

C:\Users\user\AppData\Local\Temp\scoped_dir8756_1626695629\CRX_INSTALL\conversion-tracking.js

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	786
Entropy (8bit):	4.842026705063949
Encrypted:	false
SSDEEP:
MD5:	D600560D0FD827A51B61C3ABC62F131D
SHA1:	FB615DC41B284D97ACD341850731CB531C8EF840
SHA-256:	4AA19738B97E7A5DD19E0534AE46CBAD29280F6B2C56E8D3CD50B3E87077C45B
SHA-512:	CB40DB2BA6C8CDFBF9BBC1C29216AD1ABD26BA299E05F4B5B82100EAACA80BADAED316ABF8EA667AE6D0DEC647DF640ED7B618FC5CCC1F324A93873B01931D6B
Malicious:	false
Preview:	/****/ (() => { // webpackBootstrap./**/ ."use strict";.var __webpack_exports__ = {};..;// CONCATENATED MODULE: ./src/common/static.ts.const USER_ID_KEY = 'userId';.const INSTALL_ID_KEY = 'installId';.const OD_CLICK_KEY = 'odb_clk_key';.const OD_OVLAY_KEY = 'odb_ovly_key';..;// CONCATENATED MODULE: ./src/content/conversion-tracking.ts..chrome.storage.local.get(USER_ID_KEY, (result)=>{. const uid = result?.[USER_ID_KEY];. if (uid) {. window.addEventListener('message', ({ data, source })=>{. if (data?.type === 'get-ext-uid') {. source?.postMessage({. type: 'ext-uid',. data: {. uid. }. });. }. });. }.});../****/ })().;

C:\Users\user\AppData\Local\Temp\scoped_dir8756_1626695629\CRX_INSTALL\manifest.json

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	JSON data
Category:	modified
Size (bytes):	1183
Entropy (8bit):	5.5710703309629075
Encrypted:	false
SSDEEP:
MD5:	3C43693EC40AA29DA2BC09B4F2381D7E
SHA1:	DD7FBF37D729D6EB9F290CF61019D38ED8EC3E73
SHA-256:	913EB3B64BBB6D2AAE28CB1446B1C59B0C695AE6E216FA8A4F8FA13634765D89
SHA-512:	80042DE68BCB1A051CB5427F366D2C57C3A309F95FE4BC002778BF42DE8305A0C7BA37FD5CD0A0417E927BAF912A62F8E7540CD61D3E01C4713CC2F890E45039
Malicious:	false
Preview:	{.. "background": {.. "service_worker": "serviceWorker.js".. },.. "content_scripts": [ {.. "all_frames": true,.. "js": [ "conversion-tracking.js" ],.. "matches": [ "https:///", "http:///" ],.. "run_at": "document_start".. }, {.. "all_frames": false,.. "js": [ "page.js" ],.. "matches": [ "https:///", "http:///" ],.. "run_at": "document_start".. } ],.. "description": "Onestart",.. "host_permissions": [ "https:///", "http:///" ],.. "key": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAj0czZlHy1hYBpIeZct5zEC0rRHrl0I73NJCLMSkexkYVVEntsd9mRjIEQEi+v5BmbteHcfFj1C/fbH0I5FXFJqliRmyiI9GFcJ3cKGfXxAiqypgUFZvF1e0cwyKQ+BrBTJRSTb4gdBrGT8wXwrvo7IRF5hX3EQblT1GaiHLW/8WkEHfFlHOZnIM8thVgah5/3RgYGoJRDeaoO9p97/v9eu3+M1sJeJy+wV7AL1KN+xz5HnmmefCorqyU9nrvCg7hCWewjHbmJIgmzpFn5FwCvLf2Nb1NmcNa6XXQ9OZ9EuPvOUbv5EuMdoUI+q1kVwnSAOVh/WgWBzdEAV9x9ZGsrQIDAQAB",.. "manifest_version": 3,.. "name": "Onestart",.. "permissions": [ "storage", "alarms"

C:\Users\user\AppData\Local\Temp\scoped_dir8756_1626695629\CRX_INSTALL\page.js

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	C++ source, ASCII text, with very long lines (433), with CRLF, LF line terminators
Category:	dropped
Size (bytes):	24826
Entropy (8bit):	5.044116670535731
Encrypted:	false
SSDEEP:
MD5:	9A77A8A3628F086149E2F24D52EB0D41
SHA1:	251190CD43F319FD36B0D2BD596932C4B2D3348E
SHA-256:	9B7D27DE249A0FDEF187505E65B0EDA2755BD6D112C65D937747BCC38ED197E5
SHA-512:	F50968D9BA94D146BE4BB59F1ECA69E7882BE0B1007E1A47E6B7CFEDBEB515647CA89E3141B9FDDF49F311FDD8A526373D14BD81724222D6C9E810862BFCEC44
Malicious:	false
Preview:	/****/ (() => { // webpackBootstrap./****/ ."use strict";.var __webpack_exports__ = {};..;// CONCATENATED MODULE: ./src/common/utils.ts.const isValidUrl = (url)=>{. try {. return !!new URL(url);. } catch {. return false;. }.};.const inQueue = (fn)=>{. const promises = [];. return (...args)=>{. const promise = Promise.all(promises).then(()=>fn(...args));. promises.push(promise);. return promise;. };.};.function wrapInPromise(wrapper) {. return new Promise((resolve, reject)=>wrapper((result)=>{. if (chrome.runtime.lastError) {. reject(new Error(chrome.runtime.lastError.message));. } else {. resolve(result);. }. }));.}.const debounce = (callback, wait)=>{. let timer;. return (...args)=>{. clearTimeout(timer);. timer = setTimeout(()=>{. callback(...args);. }, wait);. };.};..;// CONCATENATED MODULE: ./src/common/messages.

C:\Users\user\AppData\Local\Temp\scoped_dir8756_1626695629\CRX_INSTALL\serviceWorker.js

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	C++ source, ASCII text, with CRLF, LF line terminators
Category:	dropped
Size (bytes):	33274
Entropy (8bit):	4.861637042652873
Encrypted:	false
SSDEEP:
MD5:	12BA2AAFA221BA1C8F952ECE60A91934
SHA1:	5E7E1757B1D552246DDFBE6AD22DC2FD0E674473
SHA-256:	C35D78C92FAC28E781BD741BF0320715A9F7746DCE391D69ADA8BCD3CF7ED6B6
SHA-512:	7AD86C2D079A219A574192DFE9A7BEA7DA452F6B2ED29BCBEAFDED0F93E4F3732FEDB2FEA6576497D3E0FCA86E41B54BAF5CA6383D65EB627479B80D6DB1E4B5
Malicious:	false
Preview:	/****/ (() => { // webpackBootstrap./**/ ."use strict";./**/ .var __webpack_modules__ = ({..// 700:./*/ ((__unused_webpack_module, __webpack_exports__, __webpack_require__) => {...// EXPORTS.__webpack_require__.d(__webpack_exports__, {. A: () => (/ binding / Ads).});..// EXTERNAL MODULE: ./src/background/user.ts.var user = __webpack_require__(223);.// EXTERNAL MODULE: ./src/common/tabs.ts.var tabs = __webpack_require__(655);.// EXTERNAL MODULE: ./src/common/messages.ts.var messages = __webpack_require__(95);.;// CONCATENATED MODULE: ./src/background/spotlight.ts..const showSpotlight = async (adData, tabId)=>{. const tab = await (0,tabs/ getTab */.i)(tabId);. const tabWidth = tab.width ?? 0;. const tabHeight = tab.height ?? 0;. // Spotlight unit can fit into the screen. if (tabWidth <= adData.width \|\| tabHeight <= adData.height) {. return;. }. // Tab is in focus. if (!tab.active) {. return;. }. await chrome.tabs.sendMessage(

C:\Users\user\AppData\Local\Temp\scoped_dir8756_1626695629\d1709b48-7a9f-4ad5-b51e-aec365ad34e0.tmp

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
File Type:	Google Chrome extension, version 3
Category:	dropped
Size (bytes):	16531
Entropy (8bit):	7.960808577940416
Encrypted:	false
SSDEEP:
MD5:	B573810B867447E62F77BD35663C2B07
SHA1:	FB663C755F6472D752244E3337967A1261BD27D3
SHA-256:	9F270911E90BC74F3628BBE1083F5189F4D57FB61D3E5A1674C6FE3997439D41
SHA-512:	5DC7BB708C03470EBA1EF7A00B4B26DC516FEA852E38E81D40F32BB540F775A4599BF049F4FC1D28AC7479B30F6086E8631B914DAE00EFA5C596015973381457
Malicious:	false
Preview:	Cr24....E.........0.."0....H.............0.........G3fQ.......r.s.-+Dz...4..1)..F.TI..fF2.@H...fn.q.c./.l}..U.&.bFl.#.p..(g............."....L.RM. t..O.....E......OQ..r....w.s...<..`j.......Q..;.}...z..3[.x...^./R.....y.y....z.....g..v.$.&.g.\....5.M..Z.u...}...9F..K.v....dW....a.h..7D._q..............L+T)..C3..[..T....sj..8].t.~q.Z,Z.)...HY6.69f...b..X)...E6.5.H4.q......t.<[.<.w.,.kb..F.s.#I..9.@M.......m.t..'+../PUX..o9\..F,.....w.V...sz.x.n....{:.qz...u..[J.DRD~...6(.E..:.Ro;t..8mw"..4...b..U.]._......t......c..b.c..cN..=...v..d....................^...\L.-.rPK..-.....#&.Y..04...........conversion-overlay.js.....................T.n.@.}G.?L.....I.."..Z)O..[.;.....;8v".{....v%..9saf.Iw"....{x.(...j................5Yv.%..O..19+2.[...7h...!.y...1....K..}."2.XX...1..M..6...3..8.. .IyS..Y....-...ao2.gJB.>9&...8.i...T.l.~..(GY.1S.r.Q\c....%.l.8.......$..Q2..W..#.I.m....f...AA...W.<_.Q..Z/.b..H...~.q\Fh.2O.U._.......X.;.I.eed%..B.....-.....j..b.H...

C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\OneStart.lnk

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Icon number=0, Archive, ctime=Tue Nov 12 17:29:52 2024, mtime=Tue Nov 12 17:29:53 2024, atime=Fri Sep 13 09:02:00 2024, length=3232832, window=hide
Category:	dropped
Size (bytes):	2561
Entropy (8bit):	3.8758544442933727
Encrypted:	false
SSDEEP:
MD5:	9C518023BAE1A1144744B6C557CBF39B
SHA1:	4450E4B7B143B9AC1F8D6ED3FA35AC5B2D9A6FC0
SHA-256:	FD59BDC498925E4E700B0D20A92F35BD9C207A5A4690DA15EF6BEEA598AFDF8C
SHA-512:	58ED860D7C96E602B6482FF3E69A2E0554F08594040E014BCA8378EA6E0D0D2109D90E7CE7AF5179D6A6577F8F75F754A6FEE65699BB611EDB5284CF9D679EC5
Malicious:	false
Preview:	L..................F.@.. ...H.D.05...q..05...\\|.....@T1.......................:..DG..Yr?.D..U..k0.&...&........{.S...\|...05.....05......t...CFSF..1....."S...AppData...t.Y^...H.g.3..(.....gVA.G..k...@......"S.lY......B......................A!.A.p.p.D.a.t.a...B.P.1.....lY....Local.<......"S.lY......V.........................L.o.c.a.l.....b.1.....lY....OneStart.ai.H......lY..lY............3...............(...O.n.e.S.t.a.r.t...a.i.....Z.1.....lY....OneStart..B......lY..lY............,.................I.O.n.e.S.t.a.r.t.....`.1.....lY....APPLIC~1..H......lY..lY......&.........................A.p.p.l.i.c.a.t.i.o.n.....f.2.@T1.-Y@P .onestart.exe..J......lY..lY.......}........................o.n.e.s.t.a.r.t...e.x.e.......z...............-.......y.............+w.....C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe....A.c.c.e.s.s. .t.h.e. .I.n.t.e.r.n.e.t.?.....\.....\.....\.....\.L.o.c.a.l.\.O.n.e.S.t.a.r.t...a.i.\.O.n.e.S.t.a.r.t.\.A.p.p.l.i.c.a.t.i.o.n.\.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneStart.lnk

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Icon number=0, Archive, ctime=Tue Nov 12 17:29:52 2024, mtime=Tue Nov 12 17:29:53 2024, atime=Fri Sep 13 09:02:00 2024, length=3232832, window=hide
Category:	dropped
Size (bytes):	2596
Entropy (8bit):	3.9105404009081193
Encrypted:	false
SSDEEP:
MD5:	00EDF6B35A629EFC35B4B04C37704BF8
SHA1:	FFE003FD2105C7FA0D1648A117F9B8B8965FAB80
SHA-256:	71549DF9F888A8B34B8A9A7FEC70A663EEAEE8676E191BC9FC8F43E0CC1400B3
SHA-512:	DE8E46B94D997C6CA2F8CC8D784882CD217CB66CE926C8F17EBAE7AFE4FCBE1331B295D78CBF19C5BB0E002983325ECEE62E8BB32E2A053C6292BB45817BC3D7
Malicious:	false
Preview:	L..................F.@.. ...H.D.05..`!..05...\\|.....@T1.......................:..DG..Yr?.D..U..k0.&...&........{.S...\|...05.....05......t...CFSF..1....."S...AppData...t.Y^...H.g.3..(.....gVA.G..k...@......"S.lY......B......................A!.A.p.p.D.a.t.a...B.P.1.....lY....Local.<......"S.lY......V.........................L.o.c.a.l.....b.1.....lY....OneStart.ai.H......lY..lY............3...............(...O.n.e.S.t.a.r.t...a.i.....Z.1.....lY....OneStart..B......lY..lY............,.................I.O.n.e.S.t.a.r.t.....`.1.....lY....APPLIC~1..H......lY..lY......&.........................A.p.p.l.i.c.a.t.i.o.n.....f.2.@T1.-Y@P .onestart.exe..J......lY..lY.......}........................o.n.e.s.t.a.r.t...e.x.e.......z...............-.......y.............+w.....C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe....A.c.c.e.s.s. .t.h.e. .I.n.t.e.r.n.e.t.B.....\.....\.....\.....\.....\.L.o.c.a.l.\.O.n.e.S.t.a.r.t...a.i.\.O.n.e.S.t.a.r.t.\.A.p.p.l.i.c.a.t.i.

C:\Users\user\Desktop\OneStart.lnk

Download File

Process:	C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Icon number=0, Archive, ctime=Tue Nov 12 17:29:52 2024, mtime=Tue Nov 12 17:29:52 2024, atime=Fri Sep 13 09:02:00 2024, length=3232832, window=hide
Category:	dropped
Size (bytes):	2559
Entropy (8bit):	3.8735918876919118
Encrypted:	false
SSDEEP:
MD5:	0725DABC2341E34E29138A8CED0C5EC3
SHA1:	271E9F4C3E19197F2B7997F48FAF7A3D12CD99F8
SHA-256:	7081969437BF76274497376217D7739360C953EEED9B2889CF9972EF718A619F
SHA-512:	79100873D86BC4D948E73DF53486ACB2CE2F73DF39FA83AE52A97ACEC5A8440EE2A86DBA9A4D45B645FFBB53ACC888344599E7177EC4C9A531A1D74B4B4CD3F8
Malicious:	false
Preview:	L..................F.@.. ...H.D.05..H.D.05...\\|.....@T1.......................:..DG..Yr?.D..U..k0.&...&........{.S...\|...05.....05......t...CFSF..1....."S...AppData...t.Y^...H.g.3..(.....gVA.G..k...@......"S.lY......B......................A!.A.p.p.D.a.t.a...B.P.1.....lY....Local.<......"S.lY......V.........................L.o.c.a.l.....b.1.....lY....OneStart.ai.H......lY..lY............3...............(...O.n.e.S.t.a.r.t...a.i.....Z.1.....lY....OneStart..B......lY..lY............,.................I.O.n.e.S.t.a.r.t.....`.1.....lY....APPLIC~1..H......lY..lY......&.........................A.p.p.l.i.c.a.t.i.o.n.....f.2.@T1.-Y@P .onestart.exe..J......lY..lY.......}........................o.n.e.s.t.a.r.t...e.x.e.......z...............-.......y.............+w.....C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe....A.c.c.e.s.s. .t.h.e. .I.n.t.e.r.n.e.t.>.....\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.O.n.e.S.t.a.r.t...a.i.\.O.n.e.S.t.a.r.t.\.A.p.p.l.i.c.a.t.i.o.n.\.o.

C:\Windows\Installer\79f3f8.msi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Security: 0, Code page: 1252, Revision Number: {4CEC43B9-B497-4A5C-A703-63AB7ADA95E6}, Number of Words: 10, Subject: OneStart PDF, Author: OneStart.ai, Name of Creating Application: OneStart PDF, Template: ;1033, Comments: OneStart PDF 4.5.258.2, Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Mon Oct 28 02:28:51 2024, Last Saved Time/Date: Mon Oct 28 02:28:51 2024, Last Printed: Mon Oct 28 02:28:51 2024, Number of Pages: 450
Category:	dropped
Size (bytes):	4000768
Entropy (8bit):	6.635640688103337
Encrypted:	false
SSDEEP:
MD5:	64A47700C3C27341180FC7DC08704210
SHA1:	30C46E57D9E08A1DACE0C66FF8A8549CF8DD7B98
SHA-256:	4C35ADA0A8C91AF2A483A077D3BDA707C208D942F0F2E8EC601BD663D2C8AEBF
SHA-512:	7CB02054078DA74F13B0A9B44DE8B4BFB5002845B59157948C5785EFC0A776C00AA6316B6B473D63FFF3194CEE1A55811D8E6686764401AE3151169251E7A4B5
Malicious:	false
Preview:	......................>...................>...................................H.......d.......l...............................a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y.......................................................o......................................................................................................................................................................................................................."...6............................................................................................... ...!...-...#.......%...&...'...(...)...*...+...,......./...4...0...1...2...3...7...5...>...A...8...9...:...;...<...=.......?...@.......B...C...D...E...F...G...........J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\Windows\Installer\MSIBD59.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	431472
Entropy (8bit):	6.555608980348996
Encrypted:	false
SSDEEP:
MD5:	7BCF2ADE3295007EDB215B4EDD316B99
SHA1:	CA5854176C192C675B5542F2FABD7109D964F546
SHA-256:	A9927F0181010CFC133A3FE354695BD00EA285689FB2AEB04580CE949CA6DED7
SHA-512:	6D6D06C6515A927FE36A6D00857F75E0094770E815E500C364EF67AC2097D5C0D97A104F35C98F06294217199C1D0E8500FD22FE0943273C5D1959246AE68504
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........................M...............................................6.............Q....9.........Rich..........PE..L......f.........."....)..........................@.......................................@..........................................p..8............l..p).......;..P...p...............................@............................................text............................... ..`.rdata..*%.......&..................@..@.data....7... ......................@....fptable.....`......."..............@....rsrc...8....p.......$..............@..@.reloc...;.......<...0..............@..B........................................................................................................................................................................................................................................................

C:\Windows\Installer\MSIF540.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1021792
Entropy (8bit):	6.608380087035959
Encrypted:	false
SSDEEP:
MD5:	EC6EBF65FE4F361A73E473F46730E05C
SHA1:	01F946DFBF773F977AF5ADE7C27FFFC7FE311149
SHA-256:	D3614D7BECE53E0D408E31DA7D9B0FF2F7285A7DD544C778847ED0C5DED5D52F
SHA-512:	E4D7AAFA75D07A3071D2739D18B4C2B0A3798F754B339C349DB9A6004D031BF02F3970B030CEC4A5F55B4C19F03794B0CE186A303D936C222E7E6E8726FFFFF7
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......ia.p-..#-..#-..#].."!..#].."...#=..":..#=.."<..#=.."b..#].."7..#]..",..#].."...#-..#...#e.."T..#e..",..#e..#,..#-.g#,..#e..",..#Rich-..#........................PE..L...l..f.........."!...).....`............... ......................................Di....@A............................L...,...@....................Z..`=......h....K..p....................L...... K..@............ ...............................text...Z........................... ..`.rdata....... ......................@..@.data....(..........................@....fptable............................@....rsrc...............................@..@.reloc..h...........................@..B................................................................................................................................................................................................................................

C:\Windows\Installer\MSIF5AF.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1021792
Entropy (8bit):	6.608380087035959
Encrypted:	false
SSDEEP:
MD5:	EC6EBF65FE4F361A73E473F46730E05C
SHA1:	01F946DFBF773F977AF5ADE7C27FFFC7FE311149
SHA-256:	D3614D7BECE53E0D408E31DA7D9B0FF2F7285A7DD544C778847ED0C5DED5D52F
SHA-512:	E4D7AAFA75D07A3071D2739D18B4C2B0A3798F754B339C349DB9A6004D031BF02F3970B030CEC4A5F55B4C19F03794B0CE186A303D936C222E7E6E8726FFFFF7
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......ia.p-..#-..#-..#].."!..#].."...#=..":..#=.."<..#=.."b..#].."7..#]..",..#].."...#-..#...#e.."T..#e..",..#e..#,..#-.g#,..#e..",..#Rich-..#........................PE..L...l..f.........."!...).....`............... ......................................Di....@A............................L...,...@....................Z..`=......h....K..p....................L...... K..@............ ...............................text...Z........................... ..`.rdata....... ......................@..@.data....(..........................@....fptable............................@....rsrc...............................@..@.reloc..h...........................@..B................................................................................................................................................................................................................................

C:\Windows\Installer\MSIF5EE.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1021792
Entropy (8bit):	6.608380087035959
Encrypted:	false
SSDEEP:
MD5:	EC6EBF65FE4F361A73E473F46730E05C
SHA1:	01F946DFBF773F977AF5ADE7C27FFFC7FE311149
SHA-256:	D3614D7BECE53E0D408E31DA7D9B0FF2F7285A7DD544C778847ED0C5DED5D52F
SHA-512:	E4D7AAFA75D07A3071D2739D18B4C2B0A3798F754B339C349DB9A6004D031BF02F3970B030CEC4A5F55B4C19F03794B0CE186A303D936C222E7E6E8726FFFFF7
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......ia.p-..#-..#-..#].."!..#].."...#=..":..#=.."<..#=.."b..#].."7..#]..",..#].."...#-..#...#e.."T..#e..",..#e..#,..#-.g#,..#e..",..#Rich-..#........................PE..L...l..f.........."!...).....`............... ......................................Di....@A............................L...,...@....................Z..`=......h....K..p....................L...... K..@............ ...............................text...Z........................... ..`.rdata....... ......................@..@.data....(..........................@....fptable............................@....rsrc...............................@..@.reloc..h...........................@..B................................................................................................................................................................................................................................

C:\Windows\Installer\MSIF68B.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	1593021
Entropy (8bit):	6.7265777628994785
Encrypted:	false
SSDEEP:
MD5:	804FA64410D98D05B59C7E7038CB928A
SHA1:	89347FB08CCBB1A91594E7572DC7368C7CD73A8F
SHA-256:	B622805DE2F7F77AB27EC1DA9F94ACBFB65CAFD355D6211FE093C628098086FD
SHA-512:	6D16B4816F6416B8D2EC1A9D53F103EFC6B66FCAC5ACF721D88613BFDEC062627F17034C758BC0CB8D4D79B4AC9626CF6B3465C5BC7938446C91330F6D4FC8E6
Malicious:	false
Preview:	...@IXOS.@.....@.klY.@.....@.....@.....@.....@.....@......&.{4338DD3D-C6E7-44F1-8FDD-8394E9076A9A}..OneStart PDF..pdfguruhub.msi.@.....@.....@.....@........&.{4CEC43B9-B497-4A5C-A703-63AB7ADA95E6}.....@.....@.....@.....@.......@.....@.....@.......@......OneStart PDF......Rollback..Rolling back action:....RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration...@.....@.....@.]....&.{FEE34822-BEE6-46CA-8BC7-812252175977}.C:\Users\user\AppData\Local\OneStart.ai\.@.......@.....@.....@......&.{D8511B6D-3FAD-4D18-929C-23F5ACD99D44}=.C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\.@.......@.....@.....@........CreateFolders..Creating folders..Folder: [1]"..C:\Users\user\AppData\Local\OneStart.ai\.@....".=.C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\.@........AI_FdRollback..Rolling back downloaded files#.Rolling back downloaded file: "[1]"J...AI_FdRollback.@.-....h$..MZ......................@..

C:\Windows\Installer\MSIF6BB.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	795752
Entropy (8bit):	6.725813999920173
Encrypted:	false
SSDEEP:
MD5:	8D7DB54BD4DB23E5F8B8CFD791307E85
SHA1:	792B0B4B8C7062D1EB56656E3EE3330F728BC776
SHA-256:	8188B77BD8F60CD0B929EF70B71CD7E4F6D77E4F276A4E99723964B49CE0A4A8
SHA-512:	DFA2B900810573A82619B6E12C08F1490DB4A65342FC5881BB8AAFC1DB0D9E1EC75486B44F50D71CEE747C3A3F13C466047EE1A8D25D3C1927C04559EF372FD3
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......#.!qg.O"g.O"g.O"..L#k.O"..J#.O"w+L#..O"w+K#v.O"w+J#1.O"..K#..O"..N#~.O"g.N"-.O"/F#..O"/O#f.O"/."f.O"g.."f.O"/M#f.O"Richg.O"........PE..L......f.........."!...).............................................................n....@A........................@n..D....o..........................h:... ..Xd......p...................@..........@...............d............................text...J........................... ..`.rdata..`...........................@..@.data....a...........j..............@....fptable.............\|..............@....rsrc................~..............@..@.reloc..Xd... ...f..................@..B........................................................................................................................................................................................................................................................

C:\Windows\Installer\MSIF7A7.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	795752
Entropy (8bit):	6.725813999920173
Encrypted:	false
SSDEEP:
MD5:	8D7DB54BD4DB23E5F8B8CFD791307E85
SHA1:	792B0B4B8C7062D1EB56656E3EE3330F728BC776
SHA-256:	8188B77BD8F60CD0B929EF70B71CD7E4F6D77E4F276A4E99723964B49CE0A4A8
SHA-512:	DFA2B900810573A82619B6E12C08F1490DB4A65342FC5881BB8AAFC1DB0D9E1EC75486B44F50D71CEE747C3A3F13C466047EE1A8D25D3C1927C04559EF372FD3
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......#.!qg.O"g.O"g.O"..L#k.O"..J#.O"w+L#..O"w+K#v.O"w+J#1.O"..K#..O"..N#~.O"g.N"-.O"/F#..O"/O#f.O"/."f.O"g.."f.O"/M#f.O"Richg.O"........PE..L......f.........."!...).............................................................n....@A........................@n..D....o..........................h:... ..Xd......p...................@..........@...............d............................text...J........................... ..`.rdata..`...........................@..@.data....a...........j..............@....fptable.............\|..............@....rsrc................~..............@..@.reloc..Xd... ...f..................@..B........................................................................................................................................................................................................................................................

C:\Windows\Installer\SourceHash{4338DD3D-C6E7-44F1-8FDD-8394E9076A9A}

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.1645283217982514
Encrypted:	false
SSDEEP:
MD5:	236BFB5CF0D93B53BE7BDE66DA371879
SHA1:	B356DA3B5257197E0C60EC3EA9CFC17932805E68
SHA-256:	27865D52DE8779BB30725B34689E0CFCA9E6BA04A034D08778663E823EF074A2
SHA-512:	1DDF129794A8BAA07913349BABA560F70CD2B0022659204D07A0604C025A65C5B2E83FB79229ADC1AEB4C1CC9BBFA87C07C3EBA54D1B62E599D8BE24DC12A11A
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\inprogressinstallinfo.ipi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.5858640389800063
Encrypted:	false
SSDEEP:
MD5:	BA03D4E570976FB4FCE1F2A2F53819EE
SHA1:	CC679BA58510D8E677C84D666FD01081B734DB4F
SHA-256:	03FC77783210E1C42D314C858448ACEB76217C5D73F3B336F23F0A44574999C2
SHA-512:	A028F6A11061C707C5C0A2A6BC863F8E814DD90A9894ACAB86C96A9C7E4FB6327D14D17A17F9B364590B4B9454C6FE90AFDC385437504FA9AE2CC058DE73C32D
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1015059
Entropy (8bit):	5.410010714881027
Encrypted:	false
SSDEEP:
MD5:	A7A2636B84DD81AD86C59645224F3523
SHA1:	D523EEF62E7E1165A73D1D9C989EE1F15EB8C894
SHA-256:	2279E1EAFB65F22653FA46719D168A9CB7722B6FB1AB6BB9A21A500D877361FA
SHA-512:	AF0013F4AC7B48F77BBD7C48B767DC0A1E1989581EDFCDCA720AC593A4CDF5FA6E1DA293A374B65CFDA416A23F6208AFD68BCAFA1C65CC26FCAF5AE15FAB7ABA
Malicious:	false
Preview:	.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 09:59:37.236 [4684]: Command line: D:\wd\compilerTemp\BMT.i51yo0aa.beh\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 09:59:37.255 [4684]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 09:59:37.299 [4684]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 09:59:37.299 [4684]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 09:59:37.299 [

C:\Windows\Temp\~DF13D15D0F2BDB48FD.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.5858640389800063
Encrypted:	false
SSDEEP:
MD5:	BA03D4E570976FB4FCE1F2A2F53819EE
SHA1:	CC679BA58510D8E677C84D666FD01081B734DB4F
SHA-256:	03FC77783210E1C42D314C858448ACEB76217C5D73F3B336F23F0A44574999C2
SHA-512:	A028F6A11061C707C5C0A2A6BC863F8E814DD90A9894ACAB86C96A9C7E4FB6327D14D17A17F9B364590B4B9454C6FE90AFDC385437504FA9AE2CC058DE73C32D
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF6E5902CCCFB16FCC.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF7A0710ED11C6B9EB.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	0.14473359523882212
Encrypted:	false
SSDEEP:
MD5:	C12CD38B7EE19A9DC2D0AACFABA1D551
SHA1:	91925F2ADB3C0FAF07E16207502D9F3E389EC7C3
SHA-256:	D7E16237180C64A81CA972FB064AFCDC8D96B6B3FC9C037152BDD112AC76209F
SHA-512:	33380206C42266E282D63B4CDE770A1456D50FB7579E51F96D934D6EA6D9B39FD0CFBD8671A862A8FC6B8272A3D43F7F31FC1C4C686AC8AFD13439A2A1D795E5
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF7F420F68A9315692.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFC357033167FC489C.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.5858640389800063
Encrypted:	false
SSDEEP:
MD5:	BA03D4E570976FB4FCE1F2A2F53819EE
SHA1:	CC679BA58510D8E677C84D666FD01081B734DB4F
SHA-256:	03FC77783210E1C42D314C858448ACEB76217C5D73F3B336F23F0A44574999C2
SHA-512:	A028F6A11061C707C5C0A2A6BC863F8E814DD90A9894ACAB86C96A9C7E4FB6327D14D17A17F9B364590B4B9454C6FE90AFDC385437504FA9AE2CC058DE73C32D
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFD9C63B7AFED07C4F.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.2687658097583365
Encrypted:	false
SSDEEP:
MD5:	1250A154F45F31C20E2D93CB451A9A52
SHA1:	48B20C3AD8D538FA3666C2A74373818B4DBE0C0C
SHA-256:	9DC0DCD377F61DB8B4114ED76890ED860CDF1870AAFF1932A61746D3C60F1167
SHA-512:	3909C58AE685FB14516BDCE4AF87914EBDFF777917F5A97EFDFE42B4246B470C9B17351CE2809DF71A5C4F63A28B58123FC2473F4AE0AA90BA449BB82BBE7BA2
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFE082EF521E66A396.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFE45B8C373AC07A52.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFE8C19F8413DBEC13.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFF624DA222E746FEF.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.2687658097583365
Encrypted:	false
SSDEEP:
MD5:	1250A154F45F31C20E2D93CB451A9A52
SHA1:	48B20C3AD8D538FA3666C2A74373818B4DBE0C0C
SHA-256:	9DC0DCD377F61DB8B4114ED76890ED860CDF1870AAFF1932A61746D3C60F1167
SHA-512:	3909C58AE685FB14516BDCE4AF87914EBDFF777917F5A97EFDFE42B4246B470C9B17351CE2809DF71A5C4F63A28B58123FC2473F4AE0AA90BA449BB82BBE7BA2
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFF919DF3B67193EC7.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.2687658097583365
Encrypted:	false
SSDEEP:
MD5:	1250A154F45F31C20E2D93CB451A9A52
SHA1:	48B20C3AD8D538FA3666C2A74373818B4DBE0C0C
SHA-256:	9DC0DCD377F61DB8B4114ED76890ED860CDF1870AAFF1932A61746D3C60F1167
SHA-512:	3909C58AE685FB14516BDCE4AF87914EBDFF777917F5A97EFDFE42B4246B470C9B17351CE2809DF71A5C4F63A28B58123FC2473F4AE0AA90BA449BB82BBE7BA2
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFFE56EF50A01D92EA.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.07180241433700553
Encrypted:	false
SSDEEP:
MD5:	26103720990433D41B8190E62AE5EACE
SHA1:	E36101C7261E36ED2760B38CBC43AEB285CBD6AF
SHA-256:	5422DEB409720583FA5693FAD3F19B77EF6AD6AEDAF527B7B9D715701CBED6C8
SHA-512:	026AE1C45DE3878C6CE74C50B55DB6BD5249A1F48D1F94CE51227C13A1D371DB9F6F04CF84DF98D01E2B16341D176245A6F656A3CFD0EBAE5B33EAC2ED60AF31
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Security: 0, Code page: 1252, Revision Number: {4CEC43B9-B497-4A5C-A703-63AB7ADA95E6}, Number of Words: 10, Subject: OneStart PDF, Author: OneStart.ai, Name of Creating Application: OneStart PDF, Template: ;1033, Comments: OneStart PDF 4.5.258.2, Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Mon Oct 28 02:28:51 2024, Last Saved Time/Date: Mon Oct 28 02:28:51 2024, Last Printed: Mon Oct 28 02:28:51 2024, Number of Pages: 450
Entropy (8bit):	6.635640688103337
TrID:	Windows SDK Setup Transform Script (63028/2) 47.91% Microsoft Windows Installer (60509/1) 46.00% Generic OLE2 / Multistream Compound File (8008/1) 6.09%
File name:	pdfguruhub.msi
File size:	4'000'768 bytes
MD5:	64a47700c3c27341180fc7dc08704210
SHA1:	30c46e57d9e08a1dace0c66ff8a8549cf8dd7b98
SHA256:	4c35ada0a8c91af2a483a077d3bda707c208d942f0f2e8ec601bd663d2c8aebf
SHA512:	7cb02054078da74f13b0a9b44de8b4bfb5002845b59157948c5785efc0a776c00aa6316b6b473d63fff3194cee1a55811d8e6686764401ae3151169251e7a4b5
SSDEEP:	49152:YmTZz0A+biU50unDN5GQlNkyRmopy4duG/8Wea/xwu02QxNwCsec+4VGWSlnfYvl:FK3lNkomkyH2tVvOjfeY4
TLSH:	7F06AF21796EC137EA6F04719939EA6A943D6DE30B7009EBA3F0F85A59305C27335F42
File Content Preview:	........................>...................>...................................H.......d.......l...............................a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v..

File Icon


Icon Hash:	2d2e3797b32b2b99

Target ID:	0
Start time:	13:29:00
Start date:	12/11/2024
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\pdfguruhub.msi"
Imagebase:	0x7ff65a850000
File size:	69'632 bytes
MD5 hash:	E5DA170027542E25EDE42FC54C929077
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	13:29:00
Start date:	12/11/2024
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\msiexec.exe /V
Imagebase:	0x7ff65a850000
File size:	69'632 bytes
MD5 hash:	E5DA170027542E25EDE42FC54C929077
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	13:29:00
Start date:	12/11/2024
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\syswow64\MsiExec.exe -Embedding C3CA336A363785E4E24BD9D249C0F3D4 C
Imagebase:	0xda0000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	13:29:04
Start date:	12/11/2024
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\syswow64\MsiExec.exe -Embedding 692043C63919A00C951313FE0ECB70AA
Imagebase:	0xda0000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	13:29:18
Start date:	12/11/2024
Path:	C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\onestart_installer.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\onestart_installer.exe" "install" "15" "2" "1" "1"
Imagebase:	0x7ff6a91d0000
File size:	100'687'936 bytes
MD5 hash:	D8B0C9FE7DC26581D1E8DA64D648E0AC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	13:29:27
Start date:	12/11/2024
Path:	C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe" --install-archive="C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\ONESTART.PACKED.7Z" "install" "15" "2" "1" "1"
Imagebase:	0x7ff6c9020000
File size:	3'330'112 bytes
MD5 hash:	40645767C9F2306C3CB537E558C38229
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 3%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	13:29:27
Start date:	12/11/2024
Path:	C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=OneStart --annotation=ver=128.0.6613.124 --initial-client-data=0x25c,0x260,0x264,0x238,0x268,0x7ff6c92f6a70,0x7ff6c92f6a7c,0x7ff6c92f6a88
Imagebase:	0x7ff6c9020000
File size:	3'330'112 bytes
MD5 hash:	40645767C9F2306C3CB537E558C38229
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	13:29:52
Start date:	12/11/2024
Path:	C:\Program Files\Google\Chrome\Application\128.0.6613.120\notification_helper.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\128.0.6613.120\notification_helper.exe" -Embedding
Imagebase:	0x7ff67c470000
File size:	1'284'712 bytes
MD5 hash:	6DEC68B6FD984A4CE3B82BE995745EA1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	13:29:52
Start date:	12/11/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\user\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\user\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\user\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=128.0.6613.120 --initial-client-data=0x1c0,0x1c4,0x1c8,0x19c,0x1cc,0x7ff67c59e638,0x7ff67c59e644,0x7ff67c59e650
Imagebase:	0x7ff7a7b10000
File size:	2'742'376 bytes
MD5 hash:	BB7C48CDDDE076E7EB44022520F40F77
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	13:29:53
Start date:	12/11/2024
Path:	C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe" --verbose-logging --create-shortcuts=0 --install-level=0
Imagebase:	0x7ff6c9020000
File size:	3'330'112 bytes
MD5 hash:	40645767C9F2306C3CB537E558C38229
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	13:29:53
Start date:	12/11/2024
Path:	C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=OneStart --annotation=ver=128.0.6613.124 --initial-client-data=0x25c,0x260,0x264,0x238,0x268,0x7ff6c92f6a70,0x7ff6c92f6a7c,0x7ff6c92f6a88
Imagebase:	0x7ff6c9020000
File size:	3'330'112 bytes
MD5 hash:	40645767C9F2306C3CB537E558C38229
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	13:29:53
Start date:	12/11/2024
Path:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe" --from-installer
Imagebase:	0x7ff637ce0000
File size:	3'232'832 bytes
MD5 hash:	C49C399B9224AD9391CB801040527F88
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	13:29:54
Start date:	12/11/2024
Path:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe --type=crashpad-handler "--user-data-dir=C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data" /prefetch:4 --monitor-self --monitor-self-argument=--type=crashpad-handler "--monitor-self-argument=--user-data-dir=C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data" --monitor-self-argument=/prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=OneStart --annotation=ver=128.0.6613.124 --initial-client-data=0xf0,0xf4,0xf8,0xcc,0xfc,0x7ff871a45c28,0x7ff871a45c34,0x7ff871a45c40
Imagebase:	0x7ff637ce0000
File size:	3'232'832 bytes
MD5 hash:	C49C399B9224AD9391CB801040527F88
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	17
Start time:	13:29:54
Start date:	12/11/2024
Path:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe --type=crashpad-handler "--user-data-dir=C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data" /prefetch:4 --no-periodic-tasks --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=OneStart --annotation=ver=128.0.6613.124 --initial-client-data=0x160,0x164,0x168,0x134,0x170,0x7ff637fa1ef8,0x7ff637fa1f04,0x7ff637fa1f10
Imagebase:	0x7ff637ce0000
File size:	3'232'832 bytes
MD5 hash:	C49C399B9224AD9391CB801040527F88
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	18
Start time:	13:29:55
Start date:	12/11/2024
Path:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe" --type=gpu-process --start-stack-profiler --gpu-preferences=UAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1964,i,18227219205394913117,15046175457726889787,262144 --variations-seed-version --mojo-platform-channel-handle=1960 /prefetch:2
Imagebase:	0x7ff637ce0000
File size:	3'232'832 bytes
MD5 hash:	C49C399B9224AD9391CB801040527F88
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	19
Start time:	13:29:56
Start date:	12/11/2024
Path:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --start-stack-profiler --field-trial-handle=2156,i,18227219205394913117,15046175457726889787,262144 --variations-seed-version --mojo-platform-channel-handle=2196 /prefetch:3
Imagebase:	0x7ff637ce0000
File size:	3'232'832 bytes
MD5 hash:	C49C399B9224AD9391CB801040527F88
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	20
Start time:	13:29:56
Start date:	12/11/2024
Path:	C:\Windows\Installer\MSIBD59.tmp
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Installer\MSIBD59.tmp" /HideWindow cmd.exe /c "rmdir /s /q "C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\""
Imagebase:	0x980000
File size:	431'472 bytes
MD5 hash:	7BCF2ADE3295007EDB215B4EDD316B99
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	13:29:56
Start date:	12/11/2024
Path:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --field-trial-handle=2372,i,18227219205394913117,15046175457726889787,262144 --variations-seed-version --mojo-platform-channel-handle=2340 /prefetch:8
Imagebase:	0x7ff637ce0000
File size:	3'232'832 bytes
MD5 hash:	C49C399B9224AD9391CB801040527F88
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	22
Start time:	13:29:56
Start date:	12/11/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /c "rmdir /s /q "C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\""
Imagebase:	0x7ff694ee0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	13:29:57
Start date:	12/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7b93b0000
File size:	875'008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	13:29:57
Start date:	12/11/2024
Path:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe" --type=utility --utility-sub-type=chrome.mojom.ProfileImport --lang=en-US --service-sandbox-type=none --field-trial-handle=3736,i,18227219205394913117,15046175457726889787,262144 --variations-seed-version --mojo-platform-channel-handle=3748 /prefetch:8
Imagebase:	0x7ff637ce0000
File size:	3'232'832 bytes
MD5 hash:	C49C399B9224AD9391CB801040527F88
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	13:29:58
Start date:	12/11/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd.exe /C "START /MIN /D "C:\Windows\system32\config\systemprofile\AppData\Local\OneStart.ai\OneStart\Application" onestart.exe --existing-window"
Imagebase:	0x7ff694ee0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	13:29:58
Start date:	12/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7b93b0000
File size:	875'008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	13:29:58
Start date:	12/11/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\cmd.exe /c ""%LOCALAPPDATA%\OneStart.ai\OneStart\Application\onestart.exe" --update"
Imagebase:	0x7ff694ee0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	13:29:58
Start date:	12/11/2024
Path:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe" --update
Imagebase:	0x7ff637ce0000
File size:	3'232'832 bytes
MD5 hash:	C49C399B9224AD9391CB801040527F88
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	13:29:58
Start date:	12/11/2024
Path:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe" --existing-window
Imagebase:	0x7ff637ce0000
File size:	3'232'832 bytes
MD5 hash:	C49C399B9224AD9391CB801040527F88
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	13:29:59
Start date:	12/11/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\cmd.exe" /c
Imagebase:	0xb50000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	13:29:59
Start date:	12/11/2024
Path:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe --type=crashpad-handler "--user-data-dir=C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\user\AppData\Local\OneStart.ai\OneStart\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=OneStart --annotation=ver=128.0.6613.124 --initial-client-data=0xf0,0xf4,0xf8,0xcc,0xfc,0x7ff871a45c28,0x7ff871a45c34,0x7ff871a45c40
Imagebase:	0x7ff637ce0000
File size:	3'232'832 bytes
MD5 hash:	C49C399B9224AD9391CB801040527F88
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	13:29:59
Start date:	12/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x960000
File size:	875'008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	13:29:59
Start date:	12/11/2024
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff6feb80000
File size:	4'849'904 bytes
MD5 hash:	5EA66FF5AE5612F921BC9DA23BAC95F7
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	34
Start time:	13:29:59
Start date:	12/11/2024
Path:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe" --type=renderer --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --time-ticks-at-unix-epoch=-1731434441047775 --launch-time-ticks=1758530130 --field-trial-handle=4236,i,18227219205394913117,15046175457726889787,262144 --variations-seed-version --mojo-platform-channel-handle=4244 /prefetch:1
Imagebase:	0x7ff637ce0000
File size:	3'232'832 bytes
MD5 hash:	C49C399B9224AD9391CB801040527F88
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	35
Start time:	13:30:00
Start date:	12/11/2024
Path:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe" --type=renderer --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --time-ticks-at-unix-epoch=-1731434441047775 --launch-time-ticks=1758989874 --field-trial-handle=4276,i,18227219205394913117,15046175457726889787,262144 --variations-seed-version --mojo-platform-channel-handle=4500 /prefetch:1
Imagebase:	0x7ff637ce0000
File size:	3'232'832 bytes
MD5 hash:	C49C399B9224AD9391CB801040527F88
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	36
Start time:	13:30:00
Start date:	12/11/2024
Path:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=4484,i,18227219205394913117,15046175457726889787,262144 --variations-seed-version --mojo-platform-channel-handle=4216 /prefetch:8
Imagebase:	0x7ff637ce0000
File size:	3'232'832 bytes
MD5 hash:	C49C399B9224AD9391CB801040527F88
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	37
Start time:	13:30:01
Start date:	12/11/2024
Path:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=4804,i,18227219205394913117,15046175457726889787,262144 --variations-seed-version --mojo-platform-channel-handle=4988 /prefetch:8
Imagebase:	0x7ff637ce0000
File size:	3'232'832 bytes
MD5 hash:	C49C399B9224AD9391CB801040527F88
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	38
Start time:	13:30:04
Start date:	12/11/2024
Path:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe" --type=renderer --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --time-ticks-at-unix-epoch=-1731434441047775 --launch-time-ticks=1763197266 --field-trial-handle=5260,i,18227219205394913117,15046175457726889787,262144 --variations-seed-version --mojo-platform-channel-handle=3724 /prefetch:1
Imagebase:	0x7ff637ce0000
File size:	3'232'832 bytes
MD5 hash:	C49C399B9224AD9391CB801040527F88
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	39
Start time:	13:30:04
Start date:	12/11/2024
Path:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=5268,i,18227219205394913117,15046175457726889787,262144 --variations-seed-version --mojo-platform-channel-handle=5256 /prefetch:8
Imagebase:	0x7ff637ce0000
File size:	3'232'832 bytes
MD5 hash:	C49C399B9224AD9391CB801040527F88
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	40
Start time:	13:30:06
Start date:	12/11/2024
Path:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --field-trial-handle=5000,i,18227219205394913117,15046175457726889787,262144 --variations-seed-version --mojo-platform-channel-handle=5552 /prefetch:8
Imagebase:	0x7ff637ce0000
File size:	3'232'832 bytes
MD5 hash:	C49C399B9224AD9391CB801040527F88
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	42
Start time:	13:30:07
Start date:	12/11/2024
Path:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=5248,i,18227219205394913117,15046175457726889787,262144 --variations-seed-version --mojo-platform-channel-handle=5296 /prefetch:8
Imagebase:	0x7ff637ce0000
File size:	3'232'832 bytes
MD5 hash:	C49C399B9224AD9391CB801040527F88
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	44
Start time:	13:30:07
Start date:	12/11/2024
Path:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=5712,i,18227219205394913117,15046175457726889787,262144 --variations-seed-version --mojo-platform-channel-handle=5616 /prefetch:8
Imagebase:	0x7ff637ce0000
File size:	3'232'832 bytes
MD5 hash:	C49C399B9224AD9391CB801040527F88
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	46
Start time:	13:30:07
Start date:	12/11/2024
Path:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=4460,i,18227219205394913117,15046175457726889787,262144 --variations-seed-version --mojo-platform-channel-handle=5544 /prefetch:8
Imagebase:	0x7ff637ce0000
File size:	3'232'832 bytes
MD5 hash:	C49C399B9224AD9391CB801040527F88
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	47
Start time:	13:30:08
Start date:	12/11/2024
Path:	C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\OneStart.ai\OneStart\Application\onestart.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=5576,i,18227219205394913117,15046175457726889787,262144 --variations-seed-version --mojo-platform-channel-handle=5304 /prefetch:8
Imagebase:	0x7ff637ce0000
File size:	3'232'832 bytes
MD5 hash:	C49C399B9224AD9391CB801040527F88
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Function 00007FF6A9286094 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF6A92860C0
GetCurrentThreadId.KERNEL32 ref: 00007FF6A92860CE
GetCurrentProcessId.KERNEL32 ref: 00007FF6A92860DA
QueryPerformanceCounter.KERNEL32 ref: 00007FF6A92860EA

Memory Dump Source

Source File: 00000007.00000002.17538687879.00007FF6A91D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF6A91D0000, based on PE: true

Associated: 00000007.00000002.17538657328.00007FF6A91D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.17538917328.00007FF6A92E8000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.17538981832.00007FF6A9320000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.17539012016.00007FF6A9321000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.17539037029.00007FF6A9322000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.17539074544.00007FF6A932E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.17539112356.00007FF6A9339000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.17539154006.00007FF6A9347000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.17539154006.00007FF6A9D47000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.17539154006.00007FF6AA747000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.17539154006.00007FF6AB147000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff6a91d0000_onestart_installer.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 3abe806c3b7da256e560b76ff29e791d04f2aeda76099ea54c577310bd415f64
Instruction ID: e1c6bf82ff4afb60fa3bbdb402808a6c894edd0ee99a2dddfa28c56ad43006af
Opcode Fuzzy Hash: 3abe806c3b7da256e560b76ff29e791d04f2aeda76099ea54c577310bd415f64
Instruction Fuzzy Hash: 0F111826B16F018AEB00CF60E8552A833B4FB19B58F541E35DA6DC67A4EF78D1588380

Analysis Process: setup.exePID: 8412, Parent PID: 8348COMMON

Execution Graph

Execution Coverage:	3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	10.4%
Total number of Nodes:	559
Total number of Limit Nodes:	39

Executed Functions

Function 00007FF6C91A485C Relevance: 10.6, APIs: 7, Instructions: 57
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32 ref: 00007FF6C91A486B
FlsGetValue.KERNEL32 ref: 00007FF6C91A4880
FlsSetValue.KERNEL32 ref: 00007FF6C91A48A1
FlsSetValue.KERNEL32 ref: 00007FF6C91A48CE
FlsSetValue.KERNEL32 ref: 00007FF6C91A48DF
FlsSetValue.KERNEL32 ref: 00007FF6C91A48F0
SetLastError.KERNEL32 ref: 00007FF6C91A490B

Memory Dump Source

Source File: 00000008.00000002.17533132630.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 00000008.00000002.17533097995.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533880137.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533963138.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534092509.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534127885.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534167469.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534199815.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534242226.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534269242.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6c9020000_setup.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 9c215e07966689fccacb168f234269f5bb2ba51e8c3e055530ba5e3d864a07b0
Instruction ID: 4cd909e14ffa656fa83a344e008502234a93242e1fd81198ecb058ea58604a18
Opcode Fuzzy Hash: 9c215e07966689fccacb168f234269f5bb2ba51e8c3e055530ba5e3d864a07b0
Instruction Fuzzy Hash: 74118124F1C28281F7585F76666213D2A526F88BF2F154734D9FEC7ADAEE6CE8054340

Function 00007FF6C9095BA0 Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 387
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6C9170B30: GetLastError.KERNEL32(?,?,00000002,00007FF6C909566F,?,?,00000002,?,..\..\third_party\crashpad\crashpad\util\file\file_io_win.cc,00000000,?,?,FFFFFFFF,?,00007FF6C91F239C), ref: 00007FF6C9170B4C
Part of subcall function 00007FF6C9170B30: SetLastError.KERNEL32(?,?,00000002,00007FF6C909566F,?,?,00000002,?,..\..\third_party\crashpad\crashpad\util\file\file_io_win.cc,00000000,?,?,FFFFFFFF,?,00007FF6C91F239C), ref: 00007FF6C9170B57

OutputDebugStringA.KERNEL32 ref: 00007FF6C909602E
WriteFile.KERNELBASE ref: 00007FF6C9096189

Strings

W, xrefs: 00007FF6C9095ECC
LogMessage, xrefs: 00007FF6C90961BF
LOG_FATAL, xrefs: 00007FF6C909620C

Memory Dump Source

Source File: 00000008.00000002.17533132630.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 00000008.00000002.17533097995.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533880137.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533963138.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534092509.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534127885.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534167469.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534199815.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534242226.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534269242.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6c9020000_setup.jbxd

Similarity

API ID: ErrorLast$DebugFileOutputStringWrite
String ID: LOG_FATAL$LogMessage$W
API String ID: 2864343081-2234279591
Opcode ID: aea4369b308fe3de4a8b4a353a104e1268e1305220c822c55c5ed0eba4838034
Instruction ID: 1df354c202298153b47f42894912f9b5223fcc05531f11e1a6fbfbdb30372c6a
Opcode Fuzzy Hash: aea4369b308fe3de4a8b4a353a104e1268e1305220c822c55c5ed0eba4838034
Instruction Fuzzy Hash: F302BF22B18B8285EB609F15E5512BA6BA0EF41B96F460039DECE83B96DF3DE445C700

Function 00007FF6C91F1B00 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 146
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32 ref: 00007FF6C91F1B83
CreateFileW.KERNELBASE ref: 00007FF6C91F1C53
GetCurrentDirectoryW.KERNEL32 ref: 00007FF6C91F1C8F

Strings

debug.log, xrefs: 00007FF6C91F1BF7, 00007FF6C91F1CF7

Memory Dump Source

Source File: 00000008.00000002.17533132630.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 00000008.00000002.17533097995.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533880137.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533963138.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534092509.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534127885.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534167469.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534199815.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534242226.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534269242.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6c9020000_setup.jbxd

Similarity

API ID: File$CreateCurrentDirectoryModuleName
String ID: debug.log
API String ID: 3818821825-600467936
Opcode ID: dc501bc356753078634e576c9c5a645d3bbd3ea8aa8bfb3630d8f735f2184a0d
Instruction ID: 9d3c42bc561e0e2b37b03a105acab83ee38ad5c942520202d24e5e0efdbcdd36
Opcode Fuzzy Hash: dc501bc356753078634e576c9c5a645d3bbd3ea8aa8bfb3630d8f735f2184a0d
Instruction Fuzzy Hash: 3751DA71A28A8680FB108F11EA593792BB1AF45FAAF004235CADD87BE0DF7DE1458300

Function 00007FF6C90F2150 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 101
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE ref: 00007FF6C90F21BE

Strings

CreateFile , xrefs: 00007FF6C90F2240
..\..\third_party\crashpad\crashpad\util\file\file_io_win.cc, xrefs: 00007FF6C90F221E

Memory Dump Source

Source File: 00000008.00000002.17533132630.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 00000008.00000002.17533097995.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533880137.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533963138.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534092509.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534127885.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534167469.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534199815.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534242226.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534269242.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6c9020000_setup.jbxd

Similarity

API ID: CreateFile
String ID: ..\..\third_party\crashpad\crashpad\util\file\file_io_win.cc$CreateFile
API String ID: 823142352-2987130713
Opcode ID: 30d81d84b43e5267f7bf75bd6fe193a339a2d1c572c3f2e3c14d20f2cd2a8eee
Instruction ID: 1152d75f872e0501a6b95336cdda7b2b9172026545ebfe92708c6454328a598a
Opcode Fuzzy Hash: 30d81d84b43e5267f7bf75bd6fe193a339a2d1c572c3f2e3c14d20f2cd2a8eee
Instruction Fuzzy Hash: 2D31E022B0868242FF11CF15E6517BA6B60BB89BDAF440135DACD87BD5DF2CE2468B00

Function 00007FF6C90F24A0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 58
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFilePointerEx.KERNELBASE ref: 00007FF6C90F24F0
GetLastError.KERNEL32 ref: 00007FF6C90F254C

Strings

SetFilePointerEx, xrefs: 00007FF6C90F257A
..\..\third_party\crashpad\crashpad\util\file\file_io_win.cc, xrefs: 00007FF6C90F2555

Memory Dump Source

Source File: 00000008.00000002.17533132630.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 00000008.00000002.17533097995.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533880137.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533963138.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534092509.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534127885.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534167469.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534199815.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534242226.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534269242.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6c9020000_setup.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID: ..\..\third_party\crashpad\crashpad\util\file\file_io_win.cc$SetFilePointerEx
API String ID: 2976181284-3423003897
Opcode ID: 844e05737310e890d8c91f416288aa82cb5c299eea38e7eff2b73318ecabe8e5
Instruction ID: 95642bb57e3ebdd3568a684c63886b1a58fbf4635cd4a4b8052220a45d42d2a6
Opcode Fuzzy Hash: 844e05737310e890d8c91f416288aa82cb5c299eea38e7eff2b73318ecabe8e5
Instruction Fuzzy Hash: 9821BE31B1C69240FB609F16A512BB92A90AF48BEAF800135CDDD87FC5CE2CE2438700

Function 00007FF6C90F25A0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6C90F24A0: SetFilePointerEx.KERNELBASE ref: 00007FF6C90F24F0

SetEndOfFile.KERNELBASE ref: 00007FF6C90F25D2
GetLastError.KERNEL32 ref: 00007FF6C90F2609

Strings

SetEndOfFile, xrefs: 00007FF6C90F2637
..\..\third_party\crashpad\crashpad\util\file\file_io_win.cc, xrefs: 00007FF6C90F2612

Memory Dump Source

Source File: 00000008.00000002.17533132630.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 00000008.00000002.17533097995.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533880137.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533963138.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534092509.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534127885.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534167469.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534199815.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534242226.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534269242.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6c9020000_setup.jbxd

Similarity

API ID: File$ErrorLastPointer
String ID: ..\..\third_party\crashpad\crashpad\util\file\file_io_win.cc$SetEndOfFile
API String ID: 841452515-359779137
Opcode ID: 674331e17bbd71cd14e59761385c21c09cd0443200d865423d61f4169f498cad
Instruction ID: 45988eedf4504a3f844d10eb3da527988fc7075b6abb6294f3d91fe3cfb61281
Opcode Fuzzy Hash: 674331e17bbd71cd14e59761385c21c09cd0443200d865423d61f4169f498cad
Instruction Fuzzy Hash: BE11E521B1C59641FB20AF25A9227BA2A519F89F8AF410134DDCEC7B86DE2DE5078740

Function 00007FF6C9199BEC Relevance: 6.2, APIs: 4, Instructions: 218
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetConsoleMode.KERNEL32(?,?,?,?,?,?,00007FF6C90BC4DA,?,00007FF6C90BC4DA,?,00007FF6C90BC4DA,00007FF6C90BC4DA,00007FF6C90BC4DA,00000000,00007FF6C9199FFF,00000000), ref: 00007FF6C9199D08
GetLastError.KERNEL32(?,?,?,?,?,?,00007FF6C90BC4DA,?,00007FF6C90BC4DA,?,00007FF6C90BC4DA,00007FF6C90BC4DA,00007FF6C90BC4DA,00000000,00007FF6C9199FFF,00000000), ref: 00007FF6C9199D93

Memory Dump Source

Source File: 00000008.00000002.17533132630.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 00000008.00000002.17533097995.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533880137.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533963138.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534092509.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534127885.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534167469.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534199815.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534242226.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534269242.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6c9020000_setup.jbxd

Similarity

API ID: ConsoleErrorLastMode
String ID:
API String ID: 953036326-0
Opcode ID: 2b0c3fa9d412db7a1a8ab71a01c912e6c097ce6e17a4349dac78b7eea43639fb
Instruction ID: 406e078e802c2ee58b6c00bafeef3e8d3b8cb0f13be1ce6b2c8a4689725ae507
Opcode Fuzzy Hash: 2b0c3fa9d412db7a1a8ab71a01c912e6c097ce6e17a4349dac78b7eea43639fb
Instruction Fuzzy Hash: D991C332F1865189FB509F6994812BD2FA0BB05F8AF154139DE8E97E94DF3CD886C700

Function 00007FF6C90F2660 Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 42
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CloseHandle.KERNELBASE ref: 00007FF6C90F267C
GetLastError.KERNEL32 ref: 00007FF6C90F26BB

Strings

CloseHandle, xrefs: 00007FF6C90F26E9
..\..\third_party\crashpad\crashpad\util\file\file_io_win.cc, xrefs: 00007FF6C90F26C4

Memory Dump Source

Source File: 00000008.00000002.17533132630.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 00000008.00000002.17533097995.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533880137.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533963138.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534092509.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534127885.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534167469.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534199815.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534242226.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534269242.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6c9020000_setup.jbxd

Similarity

API ID: CloseErrorHandleLast
String ID: ..\..\third_party\crashpad\crashpad\util\file\file_io_win.cc$CloseHandle
API String ID: 918212764-1830217499
Opcode ID: bd69f308de9511593cad69c1eac52c47856b21cc925288134a9f31ea72cd6f3d
Instruction ID: 54840d61ecc035f27069308e20d951167ad782153ea51d2d527712a63746be8a
Opcode Fuzzy Hash: bd69f308de9511593cad69c1eac52c47856b21cc925288134a9f31ea72cd6f3d
Instruction Fuzzy Hash: 88019262B1869341FB20AF11AA527FA2A50AF89B95F410435DDCD8BBC5DE2CD946C640

Function 00007FF6C90F2A10 Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

..\..\third_party\crashpad\crashpad\util\file\file_io.cc, xrefs: 00007FF6C90F2A9E
ReadFile, xrefs: 00007FF6C90F2AC3

Memory Dump Source

Source File: 00000008.00000002.17533132630.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 00000008.00000002.17533097995.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533880137.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533963138.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534092509.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534127885.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534167469.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534199815.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534242226.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534269242.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6c9020000_setup.jbxd

Similarity

API ID: CloseHandle
String ID: ..\..\third_party\crashpad\crashpad\util\file\file_io.cc$ReadFile
API String ID: 2962429428-1347244036
Opcode ID: 30d89f1bbfdb8cd4f1505fd23aceacf41d9905e994a816dd0aa84fd6f31b860e
Instruction ID: 2149e9909e31cda4c1be82227d1fdf5edba75c0ae599882fc9cd15fc80696c66
Opcode Fuzzy Hash: 30d89f1bbfdb8cd4f1505fd23aceacf41d9905e994a816dd0aa84fd6f31b860e
Instruction Fuzzy Hash: 27112322F181C640FB20AF19A5123F91A50AF98BAAF400635DDCD8BBC6DE1CE6478700

Function 00007FF6C90F2010 Relevance: 4.6, APIs: 3, Instructions: 59
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadFile.KERNELBASE ref: 00007FF6C90F206E
GetFileType.KERNELBASE ref: 00007FF6C90F20A5
GetLastError.KERNEL32 ref: 00007FF6C90F20B6

Memory Dump Source

Source File: 00000008.00000002.17533132630.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 00000008.00000002.17533097995.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533880137.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533963138.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534092509.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534127885.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534167469.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534199815.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534242226.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534269242.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6c9020000_setup.jbxd

Similarity

API ID: File$ErrorLastReadType
String ID:
API String ID: 291879748-0
Opcode ID: 443ccd3f952e52c5fa5255bd0580c556af1c3914ff954ab95faf65a1b50ec064
Instruction ID: 4116195d9c08aeb2b6c8aae9553b2157b6a60d98e6cbf9b49fcd1d305b32bf32
Opcode Fuzzy Hash: 443ccd3f952e52c5fa5255bd0580c556af1c3914ff954ab95faf65a1b50ec064
Instruction Fuzzy Hash: 5211C423B1858249F7218F26A94462AB790AF48B99F550635ED9DC7794CE3CD943CA00

Function 00007FF6C90F2930 Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 58
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32 ref: 00007FF6C90F29C5

Strings

..\..\third_party\crashpad\crashpad\util\file\file_io.cc, xrefs: 00007FF6C90F29CE
WriteFile, xrefs: 00007FF6C90F29F3

Memory Dump Source

Source File: 00000008.00000002.17533132630.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 00000008.00000002.17533097995.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533880137.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533963138.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534092509.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534127885.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534167469.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534199815.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534242226.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534269242.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6c9020000_setup.jbxd

Similarity

API ID: ErrorLast
String ID: ..\..\third_party\crashpad\crashpad\util\file\file_io.cc$WriteFile
API String ID: 1452528299-1292784012
Opcode ID: 179de11993113eb105d4fe59dc2ffbc84c64f5c5db04941f19f45d2b2279ad05
Instruction ID: 331f5b19496ed790b97b69d86cd3b7f9857fa4a7341ba57153e92b948ca88415
Opcode Fuzzy Hash: 179de11993113eb105d4fe59dc2ffbc84c64f5c5db04941f19f45d2b2279ad05
Instruction Fuzzy Hash: 2511CD21B1C68641FF159F11EA127F92A90AF48BD9F454039DDCD87B86DE2CE606C300

Function 00007FF6C90C9770 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 112
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

TryAcquireSRWLockExclusive.KERNEL32 ref: 00007FF6C90CA57D

Strings

bitset reset argument out of range, xrefs: 00007FF6C90CA5FD

Memory Dump Source

Source File: 00000008.00000002.17533132630.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 00000008.00000002.17533097995.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533880137.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533963138.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534092509.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534127885.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534167469.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534199815.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534242226.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534269242.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6c9020000_setup.jbxd

Similarity

API ID: AcquireExclusiveLock
String ID: bitset reset argument out of range
API String ID: 4021432409-1934458321
Opcode ID: 159fbb28b7af8420530e9c3a09efff8d30c77ccdfa5dcdcca061a6f0760330af
Instruction ID: 68c70a5f86572e19d6f2ff118962eb97861b60a9756b00faf17dc7f845a5a4ad
Opcode Fuzzy Hash: 159fbb28b7af8420530e9c3a09efff8d30c77ccdfa5dcdcca061a6f0760330af
Instruction Fuzzy Hash: 91318E52F14A4A41FF18AF16E9493B867129F44BE2F844135CEEEC7BD5DD2CE4818361

Function 00007FF6C919A48C Relevance: 3.1, APIs: 2, Instructions: 74
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteFile.KERNELBASE ref: 00007FF6C919A53F
GetLastError.KERNEL32 ref: 00007FF6C919A55B

Memory Dump Source

Source File: 00000008.00000002.17533132630.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 00000008.00000002.17533097995.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533880137.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533963138.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534092509.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534127885.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534167469.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534199815.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534242226.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534269242.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6c9020000_setup.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID:
API String ID: 442123175-0
Opcode ID: 68a27524846d089f5ec425f48a5feb0e59f3a15ae69c702f4368ed9dee809199
Instruction ID: d8fff983364d0e03b95ab4b3cbdaeb3f9c3680efb1b406c7dc4f0cc5f86091b3
Opcode Fuzzy Hash: 68a27524846d089f5ec425f48a5feb0e59f3a15ae69c702f4368ed9dee809199
Instruction Fuzzy Hash: E831F532B18B818AEB109F15E4852A97BA0FB58B85F455032EBCEC7B54EF3CD416C700

Function 00007FF6C9193D28 Relevance: 3.0, APIs: 2, Instructions: 46COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,?,?,00000000,00007FF6C9199CA0,?,?,?,?,?,?,00007FF6C90BC4DA,?,00007FF6C90BC4DA), ref: 00007FF6C9193D74
GetLastError.KERNEL32(?,?,?,?,00000000,00007FF6C9199CA0,?,?,?,?,?,?,00007FF6C90BC4DA,?,00007FF6C90BC4DA), ref: 00007FF6C9193D7E

Memory Dump Source

Source File: 00000008.00000002.17533132630.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 00000008.00000002.17533097995.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533880137.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533963138.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534092509.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534127885.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534167469.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534199815.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534242226.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534269242.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6c9020000_setup.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 955987040b5e1f3cd9ada3e38491c711b894e32cc637ffb5b4d0f1e3ee7f0414
Instruction ID: df599d9d8531ebd273a46bc5f53fad8f69db04082729dac6b3d9ad7d025e3a3d
Opcode Fuzzy Hash: 955987040b5e1f3cd9ada3e38491c711b894e32cc637ffb5b4d0f1e3ee7f0414
Instruction Fuzzy Hash: AC110422618A8185EB209F25E4040696BA1EB41FF5F584331EEBD87BD9CF3CD0418740

Function 00007FF6C9085690 Relevance: 3.0, APIs: 2, Instructions: 37registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,?,?,?,00000000,00000000,?,00007FF6C9056678,?,?,?,?,?,?,?), ref: 00007FF6C90856C6
RegCloseKey.ADVAPI32(?,?,?,?,00000000,00000000,?,00007FF6C9056678,?,?,?,?,?,?,?), ref: 00007FF6C9085702

Memory Dump Source

Source File: 00000008.00000002.17533132630.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 00000008.00000002.17533097995.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533880137.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533963138.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534092509.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534127885.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534167469.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534199815.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534242226.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534269242.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6c9020000_setup.jbxd

Similarity

API ID: CloseOpen
String ID:
API String ID: 47109696-0
Opcode ID: 1b45fec8eeae5ab7eb531375cc05bb643b2247f9ebeecbba943f5b46a548d667
Instruction ID: 9d11baaf4b25d187287a475e22751ddf572348239aa7b7b61a6a63692f6c1ee4
Opcode Fuzzy Hash: 1b45fec8eeae5ab7eb531375cc05bb643b2247f9ebeecbba943f5b46a548d667
Instruction Fuzzy Hash: 02016272B29A5282FB544F15E95176A67A0FB88B95F014035EECF87750DE3CD8518740

Function 00007FF6C90CA0E0 Relevance: 2.5, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

VirtualFree.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,00000000,00000040000B0050,-0000000400000000,?,00007FF6C90B8811), ref: 00007FF6C90CA0EA
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,00000040000B0050,-0000000400000000,?,00007FF6C90B8811), ref: 00007FF6C90CA0F4

Memory Dump Source

Source File: 00000008.00000002.17533132630.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 00000008.00000002.17533097995.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533880137.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533963138.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534092509.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534127885.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534167469.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534199815.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534242226.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534269242.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6c9020000_setup.jbxd

Similarity

API ID: ErrorFreeLastVirtual
String ID:
API String ID: 499627090-0
Opcode ID: 73818c80937deb4832c471d99414fc7ff2eeaff62bfd5e719b1526dabfdcc212
Instruction ID: c4556b923349a6dfab87c672e7eba8a6d73739182f90ed374908bbfadd765bb2
Opcode Fuzzy Hash: 73818c80937deb4832c471d99414fc7ff2eeaff62bfd5e719b1526dabfdcc212
Instruction Fuzzy Hash: 12D01251F1954245F7542F726D4133428546F25B87F81483CC68CD6650EE1CD085C711

Function 00007FF6C90F20D0 Relevance: 1.5, APIs: 1, Instructions: 23fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE ref: 00007FF6C90F211C

Memory Dump Source

Source File: 00000008.00000002.17533132630.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 00000008.00000002.17533097995.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533880137.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533963138.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534092509.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534127885.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534167469.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534199815.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534242226.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534269242.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6c9020000_setup.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: d1b69eb38a61535727279d59207186c3acebad48a70d119754322408c0ea9445
Instruction ID: a4ad43877a53264d5a2d4d949b190572637b1bba2d2094a4d76f6ae8b55ade27
Opcode Fuzzy Hash: d1b69eb38a61535727279d59207186c3acebad48a70d119754322408c0ea9445
Instruction Fuzzy Hash: 5CF0A022B1868186FB208F18EA543292B61FB9974AF148035C6CE86758CF3DD206C704

Function 00007FF6C90CA110 Relevance: 1.3, APIs: 1, Instructions: 13COMMON

Download Yara Rule

APIs

VirtualFree.KERNELBASE(?,?,?,?,00007FF6C90CA57A), ref: 00007FF6C90CA11A

Memory Dump Source

Source File: 00000008.00000002.17533132630.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 00000008.00000002.17533097995.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533880137.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533963138.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534092509.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534127885.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534167469.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534199815.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534242226.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534269242.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6c9020000_setup.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 729bc3b487c0e236f1f9432a8cba691968bfbe638ef20b7cc4d40f35a75d4ca4
Instruction ID: 304ba27627395a038b00af4b72523cef5c6b9e108a87de5bdbf7f8f48d5f17f6
Opcode Fuzzy Hash: 729bc3b487c0e236f1f9432a8cba691968bfbe638ef20b7cc4d40f35a75d4ca4
Instruction Fuzzy Hash: CBC08C54F2C80680FB283F22694133409102F28B43F822C38C79E9BB80ED1DE2078B22

Non-executed Functions

Function 00007FF6C9146D00 Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 174threadtimeCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00007FF6C9146D30
QueryThreadCycleTime.KERNEL32 ref: 00007FF6C9146D3E
GetCurrentThread.KERNEL32 ref: 00007FF6C9146DC5
GetThreadPriority.KERNEL32 ref: 00007FF6C9146DCA
GetCurrentThread.KERNEL32 ref: 00007FF6C9146DD2
SetThreadPriority.KERNEL32 ref: 00007FF6C9146DDC
QueryPerformanceCounter.KERNEL32 ref: 00007FF6C9146E42
GetCurrentThread.KERNEL32 ref: 00007FF6C9146E4B
SetThreadPriority.KERNEL32 ref: 00007FF6C9146E56
QueryPerformanceFrequency.KERNEL32 ref: 00007FF6C9146E64
QueryPerformanceCounter.KERNEL32 ref: 00007FF6C9146F48

Strings

%s (errno: %d, %s), xrefs: 00007FF6C9146FA0, 00007FF6C9146FF2
PERFETTO_CHECK(tsc_now >= tsc_initial), xrefs: 00007FF6C9146FE6
PERFETTO_CHECK(perf_counter_now >= perf_counter_initial), xrefs: 00007FF6C9146F94
..\..\third_party\perfetto\src\base\time.cc, xrefs: 00007FF6C9146F7F, 00007FF6C9146FD1

Memory Dump Source

Source File: 00000008.00000002.17533132630.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 00000008.00000002.17533097995.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533880137.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533963138.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534092509.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534127885.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534167469.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534199815.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534242226.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534269242.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6c9020000_setup.jbxd

Similarity

API ID: Thread$CurrentQuery$PerformancePriority$Counter$CycleFrequencyTime
String ID: %s (errno: %d, %s)$..\..\third_party\perfetto\src\base\time.cc$PERFETTO_CHECK(perf_counter_now >= perf_counter_initial)$PERFETTO_CHECK(tsc_now >= tsc_initial)
API String ID: 649842374-3408761757
Opcode ID: de432c121d9762614cbf4ba3aa36bff704b534f44ecf2d0cb4b272247977c08a
Instruction ID: 809e4a2005fd723fc584d526b9bf61b356839fbb730a3a9acbb58c3cf07d1178
Opcode Fuzzy Hash: de432c121d9762614cbf4ba3aa36bff704b534f44ecf2d0cb4b272247977c08a
Instruction Fuzzy Hash: 0881C421928A4285F711DF20EA512797B60FF49B9AF154235D9CED7BA5DF3CE442C700

Function 00007FF6C9159750 Relevance: 9.5, Strings: 7, Instructions: 774COMMON

Download Yara Rule

Strings

%s (errno: %d, %s), xrefs: 00007FF6C915A3A8
33333333, xrefs: 00007FF6C915A4CA
33333333, xrefs: 00007FF6C91599FB
PERFETTO_CHECK(false), xrefs: 00007FF6C915A39C
..\..\third_party\perfetto\include\perfetto\tracing\track_event_interned_data_index.h, xrefs: 00007FF6C915A387
UUUUUUUU, xrefs: 00007FF6C915A4B7
UUUUUUUU, xrefs: 00007FF6C91599E8

Memory Dump Source

Source File: 00000008.00000002.17533132630.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 00000008.00000002.17533097995.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533880137.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533963138.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534092509.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534127885.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534167469.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534199815.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534242226.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534269242.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6c9020000_setup.jbxd

Similarity

API ID:
String ID: %s (errno: %d, %s)$..\..\third_party\perfetto\include\perfetto\tracing\track_event_interned_data_index.h$33333333$33333333$PERFETTO_CHECK(false)$UUUUUUUU$UUUUUUUU
API String ID: 0-1816856866
Opcode ID: e239688874aef640866cded79b8107091afeb1143afd2fae25cf95bb86b14071
Instruction ID: 0084767c5dd0ba08260353e24a011c040c4ede54f14e52e3f75bbbf6c612eb1d
Opcode Fuzzy Hash: e239688874aef640866cded79b8107091afeb1143afd2fae25cf95bb86b14071
Instruction Fuzzy Hash: 3A728C72B19B8581EB698F05E0453AA77A1FB88B81F458132CADD97B98DF3CE491C701

Function 00007FF6C91A9EEC Relevance: 9.2, APIs: 6, Instructions: 171COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6C91A46E4: GetLastError.KERNEL32 ref: 00007FF6C91A46F3
Part of subcall function 00007FF6C91A46E4: FlsGetValue.KERNEL32 ref: 00007FF6C91A4708
Part of subcall function 00007FF6C91A46E4: SetLastError.KERNEL32 ref: 00007FF6C91A4793

Part of subcall function 00007FF6C91A46E4: FlsSetValue.KERNEL32 ref: 00007FF6C91A4729

GetUserDefaultLCID.KERNEL32(?,00000000,00000092,?), ref: 00007FF6C91AA05C

Part of subcall function 00007FF6C91A46E4: FlsSetValue.KERNEL32 ref: 00007FF6C91A4756
Part of subcall function 00007FF6C91A46E4: FlsSetValue.KERNEL32 ref: 00007FF6C91A4767
Part of subcall function 00007FF6C91A46E4: FlsSetValue.KERNEL32 ref: 00007FF6C91A4778

EnumSystemLocalesW.KERNEL32(?,00000000,00000092,?,?,00000000,?,00007FF6C918F279), ref: 00007FF6C91AA043
IsValidCodePage.KERNEL32 ref: 00007FF6C91AA098
IsValidLocale.KERNEL32 ref: 00007FF6C91AA0AE
GetLocaleInfoW.KERNEL32 ref: 00007FF6C91AA10A
GetLocaleInfoW.KERNEL32 ref: 00007FF6C91AA126

Memory Dump Source

Source File: 00000008.00000002.17533132630.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 00000008.00000002.17533097995.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533880137.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533963138.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534092509.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534127885.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534167469.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534199815.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534242226.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534269242.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6c9020000_setup.jbxd

Similarity

API ID: Value$Locale$ErrorInfoLastValid$CodeDefaultEnumLocalesPageSystemUser
String ID:
API String ID: 1706690794-0
Opcode ID: fc7311b086ce6fd43b0eb301339a6b3cc1f08fc7bd23cc236602390b1e8bbbb3
Instruction ID: 67901dfb2fb77a510e2397a38f0577ed87fcffa6a76ad8f25fe7823e4d32b112
Opcode Fuzzy Hash: fc7311b086ce6fd43b0eb301339a6b3cc1f08fc7bd23cc236602390b1e8bbbb3
Instruction Fuzzy Hash: 85718E62B186429AFF109F60D8526BD3BB1BF44B46F444036CA9E93B95EF3CE849C350

Function 00007FF6C9195B80 Relevance: 9.1, APIs: 6, Instructions: 83COMMON

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF6C9195BF9
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF6C9195C11
RtlVirtualUnwind.KERNEL32 ref: 00007FF6C9195C4C
IsDebuggerPresent.KERNEL32 ref: 00007FF6C9195C85
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF6C9195C8F
UnhandledExceptionFilter.KERNEL32 ref: 00007FF6C9195C9A

Memory Dump Source

Source File: 00000008.00000002.17533132630.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 00000008.00000002.17533097995.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533880137.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533963138.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534092509.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534127885.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534167469.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534199815.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534242226.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534269242.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6c9020000_setup.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 49f356e329ffe9317a02f37c9929f3f11b56c8c09c740634a9a27b444624c1bf
Instruction ID: 2d89929f6b2b5e1de59c62758e17a49baa08a0162dc4cae138fb188dfddb7d08
Opcode Fuzzy Hash: 49f356e329ffe9317a02f37c9929f3f11b56c8c09c740634a9a27b444624c1bf
Instruction Fuzzy Hash: F7317132A18F8186EB60CF25E8412AE77A5FB88B59F504135EADD87B98DF3CC545CB00

Function 00007FF6C91F20F0 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 134windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNEL32 ref: 00007FF6C91F213F
LocalFree.KERNEL32 ref: 00007FF6C91F21B0
GetLastError.KERNEL32 ref: 00007FF6C91F230F

Strings

Error (0x%lX) while retrieving error. (0x%lX), xrefs: 00007FF6C91F2315
(0x%lX), xrefs: 00007FF6C91F21C2

Memory Dump Source

Source File: 00000008.00000002.17533132630.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 00000008.00000002.17533097995.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533880137.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533963138.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534092509.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534127885.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534167469.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534199815.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534242226.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534269242.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6c9020000_setup.jbxd

Similarity

API ID: ErrorFormatFreeLastLocalMessage
String ID: (0x%lX)$Error (0x%lX) while retrieving error. (0x%lX)
API String ID: 1365068426-3206765257
Opcode ID: 03ae5f3285c97a230daa055b4265b5a4f214d8776a24798a67af573410803d93
Instruction ID: 36fb1c9a274894a7fb984df395a3db2f5e4c0a04ae3b89599e530ed43e6856fa
Opcode Fuzzy Hash: 03ae5f3285c97a230daa055b4265b5a4f214d8776a24798a67af573410803d93
Instruction Fuzzy Hash: 9C51AD32A0DBC681EB218F25E4513AAABA0FF88B95F444135DACD87B99DF3CE045C700

Function 00007FF6C91AA798 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 50COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,?,?,?,?,?,?,00007FF6C91AA08B), ref: 00007FF6C91AA7ED
GetLocaleInfoW.KERNEL32(?,?,?,?,?,?,?,00007FF6C91AA08B), ref: 00007FF6C91AA81A
GetACP.KERNEL32(?,?,?,?,?,?,?,00007FF6C91AA08B), ref: 00007FF6C91AA830

Strings

ACP, xrefs: 00007FF6C91AA7B9
OCP, xrefs: 00007FF6C91AA7C9

Memory Dump Source

Source File: 00000008.00000002.17533132630.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 00000008.00000002.17533097995.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533880137.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533963138.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534092509.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534127885.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534167469.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534199815.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534242226.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534269242.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6c9020000_setup.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: b57b358656b6c5e522c07b9433039294d2a61d4965a7f805eed9d0eed18eb55b
Instruction ID: 0ebe323de0f884bab371b4a420940bf8bf64792fecca6ecc780dc2e739c55a70
Opcode Fuzzy Hash: b57b358656b6c5e522c07b9433039294d2a61d4965a7f805eed9d0eed18eb55b
Instruction Fuzzy Hash: 2A11B121A1868382FB649F51E50257A6BA1FF44B93F808035DACAC3A55DF2CEC4AC740

Function 00007FF6C9157630 Relevance: 7.6, APIs: 2, Strings: 2, Instructions: 563COMMON

Download Yara Rule

Strings

bcryptprimitives.dll, xrefs: 00007FF6C915766E
ProcessPrng, xrefs: 00007FF6C9157680

Memory Dump Source

Source File: 00000008.00000002.17533132630.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 00000008.00000002.17533097995.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533880137.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533963138.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534092509.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534127885.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534167469.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534199815.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534242226.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534269242.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6c9020000_setup.jbxd

Similarity

API ID: ErrorLastOnce$ExecuteInitValue
String ID: ProcessPrng$bcryptprimitives.dll
API String ID: 2797425889-2667675608
Opcode ID: 8442186f380c735674eda46b954956d777aa1d416e1b0d53cb53bbbffd159fa7
Instruction ID: fb77cb451d86ff375606058f2524c50e4ea93081d289e97234deb9a527e21627
Opcode Fuzzy Hash: 8442186f380c735674eda46b954956d777aa1d416e1b0d53cb53bbbffd159fa7
Instruction Fuzzy Hash: C0429C72A086C286E725CF15A5493FA6BA4EB99B8AF454035DFCD83B95DF7CD180CB00

Function 00007FF6C91B2230 Relevance: 7.5, Strings: 5, Instructions: 1226COMMON

Download Yara Rule

Strings

MZx, xrefs: 00007FF6C91B290B, 00007FF6C91B2970, 00007FF6C91B2D2E, 00007FF6C91B2DF1, 00007FF6C91B2E5D, 00007FF6C91B3188
1#INF, xrefs: 00007FF6C91B23A7
1#IND, xrefs: 00007FF6C91B236B
1#SNAN, xrefs: 00007FF6C91B238E
1#QNAN, xrefs: 00007FF6C91B2397

Memory Dump Source

Source File: 00000008.00000002.17533132630.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 00000008.00000002.17533097995.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533880137.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533963138.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534092509.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534127885.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534167469.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534199815.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534242226.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534269242.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6c9020000_setup.jbxd

Similarity

API ID:
String ID: 1#IND$1#INF$1#QNAN$1#SNAN$MZx
API String ID: 0-2638907429
Opcode ID: 0f677892d46d531a80dea54d3cc29a352665caa5c376f0d94dc3f28d3ef9f3ff
Instruction ID: 21b36fc9d609d35bd8792c2777279d6373c1ecfa085e511e8cc97a967a559685
Opcode Fuzzy Hash: 0f677892d46d531a80dea54d3cc29a352665caa5c376f0d94dc3f28d3ef9f3ff
Instruction Fuzzy Hash: D0B2D2B2A182C28AE7258E24D4427FD3BB2FB54B8AF505535DA49D7F84DF38A905CB40

Function 00007FF6C9147A90 Relevance: 6.1, APIs: 1, Strings: 2, Instructions: 894COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6C914B3D0: GetCurrentProcessId.KERNEL32(-5555555555555556,?,?,00007FF6C9147B23), ref: 00007FF6C914B413

GetCurrentProcessId.KERNEL32 ref: 00007FF6C91483AE

Strings

@, xrefs: 00007FF6C9148923
thread_time, xrefs: 00007FF6C9147B56

Memory Dump Source

Source File: 00000008.00000002.17533132630.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 00000008.00000002.17533097995.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533880137.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533963138.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534092509.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534127885.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534167469.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534199815.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534242226.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534269242.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6c9020000_setup.jbxd

Similarity

API ID: CurrentProcess
String ID: @$thread_time
API String ID: 2050909247-694944393
Opcode ID: 9cb998c32efe91a33d9ba4673a7e9581a9556bf2f2aef9cd55f1d25730124240
Instruction ID: c4965bc7141ba458bbdb9b0e1f2de2044fdbb61097ef3579e2ef7811119aa591
Opcode Fuzzy Hash: 9cb998c32efe91a33d9ba4673a7e9581a9556bf2f2aef9cd55f1d25730124240
Instruction Fuzzy Hash: 5B929D62A1CAC285EB219F15D0063EE6BA1FB89F89F844571DACD87B95DF3CE145CB00

Function 00007FF6C9189370 Relevance: 5.6, Strings: 3, Instructions: 1888COMMON

Download Yara Rule

Strings

MZx, xrefs: 00007FF6C91893A3, 00007FF6C9189919, 00007FF6C91899D6, 00007FF6C9189E7C, 00007FF6C918A182, 00007FF6C918A1B9, 00007FF6C918A55F, 00007FF6C918A618, 00007FF6C918A746, 00007FF6C918A7B6, 00007FF6C918A7ED, 00007FF6C918ABE6
, xrefs: 00007FF6C918ADD3
, xrefs: 00007FF6C918AF00

Memory Dump Source

Source File: 00000008.00000002.17533132630.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 00000008.00000002.17533097995.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533880137.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533963138.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534092509.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534127885.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534167469.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534199815.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534242226.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534269242.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6c9020000_setup.jbxd

Similarity

API ID:
String ID: $ $MZx
API String ID: 0-1186325740
Opcode ID: 4f717ae3fb17ee34d67f62c6920566bd6384c23b7ee25c79816f1dfc35d2f996
Instruction ID: 50012f3bd7d914501dda1a2a82e38d0dbf9eabf6263db94a9a8c013953898c98
Opcode Fuzzy Hash: 4f717ae3fb17ee34d67f62c6920566bd6384c23b7ee25c79816f1dfc35d2f996
Instruction Fuzzy Hash: FE03E472A182C14FE7798E24D9417FA3B91FB44B89F415136EA4A97F44DF39EA00DB04

Function 00007FF6C9059D50 Relevance: 5.4, Strings: 4, Instructions: 396COMMON

Download Yara Rule

Strings

%s (errno: %d, %s), xrefs: 00007FF6C9059E08, 00007FF6C9059FCE
PERFETTO_CHECK(cur_packet_->is_finalized()), xrefs: 00007FF6C9059FC2
PERFETTO_CHECK(protobuf_stream_writer_.bytes_available() != 0), xrefs: 00007FF6C9059DFC
..\..\third_party\perfetto\src\tracing\core\trace_writer_impl.cc, xrefs: 00007FF6C9059DE7, 00007FF6C9059FAD

Memory Dump Source

Source File: 00000008.00000002.17533132630.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 00000008.00000002.17533097995.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533880137.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533963138.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534092509.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534127885.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534167469.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534199815.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534242226.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534269242.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6c9020000_setup.jbxd

Similarity

API ID:
String ID: %s (errno: %d, %s)$..\..\third_party\perfetto\src\tracing\core\trace_writer_impl.cc$PERFETTO_CHECK(cur_packet_->is_finalized())$PERFETTO_CHECK(protobuf_stream_writer_.bytes_available() != 0)
API String ID: 0-1822074035
Opcode ID: 9e80047485c98ea16c846ba4238addfc000e8619cde9641ba7b09b5040f021a4
Instruction ID: b38fe18b26959ee3a36dc10c9b5253e1d5d8d9535ea0140967c7c19a1aec6d00
Opcode Fuzzy Hash: 9e80047485c98ea16c846ba4238addfc000e8619cde9641ba7b09b5040f021a4
Instruction Fuzzy Hash: A1F1BF22709B8292EB15CF29D1453697BA0FB48B85F458139DBCD87BA1DF3CE4A5C304

Function 00007FF6C9096340 Relevance: 5.3, Strings: 4, Instructions: 310COMMON

Download Yara Rule

Strings

UUUUUUUU, xrefs: 00007FF6C9096721
33333333, xrefs: 00007FF6C9096563
33333333, xrefs: 00007FF6C9096734
UUUUUUUU, xrefs: 00007FF6C9096550

Memory Dump Source

Source File: 00000008.00000002.17533132630.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 00000008.00000002.17533097995.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533880137.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533963138.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534092509.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534127885.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534167469.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534199815.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534242226.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534269242.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6c9020000_setup.jbxd

Similarity

API ID:
String ID: 33333333$33333333$UUUUUUUU$UUUUUUUU
API String ID: 0-1344069251
Opcode ID: 2eefef0ed7bd3aef655af7f9094a751d39f3b18b7890478c3d6a871eefdcce98
Instruction ID: 9451e27e1891ef2175d8a0551514b90292735d98289db4f06d288ed8447f9aa4
Opcode Fuzzy Hash: 2eefef0ed7bd3aef655af7f9094a751d39f3b18b7890478c3d6a871eefdcce98
Instruction Fuzzy Hash: 0AB12762B1A70986EF15CF6295013786B91AF59FD1B0BC53ADE8E97784EF3CF0908200

Function 00007FF6C917C698 Relevance: 4.5, APIs: 3, Instructions: 13COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?,?,?,00007FF6C917C5AD), ref: 00007FF6C917C6A3
UnhandledExceptionFilter.KERNEL32(?,?,?,00007FF6C917C5AD), ref: 00007FF6C917C6AC
GetCurrentProcess.KERNEL32(?,?,?,00007FF6C917C5AD), ref: 00007FF6C917C6B2

Memory Dump Source

Source File: 00000008.00000002.17533132630.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 00000008.00000002.17533097995.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533880137.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533963138.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534092509.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534127885.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534167469.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534199815.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534242226.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534269242.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6c9020000_setup.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CurrentProcess
String ID:
API String ID: 1249254920-0
Opcode ID: 75fb027aa209bb165c04b8bee70471f9bb8473a21186148b4958a4a511c8a558
Instruction ID: 3f48bb041e6336f7dba6b5e63577f01a379c76b25ef7837d20fc941f93d3cadc
Opcode Fuzzy Hash: 75fb027aa209bb165c04b8bee70471f9bb8473a21186148b4958a4a511c8a558
Instruction Fuzzy Hash: E4D09E57A2850786F7581F61AA150351610AF58B46B041434DDDA857149D3C5485C650

Function 00007FF6C91A6FB8 Relevance: 3.9, Strings: 3, Instructions: 195COMMON

Download Yara Rule

Strings

e+000, xrefs: 00007FF6C91A70C5
-, xrefs: 00007FF6C91A71FB
gfff, xrefs: 00007FF6C91A7142

Memory Dump Source

Source File: 00000008.00000002.17533132630.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 00000008.00000002.17533097995.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533880137.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533963138.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534092509.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534127885.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534167469.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534199815.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534242226.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534269242.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6c9020000_setup.jbxd

Similarity

API ID:
String ID: -$e+000$gfff
API String ID: 0-2620144452
Opcode ID: aeb6a6a8d45bb7b7742d496ee3eda4a19a22b2f02cc6120375bd3ba4a367a0dc
Instruction ID: ef9481936b26e75795130e8e62ebf4b4e772fca8fbd7720212d2776db3a0c22d
Opcode Fuzzy Hash: aeb6a6a8d45bb7b7742d496ee3eda4a19a22b2f02cc6120375bd3ba4a367a0dc
Instruction Fuzzy Hash: 5E711132B187C586E7208F25A941769BBA5F745F94F488231DBE88BF85CF3DD9498B00

Function 00007FF6C9198594 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 135timeCOMMON

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,?,00000000,00000000,?,00007FF6C9198B70), ref: 00007FF6C919868B

Strings

@, xrefs: 00007FF6C91985DB

Memory Dump Source

Source File: 00000008.00000002.17533132630.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 00000008.00000002.17533097995.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533880137.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533963138.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534092509.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534127885.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534167469.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534199815.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534242226.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534269242.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6c9020000_setup.jbxd

Similarity

API ID: InformationTimeZone
String ID: @
API String ID: 565725191-2766056989
Opcode ID: 249c8ac1f5eb54b4e30d4c903682f1931a283dee96b54b397ae3489eed5ab5fa
Instruction ID: b18527de3a1ca99943a18a9942c0ccc41dbec17eb6730db40db4d2c6ee90cf88
Opcode Fuzzy Hash: 249c8ac1f5eb54b4e30d4c903682f1931a283dee96b54b397ae3489eed5ab5fa
Instruction Fuzzy Hash: 1351A532A1865246F710DF22E9824B96FA1BF88B89F454175EACDC7F96DF3CE5408700

Function 00007FF6C91A5164 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,?,?,?,?,00007FF6C918F452), ref: 00007FF6C91A51D8

Strings

GetLocaleInfoEx, xrefs: 00007FF6C91A5180, 00007FF6C91A5191

Memory Dump Source

Source File: 00000008.00000002.17533132630.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 00000008.00000002.17533097995.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533880137.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533963138.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534092509.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534127885.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534167469.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534199815.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534242226.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534269242.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6c9020000_setup.jbxd

Similarity

API ID: InfoLocale
String ID: GetLocaleInfoEx
API String ID: 2299586839-2904428671
Opcode ID: b9dfbb4ba747d41c3ae77e58327a2b192f3a29f89a9f3d223f5f59345b93f7f5
Instruction ID: 3c078bd80411753bca74a9dd25249f026114db1788a577ec58170b32543d53b4
Opcode Fuzzy Hash: b9dfbb4ba747d41c3ae77e58327a2b192f3a29f89a9f3d223f5f59345b93f7f5
Instruction Fuzzy Hash: 76018F22B18B8185EB089F56B5015AABA60EF94FC1F584036DECD83B55CE3CD9458340

Function 00007FF6C91ADBF8 Relevance: 2.9, Strings: 2, Instructions: 358COMMON

Download Yara Rule

Strings

a/p, xrefs: 00007FF6C91ADF12
am/pm, xrefs: 00007FF6C91ADEA7

Memory Dump Source

Source File: 00000008.00000002.17533132630.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 00000008.00000002.17533097995.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533880137.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533963138.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534092509.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534127885.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534167469.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534199815.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534242226.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534269242.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6c9020000_setup.jbxd

Similarity

API ID:
String ID: a/p$am/pm
API String ID: 0-3206640213
Opcode ID: 2d48b5e10062134f603c0d3a6a1cb4e93d93b2ae3319c77cf98950af5879b4e4
Instruction ID: 4bfa7e0a609e088293f5790e516a73dc728006f33a6acbec5a2fa9d954fb5064
Opcode Fuzzy Hash: 2d48b5e10062134f603c0d3a6a1cb4e93d93b2ae3319c77cf98950af5879b4e4
Instruction Fuzzy Hash: D1E1FE26A18A4281F7A48F2482566BD3BA0FF51B86F554136EA8D87EC4DF3CED59C304

Function 00007FF6C9149B30 Relevance: 2.1, Strings: 1, Instructions: 860COMMON

Download Yara Rule

Strings

`, xrefs: 00007FF6C9149E64

Memory Dump Source

Source File: 00000008.00000002.17533132630.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 00000008.00000002.17533097995.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533880137.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533963138.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534092509.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534127885.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534167469.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534199815.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534242226.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534269242.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6c9020000_setup.jbxd

Similarity

API ID:
String ID: `
API String ID: 0-2679148245
Opcode ID: eb2a5ea28730109016a184947776e092dcfdc8061f992a488635ae48407d3789
Instruction ID: 02d17e50134bd4e331edcc6a56489b7c75515c01c07ffac3f51134fb4dbf52f1
Opcode Fuzzy Hash: eb2a5ea28730109016a184947776e092dcfdc8061f992a488635ae48407d3789
Instruction Fuzzy Hash: 5A925A72A08B9685E7618F11A0453EE7BE4F798F89F994131DACD97B88CF38E451CB40

Function 00007FF6C91ABC00 Relevance: 2.0, APIs: 1, Instructions: 462COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.17533132630.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 00000008.00000002.17533097995.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533880137.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533963138.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534092509.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534127885.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534167469.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534199815.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534242226.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534269242.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6c9020000_setup.jbxd

Similarity

API ID: CurrentFeaturePresentProcessProcessor
String ID:
API String ID: 1010374628-0
Opcode ID: 58837e363d9d879ca75d7f04a58ad4afdd0e658539ab043d4b2800839d3c092b
Instruction ID: ccbeebac0383bdde33bc47a20b004543bd37fc291c6a210f155d74a1c23ca7f7
Opcode Fuzzy Hash: 58837e363d9d879ca75d7f04a58ad4afdd0e658539ab043d4b2800839d3c092b
Instruction Fuzzy Hash: 2802D221F1D68240FB559F22A5122792E81AF01FE6F494635DDEDC7BD2EE7DEA058300

Function 00007FF6C914EEE0 Relevance: 1.8, Strings: 1, Instructions: 568COMMON

Download Yara Rule

Strings

__next_prime overflow, xrefs: 00007FF6C914F761

Memory Dump Source

Source File: 00000008.00000002.17533132630.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 00000008.00000002.17533097995.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533880137.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533963138.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534092509.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534127885.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534167469.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534199815.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534242226.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534269242.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6c9020000_setup.jbxd

Similarity

API ID:
String ID: __next_prime overflow
API String ID: 0-822664188
Opcode ID: b8653f9a857e2045567bcabfbbc70515d3c5879f1addb57031887c4dcc7fde32
Instruction ID: 9870d9df163157d7735a09ddbe29c0bec25ee4ad74c5ba8ea27985a4d7e34ec4
Opcode Fuzzy Hash: b8653f9a857e2045567bcabfbbc70515d3c5879f1addb57031887c4dcc7fde32
Instruction Fuzzy Hash: 4102D226F5B60912FF298F5996160B4A6438BACFD594CC833CD8E82F88DE7CF562C510

Function 00007FF6C91AFAD4 Relevance: 1.7, APIs: 1, Instructions: 227COMMON

Download Yara Rule

APIs

RaiseException.KERNEL32 ref: 00007FF6C91AFD34

Memory Dump Source

Source File: 00000008.00000002.17533132630.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 00000008.00000002.17533097995.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533880137.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533963138.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534092509.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534127885.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534167469.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534199815.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534242226.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534269242.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6c9020000_setup.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 1d3d62ff8349e7b4ac41b2577c6ecbb042567382d4a2e9b31de58c5c224c4d73
Instruction ID: 8fb84419b0bbd4380f7fe32e7485aa1846f84f9f8df45087471ecfa8dc5e9d44
Opcode Fuzzy Hash: 1d3d62ff8349e7b4ac41b2577c6ecbb042567382d4a2e9b31de58c5c224c4d73
Instruction Fuzzy Hash: E3B15C73604B888BE755CF29C48636C7BA0F744F89F148921DAAD87BA8CF39D865C710

Function 00007FF6C91AA1EC Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6C91A46E4: GetLastError.KERNEL32 ref: 00007FF6C91A46F3
Part of subcall function 00007FF6C91A46E4: FlsGetValue.KERNEL32 ref: 00007FF6C91A4708
Part of subcall function 00007FF6C91A46E4: SetLastError.KERNEL32 ref: 00007FF6C91A4793

EnumSystemLocalesW.KERNEL32(?,?,?,00007FF6C91A9FEF,?,00000000,00000092,?,?,00000000,?,00007FF6C918F279), ref: 00007FF6C91AA28A

Memory Dump Source

Source File: 00000008.00000002.17533132630.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 00000008.00000002.17533097995.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533880137.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533963138.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534092509.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534127885.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534167469.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534199815.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534242226.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534269242.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6c9020000_setup.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystemValue
String ID:
API String ID: 3029459697-0
Opcode ID: 08c760cafacbed555b6c6fd8c9bf5b5dc0fdcc92b412410a6d2177c9827cf409
Instruction ID: 6115c2c8189b31f0348014a6980ac871bce8ddf3d8180f5bbd2a3562b0fea787
Opcode Fuzzy Hash: 08c760cafacbed555b6c6fd8c9bf5b5dc0fdcc92b412410a6d2177c9827cf409
Instruction Fuzzy Hash: D9110273A186418AEB108F65D1412A83FE1FB90FA2F448136C6A9837C0CE39DAE9C740

Function 00007FF6C91AA508 Relevance: 1.5, APIs: 1, Instructions: 41COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6C91A46E4: GetLastError.KERNEL32 ref: 00007FF6C91A46F3
Part of subcall function 00007FF6C91A46E4: FlsGetValue.KERNEL32 ref: 00007FF6C91A4708
Part of subcall function 00007FF6C91A46E4: SetLastError.KERNEL32 ref: 00007FF6C91A4793

EnumSystemLocalesW.KERNEL32(?,?,?,00007FF6C91A9FAB,?,00000000,00000092,?,?,00000000,?,00007FF6C918F279), ref: 00007FF6C91AA586

Memory Dump Source

Source File: 00000008.00000002.17533132630.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 00000008.00000002.17533097995.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533880137.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533963138.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534092509.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534127885.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534167469.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534199815.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534242226.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534269242.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6c9020000_setup.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystemValue
String ID:
API String ID: 3029459697-0
Opcode ID: 428f53633430f3a9d4cb6134a105b465d30e688d677cf4ffc36f63e0792f1712
Instruction ID: 9b7a8be9b5bbebae205e63160ef4895837bb82e75b4a82463723d740a76c9b9b
Opcode Fuzzy Hash: 428f53633430f3a9d4cb6134a105b465d30e688d677cf4ffc36f63e0792f1712
Instruction Fuzzy Hash: B5012D72F0C2414AE7104F15E8417B97AD2EB40FA2F458231D6A8876C4DF7CDC88C704

Function 00007FF6C91A5A78 Relevance: 1.5, APIs: 1, Instructions: 32COMMON

Download Yara Rule

APIs

EnumSystemLocalesW.KERNEL32(?,?,00000000,00007FF6C91A5073,?,?,?,?,?,?,?,?,00000000,00007FF6C91A9C14), ref: 00007FF6C91A5AC7

Memory Dump Source

Source File: 00000008.00000002.17533132630.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 00000008.00000002.17533097995.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533880137.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533963138.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534092509.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534127885.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534167469.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534199815.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534242226.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534269242.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6c9020000_setup.jbxd

Similarity

API ID: EnumLocalesSystem
String ID:
API String ID: 2099609381-0
Opcode ID: 830844ce24f82d1ac8ec67463e507976754c54178d7ad88a51c68b9d56764d9c
Instruction ID: fa9c3ff739bc0d54330fb54d6cbada718b676bfd2add424d73c60e2d33eb7c7d
Opcode Fuzzy Hash: 830844ce24f82d1ac8ec67463e507976754c54178d7ad88a51c68b9d56764d9c
Instruction Fuzzy Hash: E2F06972B18A8583FB04CF25E9811A93B62EB99B82F548035EACDC3765CE3CD961C300

Function 00007FF6C91A73B0 Relevance: 1.5, Strings: 1, Instructions: 254COMMON

Download Yara Rule

Strings

gfffffff, xrefs: 00007FF6C91A76F2

Memory Dump Source

Source File: 00000008.00000002.17533132630.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 00000008.00000002.17533097995.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533880137.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533963138.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534092509.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534127885.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534167469.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534199815.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534242226.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534269242.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6c9020000_setup.jbxd

Similarity

API ID:
String ID: gfffffff
API String ID: 0-1523873471
Opcode ID: f6dda8f873e7cdc8e9b58656d6e65b50f4ebb5c3bcffdf17fab95f2de66b9f64
Instruction ID: 925ae3b1d3383ddb6afc943c2a46b5454529b3baccb4fcdcace0315221cbf304
Opcode Fuzzy Hash: f6dda8f873e7cdc8e9b58656d6e65b50f4ebb5c3bcffdf17fab95f2de66b9f64
Instruction Fuzzy Hash: 5CA13662E087C646EB22CF29A4117AA7F91AB50F85F048131DE8D87B95DE3DEA09C701

Function 00007FF6C902AE40 Relevance: .6, Instructions: 646COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.17533132630.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 00000008.00000002.17533097995.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533880137.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533963138.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534092509.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534127885.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534167469.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534199815.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534242226.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534269242.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6c9020000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44b6302aede2dd13ff882eb9c1be377701c721944b08f923b62188f15a2c4496
Instruction ID: 97c7f7f437d2f640aafba7a17c0d252dfad6de8e3a6e3aa64cab5eb2e1a3a825
Opcode Fuzzy Hash: 44b6302aede2dd13ff882eb9c1be377701c721944b08f923b62188f15a2c4496
Instruction Fuzzy Hash: 68324C770B46004BD31FCE2ED99158AB292F744AA2709F238FE57C7B54E67CEE158604

Function 00007FF6C9025980 Relevance: .6, Instructions: 591COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.17533132630.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 00000008.00000002.17533097995.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533880137.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533963138.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534092509.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534127885.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534167469.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534199815.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534242226.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534269242.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6c9020000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ad987277e8095284215c95a372eb5f6cf80c1776cf31727849157876eab2a9f
Instruction ID: ce34c794ba1a3ceb282f2fc435362a804526ededbdfdc118f2c5a09e0b5aae4d
Opcode Fuzzy Hash: 0ad987277e8095284215c95a372eb5f6cf80c1776cf31727849157876eab2a9f
Instruction Fuzzy Hash: D43267B6B90B6596DB048F16E94178D7B64F319BC9F89852ADF8C83B54EB38E471C300

Function 00007FF6C90225D0 Relevance: .5, Instructions: 510COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.17533132630.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 00000008.00000002.17533097995.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533880137.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533963138.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534092509.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534127885.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534167469.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534199815.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534242226.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534269242.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6c9020000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 621dddc85820b6b9669c90c1ac098aea83f3a6e1c9f60fd3a8c13654824637f4
Instruction ID: 22b0566a39ecef48080333c33ea5c403387aa0d165cce6c36038287519120c70
Opcode Fuzzy Hash: 621dddc85820b6b9669c90c1ac098aea83f3a6e1c9f60fd3a8c13654824637f4
Instruction Fuzzy Hash: 2D22A612E08FEA52E6234B79C4071B66710EFB7B88F01E717FED8B1592DF75A9859200

Function 00007FF6C9021D60 Relevance: .5, Instructions: 452COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.17533132630.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 00000008.00000002.17533097995.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533880137.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533963138.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534092509.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534127885.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534167469.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534199815.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534242226.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534269242.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6c9020000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0d8db660dafa7654a1594341d234b86c4b903bc484b0369b76a9fc2ccc5b30d
Instruction ID: 9c347f7502813cf2d48fff9f39745edf98abfb4bf7d6bfdbe5df6908b9273323
Opcode Fuzzy Hash: c0d8db660dafa7654a1594341d234b86c4b903bc484b0369b76a9fc2ccc5b30d
Instruction Fuzzy Hash: 35229722D0CFCA51E6224B79D0065B56720BFB7294B00D32BFFC9B1872EB76B6919611

Function 00007FF6C915B2F0 Relevance: .4, Instructions: 380COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.17533132630.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 00000008.00000002.17533097995.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533880137.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533963138.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534092509.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534127885.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534167469.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534199815.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534242226.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534269242.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6c9020000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 504bc672de84d86b575e5438c7767dfee128b17fd9ae9144e57f362a9b4b0cf7
Instruction ID: 92466b1fa949a08b1779f3d0aea407e6d09729e405256d1ed5aacb8f73edb31e
Opcode Fuzzy Hash: 504bc672de84d86b575e5438c7767dfee128b17fd9ae9144e57f362a9b4b0cf7
Instruction Fuzzy Hash: 07D11162B5965282FB258F11E5066797E61AF10FE2F524231DAEE87FD1EE6CF6018300

Function 00007FF6C91800A0 Relevance: .4, Instructions: 351COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.17533132630.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 00000008.00000002.17533097995.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533880137.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533963138.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534092509.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534127885.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534167469.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534199815.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534242226.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534269242.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6c9020000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70a06d24f4e4940138e54c62e0154ea061a3ee66c185b8a310f74e54335d7676
Instruction ID: 816eaf69e6fca0a75da85a51598bd62d6f3a006a7b90971c75979ddd698cd7b3
Opcode Fuzzy Hash: 70a06d24f4e4940138e54c62e0154ea061a3ee66c185b8a310f74e54335d7676
Instruction Fuzzy Hash: CDE1E732A0860ACDE76D8E28C1563FD2B91EF46F55F164236CE8D96AD5CF2DE841D304

Function 00007FF6C9188950 Relevance: .3, Instructions: 340COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.17533132630.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 00000008.00000002.17533097995.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533880137.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533963138.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534092509.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534127885.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534167469.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534199815.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534242226.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534269242.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6c9020000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b8bf175057eecc36b28bd10acfb2b7c2b2d39238efee46203f608f236714316
Instruction ID: a263e1beef6820103b84c738a87c6a5577517230759729c8378a58b0432d322e
Opcode Fuzzy Hash: 6b8bf175057eecc36b28bd10acfb2b7c2b2d39238efee46203f608f236714316
Instruction Fuzzy Hash: 37C11972B1928687D738CF19A04566ABB91F794F85F458276DB9E83B84DF3CE801CB04

Function 00007FF6C918F0C8 Relevance: .3, Instructions: 339COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.17533132630.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 00000008.00000002.17533097995.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533880137.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533963138.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534092509.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534127885.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534167469.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534199815.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534242226.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534269242.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6c9020000_setup.jbxd

Similarity

API ID: ErrorLast$CodePageValidValue
String ID:
API String ID: 1184045147-0
Opcode ID: 439e94ed522c7d50e1c3058a5210592d689b5f06cd86d690d4c2dd28b3d20cef
Instruction ID: 8a7e5c13aea781d79627d5ff81e7b9d44cce15e1bf2030f4cfdeaea771aeed94
Opcode Fuzzy Hash: 439e94ed522c7d50e1c3058a5210592d689b5f06cd86d690d4c2dd28b3d20cef
Instruction Fuzzy Hash: 8AD1D566B0868285EB649F6294023BA2BA1FB94F89F414032DECDC7F88EE3CD555D344

Function 00007FF6C902BBC0 Relevance: .3, Instructions: 336COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.17533132630.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 00000008.00000002.17533097995.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533880137.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533963138.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534092509.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534127885.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534167469.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534199815.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534242226.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534269242.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6c9020000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02140bbe0d57d6640f0ddbc5c71dd3ff2052700b542f9c89a293695cee4a1ea7
Instruction ID: 133e587e1093e381037f9032b7dd63b80cd6229d81d7162dfb33f64b8ad3e5d2
Opcode Fuzzy Hash: 02140bbe0d57d6640f0ddbc5c71dd3ff2052700b542f9c89a293695cee4a1ea7
Instruction Fuzzy Hash: D8D1AC9BC28FDA45F313573D54436A2E610AFFB5D9A20E307FDF471A22EB50B2956220

Function 00007FF6C9184624 Relevance: .3, Instructions: 327COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.17533132630.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 00000008.00000002.17533097995.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533880137.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533963138.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534092509.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534127885.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534167469.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534199815.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534242226.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534269242.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6c9020000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40bb43c91830abca7e1becee402df8ca7a42ac664639fca77be1c8283726474e
Instruction ID: b4e9852209e5013b4e57d01ab86e0118a877dc19a4b8c7b451f128a0d5cd3cc1
Opcode Fuzzy Hash: 40bb43c91830abca7e1becee402df8ca7a42ac664639fca77be1c8283726474e
Instruction Fuzzy Hash: 0CD1C526E0864285EB7CCE27814227D2BA1EB46F49F164237CE8D87ED5DF39D841E748

Function 00007FF6C9144B00 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.17533132630.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 00000008.00000002.17533097995.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533880137.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533963138.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534092509.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534127885.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534167469.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534199815.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534242226.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534269242.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6c9020000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce4dcb85168ef72083772bcc6d0097c9f0164d29974ad0d9bafd6e8d9792e487
Instruction ID: ec11a52fb80718819106b90e14d5e38a047d87c9274d5eaf2d5eec0330bcb6d1
Opcode Fuzzy Hash: ce4dcb85168ef72083772bcc6d0097c9f0164d29974ad0d9bafd6e8d9792e487
Instruction Fuzzy Hash: 9AA1BAD2F8163D43DE088F96A8628A89B46B798FD4708B133DE0E5B799DC3CD596C204

Function 00007FF6C9021760 Relevance: .3, Instructions: 310COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.17533132630.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 00000008.00000002.17533097995.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533880137.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533963138.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534092509.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534127885.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534167469.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534199815.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534242226.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534269242.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6c9020000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: daf0e0dfe6573bd52038698bb5992c6f245c2f2e0251e08476892236e289c43a
Instruction ID: 61df29a3f86fe829a4946aee54a25193bc0ff13d4233ed7e73842b50ce85ed18
Opcode Fuzzy Hash: daf0e0dfe6573bd52038698bb5992c6f245c2f2e0251e08476892236e289c43a
Instruction Fuzzy Hash: 45F1F912D1CFC593E6654F3996053BA6720FBB9348F02E715EFD922962DF28F2E59200

Function 00007FF6C9188E64 Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.17533132630.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 00000008.00000002.17533097995.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533880137.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533963138.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534092509.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534127885.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534167469.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534199815.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534242226.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534269242.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6c9020000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ded8975a88d75110e26b69e6b7a23fe0d1fc6eacc2f389e709bc412cb0a8441d
Instruction ID: f055e669c2a8657e739100268336f5f4f85b2c23488875696a502f25a1c199ef
Opcode Fuzzy Hash: ded8975a88d75110e26b69e6b7a23fe0d1fc6eacc2f389e709bc412cb0a8441d
Instruction Fuzzy Hash: 84913622B1C24646FF6C4E2594127B92A90AF50F95F06063ADDAEC7FC5DE3CE505EB08

Function 00007FF6C920EFD0 Relevance: .3, Instructions: 284COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.17533132630.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 00000008.00000002.17533097995.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533880137.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533963138.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534092509.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534127885.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534167469.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534199815.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534242226.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534269242.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6c9020000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c93305d311a4ad55f2c22c3e63d2a65f5b3ca997788a3affb052b1963b69c19b
Instruction ID: f70aefd6257e95a2277afe4ad5938a7f976174b2b7fa02f7dcd38ee80a1e024f
Opcode Fuzzy Hash: c93305d311a4ad55f2c22c3e63d2a65f5b3ca997788a3affb052b1963b69c19b
Instruction Fuzzy Hash: 0ED15F62D58FC582F7226F39A5033FAE360AFE6749F10E311FED431655EF69A2918240

Function 00007FF6C915B880 Relevance: .3, Instructions: 274COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.17533132630.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 00000008.00000002.17533097995.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533880137.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533963138.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534092509.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534127885.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534167469.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534199815.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534242226.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534269242.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6c9020000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee1d4240526fd9477c2d5b6fbcfe79e1984c8ac7f3301b5f3c82ba07d6db62e7
Instruction ID: b327b354576e82e79f3139c1bb01827d830c0bda4b5a7d6e20f5c8080aa69899
Opcode Fuzzy Hash: ee1d4240526fd9477c2d5b6fbcfe79e1984c8ac7f3301b5f3c82ba07d6db62e7
Instruction Fuzzy Hash: DFA14322B5D29242FB248E2A9116B7D7E81DB51FE5F524731DAEE87FD5CE2CE2418300

Function 00007FF6C915AEC0 Relevance: .3, Instructions: 273COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.17533132630.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 00000008.00000002.17533097995.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533880137.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533963138.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534092509.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534127885.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534167469.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534199815.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534242226.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534269242.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6c9020000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dadd2df3bcfee6bcc6739c5a9117bea721475d8aea82fb002f18e46e209621c9
Instruction ID: 7dfa3ffc8ecf70d08bdaf109c9688140818a2031b75ceb17428a78b3af2c6493
Opcode Fuzzy Hash: dadd2df3bcfee6bcc6739c5a9117bea721475d8aea82fb002f18e46e209621c9
Instruction Fuzzy Hash: 23A13722B5D28242FB248E2AA15677D6E91DB51FE5F514731DAAF87FD1CE2CE242C300

Function 00007FF6C917FAF0 Relevance: .2, Instructions: 250COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.17533132630.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 00000008.00000002.17533097995.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533880137.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533963138.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534092509.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534127885.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534167469.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534199815.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534242226.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534269242.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6c9020000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 206321cfd669b1f4ecd37dfe83d50a70ae25f76088157eb8ef2700a0dd6a6188
Instruction ID: 0b9740829e25484900a03f0df06aa59cbe66eece2d262933f3065a2acaecc6a6
Opcode Fuzzy Hash: 206321cfd669b1f4ecd37dfe83d50a70ae25f76088157eb8ef2700a0dd6a6188
Instruction Fuzzy Hash: 7DB1A07290865686E7648F39C05227E3FA0FB49F49F290136CE9D87B99CF39E460C740

Function 00007FF6C9090400 Relevance: .2, Instructions: 249COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.17533132630.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 00000008.00000002.17533097995.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533880137.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533963138.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534092509.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534127885.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534167469.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534199815.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534242226.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534269242.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6c9020000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3dd0d05d94dea45520dd2044245033f2654b7bbbbc2e435c5a22874bb534910
Instruction ID: a3e502c276009f97c245c60049c8a84b174690a06c8d588c19437c183e9d67dc
Opcode Fuzzy Hash: c3dd0d05d94dea45520dd2044245033f2654b7bbbbc2e435c5a22874bb534910
Instruction Fuzzy Hash: 8271AF62B09B41C1EB189F15E4812A977B0FB98F84F268539DA9C477A0DF38E5E2C340

Function 00007FF6C9184088 Relevance: .2, Instructions: 247COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.17533132630.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 00000008.00000002.17533097995.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533880137.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533963138.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534092509.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534127885.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534167469.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534199815.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534242226.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534269242.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6c9020000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3dd65075f5474d2932e0dd00c996a13f6ac7be8f9bc31c0e17eae7b207f5d0e
Instruction ID: efbd2ca070bb5c5c6cf06873683c0dc63bbd1fd1ab7a822e7fea521a2ee149c3
Opcode Fuzzy Hash: e3dd65075f5474d2932e0dd00c996a13f6ac7be8f9bc31c0e17eae7b207f5d0e
Instruction Fuzzy Hash: 0BB19E72A0C75585E768CF2A905227C3FA1EB45F49F2A0136CE8E87BD5CF29E441E748

Function 00007FF6C9210200 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.17533132630.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 00000008.00000002.17533097995.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533880137.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533963138.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534092509.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534127885.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534167469.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534199815.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534242226.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534269242.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6c9020000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23c9bc8189861f349365d6e65091a462a4c7f6b56464f9cead88a0efeff6166a
Instruction ID: 8640f6822c34127442347f30cde247d92b14e444473dbc47368b2e030119307d
Opcode Fuzzy Hash: 23c9bc8189861f349365d6e65091a462a4c7f6b56464f9cead88a0efeff6166a
Instruction Fuzzy Hash: 25A1C766D28FD941E323563EA4037B7D714AFFB1D8E10E313BEC471C62DB658242A658

Function 00007FF6C919E1E8 Relevance: .2, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.17533132630.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 00000008.00000002.17533097995.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533880137.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533963138.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534092509.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534127885.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534167469.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534199815.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534242226.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534269242.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6c9020000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f63dcb270745f5ab8b422d81bef87c92a6dd6a980e9b201f8ab3f6948ed6883b
Instruction ID: b915fa4aef8744dd14915a9c163282ac6aeb3d8cdece888f1c49bfa756695219
Opcode Fuzzy Hash: f63dcb270745f5ab8b422d81bef87c92a6dd6a980e9b201f8ab3f6948ed6883b
Instruction Fuzzy Hash: 0B81A032B08A1186EB648E29D49237D2B61FB84FD5F158636EEAED7B85CF38D5418300

Function 00007FF6C91A6CD0 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.17533132630.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 00000008.00000002.17533097995.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533880137.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533963138.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534092509.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534127885.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534167469.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534199815.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534242226.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534269242.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6c9020000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 796e77c46208386cc5a27e3e8accf46bf8400296c1101f634ff94af8a696bdb2
Instruction ID: f7e9e4dc73dc87b0b18df888acf8b399b0af7b3858df39b8a9c6dabcf6c4d7db
Opcode Fuzzy Hash: 796e77c46208386cc5a27e3e8accf46bf8400296c1101f634ff94af8a696bdb2
Instruction Fuzzy Hash: 5281E272A0878186EB74CF29945237A6E91FB45FD4F144235DACD83F89DE3CD9088B00

Function 00007FF6C902A4E0 Relevance: .2, Instructions: 191COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.17533132630.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 00000008.00000002.17533097995.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533880137.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533963138.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534092509.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534127885.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534167469.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534199815.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534242226.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534269242.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6c9020000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 943d49a28179acb6b17e54598dc5f3c7297a0172a48014cdfa5047513f315c58
Instruction ID: 42858ce704e87d82e7337dbb5c1b4504bf1351e8323591d66745dc42e29d66d4
Opcode Fuzzy Hash: 943d49a28179acb6b17e54598dc5f3c7297a0172a48014cdfa5047513f315c58
Instruction Fuzzy Hash: A86107E6F50F9883DB548B9EA402B886760F719FC5F55511AEE2C67301EA3DE9A3C340

Function 00007FF6C902A7A0 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.17533132630.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 00000008.00000002.17533097995.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533880137.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533963138.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534092509.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534127885.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534167469.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534199815.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534242226.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534269242.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6c9020000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d6523ba8e4505282c919c1d35e15f27044c6a44fab965eb172d8ea98f7d2704
Instruction ID: da7cff74ec7fdd3f23c44029e7e5cb4f6e3f0f44d058c844f84f206ffc1f1dbc
Opcode Fuzzy Hash: 0d6523ba8e4505282c919c1d35e15f27044c6a44fab965eb172d8ea98f7d2704
Instruction Fuzzy Hash: BA51BAF3B62B9485D7918FA9E444BC837A8F329F95F215115EB4C6B351DB328A62C301

Function 00007FF6C9183A3C Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.17533132630.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 00000008.00000002.17533097995.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533880137.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533963138.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534092509.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534127885.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534167469.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534199815.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534242226.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534269242.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6c9020000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a44eade12fb25c0b6b3d1970539dbd63ce4cfea2bd2f3de80bc6d28ae1977503
Instruction ID: 2e9bd5ae870f63518ce041d9333e2221eb7eee881a76d237bda894bc494c1312
Opcode Fuzzy Hash: a44eade12fb25c0b6b3d1970539dbd63ce4cfea2bd2f3de80bc6d28ae1977503
Instruction Fuzzy Hash: 2251D776A1869186E7288F29C05523C3BA0EB44F59F294132DECD97F94CF3AE853D744

Function 00007FF6C9187964 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.17533132630.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 00000008.00000002.17533097995.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533880137.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533963138.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534092509.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534127885.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534167469.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534199815.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534242226.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534269242.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6c9020000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90a7dcf2a20d29642ed3440abb071f0ab2de8843fddcd5ae8a54076427a05279
Instruction ID: 3f33e964f34fb2b40117bd48d7459f89f04b6b9281580f75c0d3ea4811335559
Opcode Fuzzy Hash: 90a7dcf2a20d29642ed3440abb071f0ab2de8843fddcd5ae8a54076427a05279
Instruction Fuzzy Hash: DA519736A18A5185E7298F29C0412383BA1EB45F69F294132CECD97B94CF7AED43D744

Function 00007FF6C9183C40 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.17533132630.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 00000008.00000002.17533097995.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533880137.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533963138.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534092509.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534127885.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534167469.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534199815.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534242226.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534269242.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6c9020000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d99f4c310266a10571c1ef14fcf6fac6d3318a8f62ba7010a15682cfc8561ae
Instruction ID: 7204df8f074a60c9a6d4eaface8aa826d7d75193f470ea2983eaf0bb077fd6c8
Opcode Fuzzy Hash: 5d99f4c310266a10571c1ef14fcf6fac6d3318a8f62ba7010a15682cfc8561ae
Instruction Fuzzy Hash: 0B519432A1869186E7288F29D0452383BA1EB45F59F694133CE8D97F94CF3AEC43E744

Function 00007FF6C9187B68 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.17533132630.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 00000008.00000002.17533097995.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533880137.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533963138.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534092509.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534127885.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534167469.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534199815.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534242226.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534269242.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6c9020000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c702b0eb3b94447290dc41a75d2a5eeb4934156a0ec8217464ae20878b18c10f
Instruction ID: dea22eddd2fb745602a2f1b6d56c59f9bca312602096a5c564e86f2e30f8741b
Opcode Fuzzy Hash: c702b0eb3b94447290dc41a75d2a5eeb4934156a0ec8217464ae20878b18c10f
Instruction Fuzzy Hash: 0351B837A1865286E7288F29C0456383BA1EB45F5DF255132CE8C97B94DF3AEC43E744

Function 00007FF6C9183E44 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.17533132630.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 00000008.00000002.17533097995.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533880137.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533963138.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534092509.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534127885.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534167469.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534199815.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534242226.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534269242.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6c9020000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a63e871cf49a8e94c90b7a2cc03a23c1f105e093a6c08225001c73726cdc9446
Instruction ID: 5d3b8d23546b5ffed4c469940728114cc6dd4203394e42852862196d3ec9c33f
Opcode Fuzzy Hash: a63e871cf49a8e94c90b7a2cc03a23c1f105e093a6c08225001c73726cdc9446
Instruction Fuzzy Hash: 07519432A2869185E7298F29C44523C3BA0EB45F59F294132DECD97F94CF3AE843D784

Function 00007FF6C9187D6C Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.17533132630.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 00000008.00000002.17533097995.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533880137.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533963138.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534092509.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534127885.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534167469.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534199815.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534242226.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534269242.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6c9020000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c892b269753ff62801476638f2041f9d580d7c4eafb56b718dff3a8df8e2fc0a
Instruction ID: 31cd2e9936c25b43ebac707c4d45c6ee1357173117f9c865e704c9be76ec58dd
Opcode Fuzzy Hash: c892b269753ff62801476638f2041f9d580d7c4eafb56b718dff3a8df8e2fc0a
Instruction Fuzzy Hash: 3C51B372A1865186E7298F29C0512383BA0EB45F59F264132DECD97F94DF3AEC43E784

Function 00007FF6C90232C0 Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.17533132630.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 00000008.00000002.17533097995.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533880137.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533963138.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534092509.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534127885.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534167469.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534199815.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534242226.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534269242.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6c9020000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fc2bf2b83032198a67ac61c1ea21eb8dc61060c81777fcccf0e456d18e70d14
Instruction ID: 04e0dd40d304b70ff55a24ebedb6b19b60862df5a37a5444e5a3e11032c799b3
Opcode Fuzzy Hash: 3fc2bf2b83032198a67ac61c1ea21eb8dc61060c81777fcccf0e456d18e70d14
Instruction Fuzzy Hash: CA510226D1DF5642F7132F3A58023659A00AFE3664F50D73BEDF975EA0EB29F644A200

Function 00007FF6C902B880 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.17533132630.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 00000008.00000002.17533097995.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533880137.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533963138.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534092509.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534127885.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534167469.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534199815.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534242226.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534269242.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6c9020000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42d2853d6d25c8ac8fa8aa2bb5f43d153a020d42525510b9c7ef5fa25c1213e0
Instruction ID: c8dc9ec1bb276ffac69ae66f4721eca2174aeeb9cd89f5fe9c712396583f1c52
Opcode Fuzzy Hash: 42d2853d6d25c8ac8fa8aa2bb5f43d153a020d42525510b9c7ef5fa25c1213e0
Instruction Fuzzy Hash: EC41E3EAC29FA945E723A33A6D43286D9009EF7989550E303FCF439E65F701B4D13224

Function 00007FF6C920FF90 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.17533132630.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 00000008.00000002.17533097995.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533880137.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533963138.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534092509.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534127885.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534167469.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534199815.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534242226.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534269242.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6c9020000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc3f05929c8900878139d05e44900f0fdb1ed16f7cb359513cb1362922af60e2
Instruction ID: 776a61ef53efef4063384809d2e7d4bc70e894416faa90e86caf87253d664a0a
Opcode Fuzzy Hash: bc3f05929c8900878139d05e44900f0fdb1ed16f7cb359513cb1362922af60e2
Instruction Fuzzy Hash: 90514E6AD29FC946F3135B3D64032B7E318AEF7598A10E317FED434C65EB5692436208

Function 00007FF6C902CDD0 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.17533132630.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 00000008.00000002.17533097995.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533880137.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533963138.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534092509.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534127885.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534167469.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534199815.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534242226.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534269242.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6c9020000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c5488b7b858f44f52b2a6e2295f82b78b601d236fdbb6e7d3615c35d984c3b7
Instruction ID: f601ed426ded3b3665a4c972a4dc792d957e644e3daf039143f50ff32babf80a
Opcode Fuzzy Hash: 2c5488b7b858f44f52b2a6e2295f82b78b601d236fdbb6e7d3615c35d984c3b7
Instruction Fuzzy Hash: AE4160A9D19FAA42FB13673D680332396009FF3698E42D71BFDF439DA9D716B6006214

Function 00007FF6C902CBA8 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.17533132630.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 00000008.00000002.17533097995.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533880137.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533963138.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534092509.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534127885.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534167469.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534199815.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534242226.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534269242.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6c9020000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 524ca352175f30e95ae32374966962862c036f33d1e389b35ce814727406d4fe
Instruction ID: a1d21f1f43cc94e000e979e45ce57693035a8b91be38fe369a64fc10ceb128b7
Opcode Fuzzy Hash: 524ca352175f30e95ae32374966962862c036f33d1e389b35ce814727406d4fe
Instruction Fuzzy Hash: 28414FA9D1EFA902EB03A73A680332796109FF3649E42D71BFDF439EA5D706B5006214

Function 00007FF6C90238E0 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.17533132630.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 00000008.00000002.17533097995.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533880137.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533963138.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534092509.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534127885.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534167469.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534199815.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534242226.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534269242.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6c9020000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6d1ae9f7e43592ba1c1284e986eae7d93285f5d9ad7d21aa12871fea0bcb32f
Instruction ID: d0def387222fd67eb652dbba82e8bdc37066e6ee8f65d6f7aaf70619802043bc
Opcode Fuzzy Hash: f6d1ae9f7e43592ba1c1284e986eae7d93285f5d9ad7d21aa12871fea0bcb32f
Instruction Fuzzy Hash: A641F42BE2CFD721F31387396403536E6005FF729AA81E72FFDE4B5862AB6553416218

Function 00007FF6C90B9780 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.17533132630.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 00000008.00000002.17533097995.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533880137.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533963138.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534092509.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534127885.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534167469.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534199815.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534242226.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534269242.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6c9020000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71940e01a306be8021bfe6deac28e9421aa0f22438bb7322794df82a37aecf2b
Instruction ID: ee15b470aeae1768e87aba3a1a312f3c471041230fed93a14db8e76aea5f2dea
Opcode Fuzzy Hash: 71940e01a306be8021bfe6deac28e9421aa0f22438bb7322794df82a37aecf2b
Instruction Fuzzy Hash: C951531260CBC251E3968B3ED60936F6F50A706379F4983A8C7F84A5D3DF68A275C342

Function 00007FF6C918BC7C Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.17533132630.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 00000008.00000002.17533097995.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533880137.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533963138.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534092509.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534127885.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534167469.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534199815.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534242226.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534269242.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6c9020000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f872824676dc175e1c92aa5085edc5dafc5ba610c863b9d594a52ea5f7c3fbd
Instruction ID: 53e85ff1faa72b740a34cd7531edfa17017c13c5c6cec724656b8bd67c9886a7
Opcode Fuzzy Hash: 7f872824676dc175e1c92aa5085edc5dafc5ba610c863b9d594a52ea5f7c3fbd
Instruction Fuzzy Hash: D331E222ECC14295F7BD5D2981576791D02DF82F0AF268A33C48D82E99CD2DB742F50C

Function 00007FF6C9023B70 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.17533132630.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 00000008.00000002.17533097995.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533880137.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533963138.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534092509.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534127885.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534167469.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534199815.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534242226.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534269242.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6c9020000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84790bd1b19cc18e8f02bb118646ca6f24fd432bb03637ddac122ddf76455e2b
Instruction ID: ef4bd028065b045220355e1b4f4c14e33514c0b31c0c5baff8eb13b34d0e5b44
Opcode Fuzzy Hash: 84790bd1b19cc18e8f02bb118646ca6f24fd432bb03637ddac122ddf76455e2b
Instruction Fuzzy Hash: 3C31272AD2DFD751F7138B3E5407515DA14AFF2286A90E31FF9E835822FB159345A308

Function 00007FF6C9023D10 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.17533132630.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 00000008.00000002.17533097995.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533880137.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533963138.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534092509.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534127885.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534167469.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534199815.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534242226.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534269242.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6c9020000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b58520b1b2c3b678515e7f28fde9ddbefe3515ff2f8870b67273e2c75d3a57e5
Instruction ID: e7ed4fd28a86f7ed41601300bad3845993b4b6d33f6bb16ecb169093edf1b703
Opcode Fuzzy Hash: b58520b1b2c3b678515e7f28fde9ddbefe3515ff2f8870b67273e2c75d3a57e5
Instruction Fuzzy Hash: 56316A11E18F4781F74A3F78640A2B99A116F91B0AF42D33EF5DCB9CD2DF2CA9456105

Function 00007FF6C9023780 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.17533132630.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 00000008.00000002.17533097995.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533880137.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533963138.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534092509.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534127885.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534167469.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534199815.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534242226.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534269242.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6c9020000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c91bd90ac82afa8cacc4507911d468d29f4101c42a25a2cbb571c5c9a6c81ae4
Instruction ID: dcf1c6bae12d6b2da0828c15335ff3af24f99d557c5b011f32970a15429d3f93
Opcode Fuzzy Hash: c91bd90ac82afa8cacc4507911d468d29f4101c42a25a2cbb571c5c9a6c81ae4
Instruction Fuzzy Hash: 3A21F22AD2DFD751F7138B3E6507516DA00AFF3285A90E72FF9E834C62EB1587806218

Function 00007FF6C902BAF2 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.17533132630.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 00000008.00000002.17533097995.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533880137.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533963138.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534092509.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534127885.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534167469.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534199815.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534242226.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534269242.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6c9020000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1df720d5b6f1e8d342d501bb9f1ff367afbcdeb628d678a28b087f0942a46ab2
Instruction ID: a9de76b14921159b761a56edb312754a4468a1fd009fa0938f4f3ee1e11b900d
Opcode Fuzzy Hash: 1df720d5b6f1e8d342d501bb9f1ff367afbcdeb628d678a28b087f0942a46ab2
Instruction Fuzzy Hash: FD0146EAC24FBA42E723A3396943286D910AEF3589520E307FDF434E15F301B5E07224

Function 00007FF6C9095630 Relevance: 14.3, APIs: 3, Strings: 5, Instructions: 310threadtimeCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6C9170B30: GetLastError.KERNEL32(?,?,00000002,00007FF6C909566F,?,?,00000002,?,..\..\third_party\crashpad\crashpad\util\file\file_io_win.cc,00000000,?,?,FFFFFFFF,?,00007FF6C91F239C), ref: 00007FF6C9170B4C
Part of subcall function 00007FF6C9170B30: SetLastError.KERNEL32(?,?,00000002,00007FF6C909566F,?,?,00000002,?,..\..\third_party\crashpad\crashpad\util\file\file_io_win.cc,00000000,?,?,FFFFFFFF,?,00007FF6C91F239C), ref: 00007FF6C9170B57

GetCurrentThreadId.KERNEL32 ref: 00007FF6C9095735
GetLocalTime.KERNEL32(?,?,00000002,?,..\..\third_party\crashpad\crashpad\util\file\file_io_win.cc,00000000,?,?,FFFFFFFF,?,00007FF6C91F239C), ref: 00007FF6C9095776

Strings

UNKNOWN, xrefs: 00007FF6C9095A2F
)] , xrefs: 00007FF6C9095916
:\/, xrefs: 00007FF6C90958D4
..\..\third_party\crashpad\crashpad\util\file\file_io_win.cc, xrefs: 00007FF6C9095639
VERBOSE, xrefs: 00007FF6C9095A62

Memory Dump Source

Source File: 00000008.00000002.17533132630.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 00000008.00000002.17533097995.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533880137.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533963138.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534092509.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534127885.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534167469.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534199815.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534242226.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534269242.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6c9020000_setup.jbxd

Similarity

API ID: ErrorLast$CurrentLocalThreadTime
String ID: )] $..\..\third_party\crashpad\crashpad\util\file\file_io_win.cc$:\/$UNKNOWN$VERBOSE
API String ID: 359520752-2521604196
Opcode ID: 01f367ec5f9e9eb59d691373b697e9a042bcc1b7c6773b7304142ee292cb34b2
Instruction ID: 1f0ee3adbd5c15d3a86d17d8e7c5ae77a6aa7afc29a2e763a48f0ba94dcafd3c
Opcode Fuzzy Hash: 01f367ec5f9e9eb59d691373b697e9a042bcc1b7c6773b7304142ee292cb34b2
Instruction Fuzzy Hash: AED1C321B1968284EF14DF16E4552BA6F90EB89FCAF864439DECD8B792DE3DE141C700

Function 00007FF6C91A5880 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 117libraryloaderCOMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00000000,00007FF6C91A566C,?,?,00000000,00007FF6C91A7E63,?,?,00000003,00007FF6C918E33D), ref: 00007FF6C91A59FC
GetProcAddress.KERNEL32(?,?,00000000,00007FF6C91A566C,?,?,00000000,00007FF6C91A7E63,?,?,00000003,00007FF6C918E33D), ref: 00007FF6C91A5A08

Strings

ext-ms-, xrefs: 00007FF6C91A5959
MZx, xrefs: 00007FF6C91A589F, 00007FF6C91A5985, 00007FF6C91A59E5
api-ms-, xrefs: 00007FF6C91A5946

Memory Dump Source

Source File: 00000008.00000002.17533132630.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 00000008.00000002.17533097995.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533880137.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533963138.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534092509.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534127885.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534167469.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534199815.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534242226.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534269242.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6c9020000_setup.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: MZx$api-ms-$ext-ms-
API String ID: 3013587201-2431898299
Opcode ID: 13f8f4d5adfa5fe98ff9d75ff434922d7620d7c2fd455643e412e673fb3db0a4
Instruction ID: 50d4bff8499593dca60688d9916a3521f2f01dd5395462f61b2aa2c891212baf
Opcode Fuzzy Hash: 13f8f4d5adfa5fe98ff9d75ff434922d7620d7c2fd455643e412e673fb3db0a4
Instruction Fuzzy Hash: DC41E322B29B4285FB16CF1699456792B91BF55BA2F094135DD8DCBB84EE3CEC49C200

Function 00007FF6C91B0DC4 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 88libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,00000012,?,00007FF6C91B0CEB,?,?,00000000,00007FF6C91A0A72,?,?,?,00007FF6C917DDA9), ref: 00007FF6C91B0E49
GetLastError.KERNEL32(?,00000012,?,00007FF6C91B0CEB,?,?,00000000,00007FF6C91A0A72,?,?,?,00007FF6C917DDA9), ref: 00007FF6C91B0E57
LoadLibraryExW.KERNEL32(?,00000012,?,00007FF6C91B0CEB,?,?,00000000,00007FF6C91A0A72,?,?,?,00007FF6C917DDA9), ref: 00007FF6C91B0E81
FreeLibrary.KERNEL32(?,00000012,?,00007FF6C91B0CEB,?,?,00000000,00007FF6C91A0A72,?,?,?,00007FF6C917DDA9), ref: 00007FF6C91B0EEF
GetProcAddress.KERNEL32(?,00000012,?,00007FF6C91B0CEB,?,?,00000000,00007FF6C91A0A72,?,?,?,00007FF6C917DDA9), ref: 00007FF6C91B0EFB

Strings

MZx, xrefs: 00007FF6C91B0DE2, 00007FF6C91B0E92, 00007FF6C91B0ED8
..\..\third_party\crashpad\crashpad\util\file\file_io_win.cc, xrefs: 00007FF6C91B0DD8
api-ms-, xrefs: 00007FF6C91B0E69

Memory Dump Source

Source File: 00000008.00000002.17533132630.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 00000008.00000002.17533097995.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533880137.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533963138.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534092509.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534127885.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534167469.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534199815.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534242226.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534269242.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6c9020000_setup.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: ..\..\third_party\crashpad\crashpad\util\file\file_io_win.cc$MZx$api-ms-
API String ID: 2559590344-3539208823
Opcode ID: 4297d0d72445a5ed14222d767aff36e0ccd66d9d2c0f99644abded0481749379
Instruction ID: a08a293f5a06761c69f735fb3f6120f768f654cb584aa394f4ee392bdd8861a2
Opcode Fuzzy Hash: 4297d0d72445a5ed14222d767aff36e0ccd66d9d2c0f99644abded0481749379
Instruction Fuzzy Hash: 6F31C162B1AB42C9FF119F12A5015752BA5BF48FA2F490535DD9D8BB88DF3CE4858304

Function 00007FF6C90EABB0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 74COMMON

Download Yara Rule

APIs

InitOnceExecuteOnce.KERNEL32(?,?,00000000,00000000,..\..\third_party\boringssl\src\crypto\mem.c,?,00007FF6C922A4D9,?,?,?,0000000E,00007FF6C922A509), ref: 00007FF6C90EABF3
GetLastError.KERNEL32(?,?,?,0000000E,00007FF6C922A509), ref: 00007FF6C90EAC0E
TlsGetValue.KERNEL32(?,?,?,0000000E,00007FF6C922A509), ref: 00007FF6C90EAC1C
SetLastError.KERNEL32(?,?,?,0000000E,00007FF6C922A509), ref: 00007FF6C90EAC27
TlsSetValue.KERNEL32(?,?,?,0000000E,00007FF6C922A509), ref: 00007FF6C90EAC52
AcquireSRWLockExclusive.KERNEL32(?,?,?,0000000E,00007FF6C922A509), ref: 00007FF6C90EAC66
ReleaseSRWLockExclusive.KERNEL32(?,?,?,0000000E,00007FF6C922A509), ref: 00007FF6C90EAC7D

Strings

..\..\third_party\boringssl\src\crypto\mem.c, xrefs: 00007FF6C90EABB2

Memory Dump Source

Source File: 00000008.00000002.17533132630.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 00000008.00000002.17533097995.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533880137.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533963138.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534092509.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534127885.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534167469.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534199815.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534242226.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534269242.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6c9020000_setup.jbxd

Similarity

API ID: ErrorExclusiveLastLockOnceValue$AcquireExecuteInitRelease
String ID: ..\..\third_party\boringssl\src\crypto\mem.c
API String ID: 389898287-3521738057
Opcode ID: 967fd5c76b4b0f57fde2daf56290db014900a64f721b7223f059e74187000840
Instruction ID: deab6c1db8a8555a80899cde34018235a216c8e3104a68a4273e7310fdb232b4
Opcode Fuzzy Hash: 967fd5c76b4b0f57fde2daf56290db014900a64f721b7223f059e74187000840
Instruction Fuzzy Hash: D0317E22B2961296FB40DF11EA556793B94AF49B9BF460039DCCEC77A1DE3CE449C380

Function 00007FF6C9057D20 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 155libraryloaderthreadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00007FF6C9057D84
LocalFree.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF6C9058535,?,?,?,?,?,?), ref: 00007FF6C9057E6B
GetModuleHandleA.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF6C9058535,?,?,?,?,?,?), ref: 00007FF6C9057EC2
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF6C9058535,?,?,?,?,?,?), ref: 00007FF6C9057ED2

Strings

GetThreadDescription, xrefs: 00007FF6C9057EC8
Kernel32.dll, xrefs: 00007FF6C9057EBB

Memory Dump Source

Source File: 00000008.00000002.17533132630.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 00000008.00000002.17533097995.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533880137.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533963138.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534092509.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534127885.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534167469.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534199815.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534242226.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534269242.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6c9020000_setup.jbxd

Similarity

API ID: AddressCurrentFreeHandleLocalModuleProcThread
String ID: GetThreadDescription$Kernel32.dll
API String ID: 4205643583-415897907
Opcode ID: 1e186edd2776d1896afa59f4117647d973993565de39774fba5899ca52d97945
Instruction ID: 924da906f0170f1086d7dcff4f683be56b35e3eb7c4ef7dc0f4a428673468fa9
Opcode Fuzzy Hash: 1e186edd2776d1896afa59f4117647d973993565de39774fba5899ca52d97945
Instruction Fuzzy Hash: F351AF32B18B4281FB10DF15E9411B97BA1EF48BE6F554235DADE87BA5DE3CE8418700

Function 00007FF6C91A46E4 Relevance: 10.6, APIs: 7, Instructions: 62COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF6C91A46F3
FlsGetValue.KERNEL32 ref: 00007FF6C91A4708
FlsSetValue.KERNEL32 ref: 00007FF6C91A4729
FlsSetValue.KERNEL32 ref: 00007FF6C91A4756
FlsSetValue.KERNEL32 ref: 00007FF6C91A4767
FlsSetValue.KERNEL32 ref: 00007FF6C91A4778
SetLastError.KERNEL32 ref: 00007FF6C91A4793

Memory Dump Source

Source File: 00000008.00000002.17533132630.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 00000008.00000002.17533097995.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533880137.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533963138.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534092509.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534127885.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534167469.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534199815.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534242226.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534269242.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6c9020000_setup.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 41b5958701493da588de957a310c25c635e8a11efb66ac24fd9486dc90d30bd0
Instruction ID: d52e9cdd42addfcb46d98bfd61c1e2f5b3e2fe956e7051b7f6a999ea7500922a
Opcode Fuzzy Hash: 41b5958701493da588de957a310c25c635e8a11efb66ac24fd9486dc90d30bd0
Instruction Fuzzy Hash: CC217C24F0C28281FB58AF76565213D6A526F45BF2F150A34D9FEC6EDAEE2CEC054280

Function 00007FF6C91B351C Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 00007FF6C91B354D
GetLastError.KERNEL32 ref: 00007FF6C91B3559
CloseHandle.KERNEL32 ref: 00007FF6C91B3571
CreateFileW.KERNEL32 ref: 00007FF6C91B359C
WriteConsoleW.KERNEL32 ref: 00007FF6C91B35BB

Strings

CONOUT$, xrefs: 00007FF6C91B357D

Memory Dump Source

Source File: 00000008.00000002.17533132630.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 00000008.00000002.17533097995.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533880137.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533963138.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534092509.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534127885.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534167469.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534199815.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534242226.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534269242.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6c9020000_setup.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: 352ad203f3a051f1809320f21ee2bf24d8655c668510723fd4d908605e4da839
Instruction ID: 5f5ebdce087cd9ea4726591fbef1967709864ae4166ac027930352489cc9927d
Opcode Fuzzy Hash: 352ad203f3a051f1809320f21ee2bf24d8655c668510723fd4d908605e4da839
Instruction Fuzzy Hash: 83118472A28A8186F7509F22E9443297AA0FB88FE6F400234D9DEC7B94CF7CD455C740

Function 00007FF6C90EAEC0 Relevance: 9.1, APIs: 6, Instructions: 112COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 00007FF6C90EAEF8
TlsSetValue.KERNEL32 ref: 00007FF6C90EAF24
TlsSetValue.KERNEL32 ref: 00007FF6C90EAF52
TlsFree.KERNEL32 ref: 00007FF6C90EAF9E

Part of subcall function 00007FF6C91292D0: TlsAlloc.KERNEL32(?,?,?,00007FF6C90EAE3F,?,?,?,?,?,?,?,?,00007FF6C916C65E), ref: 00007FF6C91292D8

TlsFree.KERNEL32 ref: 00007FF6C90EAFD2
TlsGetValue.KERNEL32(?,?,?,?,00007FF6C90EAE3F,?,?,?,?,?,?,?,?,00007FF6C916C65E), ref: 00007FF6C90EB002

Memory Dump Source

Source File: 00000008.00000002.17533132630.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 00000008.00000002.17533097995.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533880137.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533963138.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534092509.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534127885.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534167469.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534199815.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534242226.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534269242.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6c9020000_setup.jbxd

Similarity

API ID: Value$Free$Alloc
String ID:
API String ID: 4173863045-0
Opcode ID: 2dfee3b73742b931610fb220fb3e05290e81009dcbcda51c2658139d21a19019
Instruction ID: a9f6dbb7460f6c70f43b6cebfea8230845bb44a2e7b3f005cabfb0d1a11b222e
Opcode Fuzzy Hash: 2dfee3b73742b931610fb220fb3e05290e81009dcbcda51c2658139d21a19019
Instruction Fuzzy Hash: 3A31D431B185424AF7649F25E5021797A619F897A6F004338EAED87BD5CE3CE542CB40

Function 00007FF6C919A014 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 299fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 00007FF6C919A093
WriteFile.KERNEL32 ref: 00007FF6C919A35B
WriteFile.KERNEL32 ref: 00007FF6C919A3A1
GetLastError.KERNEL32 ref: 00007FF6C919A457

Strings

MZx, xrefs: 00007FF6C919A06A, 00007FF6C919A0EB, 00007FF6C919A1A0

Memory Dump Source

Source File: 00000008.00000002.17533132630.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 00000008.00000002.17533097995.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533880137.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533963138.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534092509.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534127885.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534167469.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534199815.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534242226.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534269242.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6c9020000_setup.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID: MZx
API String ID: 2718003287-2575928145
Opcode ID: 3f9a4d962f3682551a42740c76d16857cc1f7354d3bf491627a76f20b6ada767
Instruction ID: afc7abaa173a9bac71a56c5870f869d4072ff8779e3f8c275393f6c6c9dba964
Opcode Fuzzy Hash: 3f9a4d962f3682551a42740c76d16857cc1f7354d3bf491627a76f20b6ada767
Instruction Fuzzy Hash: E8D10232B18B8189E711DF79D4442AC3BB2FB54B99B058236CE9D97F99DE38D50AC300

Function 00007FF6C922EA30 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 168fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32 ref: 00007FF6C922EA7F
GetLastError.KERNEL32 ref: 00007FF6C922EAA4
GetLastError.KERNEL32 ref: 00007FF6C922EBCD

Strings

CreateFile , xrefs: 00007FF6C922EACF, 00007FF6C922EBF8
..\..\third_party\crashpad\crashpad\util\file\file_io_win.cc, xrefs: 00007FF6C922EAAD, 00007FF6C922EBD6

Memory Dump Source

Source File: 00000008.00000002.17533132630.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 00000008.00000002.17533097995.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533880137.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533963138.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534092509.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534127885.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534167469.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534199815.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534242226.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534269242.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6c9020000_setup.jbxd

Similarity

API ID: ErrorLast$CreateFile
String ID: ..\..\third_party\crashpad\crashpad\util\file\file_io_win.cc$CreateFile
API String ID: 1722934493-2987130713
Opcode ID: 74a659072a881366ec01bdbdf2963224488b8312d8b12616a529507f2ec76428
Instruction ID: 662a0370a970df7b70c06c0ce029b590cfb606f7b47e749d58dcc4f5e73248d7
Opcode Fuzzy Hash: 74a659072a881366ec01bdbdf2963224488b8312d8b12616a529507f2ec76428
Instruction Fuzzy Hash: 6C51F522B2CA9241FB119F11E2553BA6B61AF89BE5F040531EEDD8BFD5CF2CE1458740

Function 00007FF6C9058C00 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 136threadCOMMON

Download Yara Rule

APIs

SwitchToThread.KERNEL32(?), ref: 00007FF6C9058D0A

Strings

%s (errno: %d, %s), xrefs: 00007FF6C9058D5C, 00007FF6C9058DAA
PERFETTO_CHECK(chunk.size() == page_chunk_size), xrefs: 00007FF6C9058D50
PERFETTO_CHECK(chunk_state == expected_chunk_state), xrefs: 00007FF6C9058D9E
..\..\third_party\perfetto\src\tracing\core\shared_memory_abi.cc, xrefs: 00007FF6C9058D3B, 00007FF6C9058D89

Memory Dump Source

Source File: 00000008.00000002.17533132630.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 00000008.00000002.17533097995.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533880137.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533963138.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534092509.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534127885.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534167469.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534199815.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534242226.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534269242.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6c9020000_setup.jbxd

Similarity

API ID: SwitchThread
String ID: %s (errno: %d, %s)$..\..\third_party\perfetto\src\tracing\core\shared_memory_abi.cc$PERFETTO_CHECK(chunk.size() == page_chunk_size)$PERFETTO_CHECK(chunk_state == expected_chunk_state)
API String ID: 115865932-3916303389
Opcode ID: 07d9ed0c1875b51bd5ab2eb666b6058fa0cd84b3aab4342cdd98731b53ec3783
Instruction ID: 0ebc553aebd02c2586f7e00086fa90defe1e4da25579d7142a13a537a923da80
Opcode Fuzzy Hash: 07d9ed0c1875b51bd5ab2eb666b6058fa0cd84b3aab4342cdd98731b53ec3783
Instruction Fuzzy Hash: FF410472B1854142E7249F11E8126B83F91FB94BA6F46423ADE9E87BD1DF3CD846C304

Function 00007FF6C918E2C4 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 00007FF6C918E2E9
GetProcAddress.KERNEL32 ref: 00007FF6C918E2FF
FreeLibrary.KERNEL32 ref: 00007FF6C918E326

Strings

CorExitProcess, xrefs: 00007FF6C918E2F8
mscoree.dll, xrefs: 00007FF6C918E2E0

Memory Dump Source

Source File: 00000008.00000002.17533132630.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 00000008.00000002.17533097995.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533880137.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533963138.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534092509.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534127885.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534167469.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534199815.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534242226.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534269242.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6c9020000_setup.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: a9cac37bfe261094b8dc3b22efd67b94b8f954481e9b60e8c58e3bcd1fa20611
Instruction ID: ffb01d5ed37271b118a1fd50316bfd704764c54d15579d31d66e1571a703f1a6
Opcode Fuzzy Hash: a9cac37bfe261094b8dc3b22efd67b94b8f954481e9b60e8c58e3bcd1fa20611
Instruction Fuzzy Hash: B3F09662B29B4281FB189F24E5453396B20EF44B63F55063ADAED8A7E4DF3CE444D708

Function 00007FF6C91A47B8 Relevance: 7.6, APIs: 5, Instructions: 50COMMON

Download Yara Rule

APIs

FlsGetValue.KERNEL32 ref: 00007FF6C91A47C9
FlsSetValue.KERNEL32 ref: 00007FF6C91A47E8
FlsSetValue.KERNEL32 ref: 00007FF6C91A4810
FlsSetValue.KERNEL32 ref: 00007FF6C91A4821
FlsSetValue.KERNEL32 ref: 00007FF6C91A4832

Memory Dump Source

Source File: 00000008.00000002.17533132630.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 00000008.00000002.17533097995.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533880137.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533963138.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534092509.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534127885.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534167469.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534199815.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534242226.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534269242.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6c9020000_setup.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: adc86de3a61ec4bc6766ae0da6590d9ccbb7d9bd1b9f56830393b6ac0f2e4d43
Instruction ID: b0c597b8e4067e0999e1a86ff660d74eb1a58e5b3749803cd2f4112a946a8279
Opcode Fuzzy Hash: adc86de3a61ec4bc6766ae0da6590d9ccbb7d9bd1b9f56830393b6ac0f2e4d43
Instruction Fuzzy Hash: FB112E10F5C28381FB68AE7655631792A415F45BB2F150B38D9FECAAD7ED2CFC094281

Function 00007FF6C90F22E0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 54fileCOMMON

Download Yara Rule

APIs

LockFileEx.KERNEL32 ref: 00007FF6C90F232F
GetLastError.KERNEL32 ref: 00007FF6C90F2355

Strings

LockFileEx, xrefs: 00007FF6C90F23AB
..\..\third_party\crashpad\crashpad\util\file\file_io_win.cc, xrefs: 00007FF6C90F2381

Memory Dump Source

Source File: 00000008.00000002.17533132630.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 00000008.00000002.17533097995.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533880137.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533963138.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534092509.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534127885.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534167469.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534199815.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534242226.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534269242.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6c9020000_setup.jbxd

Similarity

API ID: ErrorFileLastLock
String ID: ..\..\third_party\crashpad\crashpad\util\file\file_io_win.cc$LockFileEx
API String ID: 1811722133-445818742
Opcode ID: 6ffc84015dee84a4ba2bd97ad0156444c272a122fa8a2de69a3506069068795c
Instruction ID: e4ffd6009bd071fb850f93d82d039d9c681f517191ed1d83007b8d31a279e155
Opcode Fuzzy Hash: 6ffc84015dee84a4ba2bd97ad0156444c272a122fa8a2de69a3506069068795c
Instruction Fuzzy Hash: B6212732B1C69280F7309F24E4127F96B60BF497AAF400635D9CD87BD5DE2CD6468700

Function 00007FF6C90F23D0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 49fileCOMMON

Download Yara Rule

APIs

UnlockFileEx.KERNEL32 ref: 00007FF6C90F2411
GetLastError.KERNEL32 ref: 00007FF6C90F244D

Strings

UnlockFileEx, xrefs: 00007FF6C90F247B
..\..\third_party\crashpad\crashpad\util\file\file_io_win.cc, xrefs: 00007FF6C90F2456

Memory Dump Source

Source File: 00000008.00000002.17533132630.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 00000008.00000002.17533097995.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533880137.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533963138.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534092509.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534127885.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534167469.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534199815.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534242226.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534269242.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6c9020000_setup.jbxd

Similarity

API ID: ErrorFileLastUnlock
String ID: ..\..\third_party\crashpad\crashpad\util\file\file_io_win.cc$UnlockFileEx
API String ID: 3655728120-3540829929
Opcode ID: 74321f8b8f7d5f58ae51096d1de463f0c0a745a8cd725a1752318707e6174bb1
Instruction ID: 457acc310c6ed852cfe88686b4ddc0d5cb63585794e68b35bfd8789033213aed
Opcode Fuzzy Hash: 74321f8b8f7d5f58ae51096d1de463f0c0a745a8cd725a1752318707e6174bb1
Instruction Fuzzy Hash: A7110832B18A8240FB309F25F5027F66B91AF88799F404235DDCD87BD5EE2CD2868700

Function 00007FF6C90EAD10 Relevance: 6.1, APIs: 4, Instructions: 110COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6C9174780: InitOnceExecuteOnce.KERNEL32(?,?,?,?,?,?,00007FF6C917488A,?,?,?,00007FF6C916BF52), ref: 00007FF6C91747A7

TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,00007FF6C916C65E), ref: 00007FF6C90EAD7C
TryAcquireSRWLockExclusive.KERNEL32(?,?,?,?,?,?,?,?,00007FF6C916C65E), ref: 00007FF6C90EADB9
ReleaseSRWLockExclusive.KERNEL32(?,?,?,?,?,?,?,?,00007FF6C916C65E), ref: 00007FF6C90EAE23

Memory Dump Source

Source File: 00000008.00000002.17533132630.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 00000008.00000002.17533097995.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533880137.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533963138.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534092509.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534127885.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534167469.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534199815.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534242226.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534269242.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6c9020000_setup.jbxd

Similarity

API ID: ExclusiveLockOnce$AcquireExecuteInitReleaseValue
String ID:
API String ID: 4082486125-0
Opcode ID: 4c6aad0a1df59b3207a946212c4d2f0cd38ad6f04063da0a8a63a93113706dcd
Instruction ID: a3abbcda286b2d607bc9d1a21bf61b2e62c63b33aae4c871c9de8d4fb1789530
Opcode Fuzzy Hash: 4c6aad0a1df59b3207a946212c4d2f0cd38ad6f04063da0a8a63a93113706dcd
Instruction Fuzzy Hash: D7415931E1861386FB149F55EA423B93BA1AF89B96F454139D9CEC37A1DF3CA485C340

Function 00007FF6C91A4924 Relevance: 6.1, APIs: 4, Instructions: 54COMMON

Download Yara Rule

APIs

FlsSetValue.KERNEL32(?,?,00001002,00007FF6C9195DF7,?,?,00000000,00007FF6C9195D0E), ref: 00007FF6C91A4962
FlsSetValue.KERNEL32(?,?,00001002,00007FF6C9195DF7,?,?,00000000,00007FF6C9195D0E), ref: 00007FF6C91A498A
FlsSetValue.KERNEL32(?,?,00001002,00007FF6C9195DF7,?,?,00000000,00007FF6C9195D0E), ref: 00007FF6C91A499B
FlsSetValue.KERNEL32(?,?,00001002,00007FF6C9195DF7,?,?,00000000,00007FF6C9195D0E), ref: 00007FF6C91A49AC

Memory Dump Source

Source File: 00000008.00000002.17533132630.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 00000008.00000002.17533097995.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533880137.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533963138.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534092509.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534127885.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534167469.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534199815.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534242226.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534269242.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6c9020000_setup.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 82f3305764a4c9534af9f6a213f7bdfcadc34aed1809c91b5c0ae16c2b4c1711
Instruction ID: 8510fc550f17b74507357b3115de9db5334ce447a972859b7c4d67942ccef582
Opcode Fuzzy Hash: 82f3305764a4c9534af9f6a213f7bdfcadc34aed1809c91b5c0ae16c2b4c1711
Instruction Fuzzy Hash: A5117F20F0C24281FB58AF3756521392A526F48BB2F154734D9FEC6ADAEE2CEC194244

Function 00007FF6C91747D0 Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

InitOnceExecuteOnce.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00007FF6C917488A), ref: 00007FF6C917480A
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00007FF6C917488A), ref: 00007FF6C917481D
TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00007FF6C917488A), ref: 00007FF6C917482B
SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00007FF6C917488A), ref: 00007FF6C9174836

Memory Dump Source

Source File: 00000008.00000002.17533132630.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 00000008.00000002.17533097995.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533880137.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533963138.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534092509.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534127885.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534167469.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534199815.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534242226.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534269242.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6c9020000_setup.jbxd

Similarity

API ID: ErrorLastOnce$ExecuteInitValue
String ID:
API String ID: 2797425889-0
Opcode ID: a7f580a1db86c0691c8a1048bdce57d947ebae8b0d093fb778288a7fb17cac4e
Instruction ID: 062ca3ab146848a90d57c9bebf2abdb0b06caaf3c09460400372b0a1ad8e3bd1
Opcode Fuzzy Hash: a7f580a1db86c0691c8a1048bdce57d947ebae8b0d093fb778288a7fb17cac4e
Instruction Fuzzy Hash: 73117026A28A5786FB609F15EA466692B51AF48F9AF450135C8CD83BA0DE3CE545C340

Function 00007FF6C917CA54 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF6C917CA80
GetCurrentThreadId.KERNEL32 ref: 00007FF6C917CA8E
GetCurrentProcessId.KERNEL32 ref: 00007FF6C917CA9A
QueryPerformanceCounter.KERNEL32 ref: 00007FF6C917CAAA

Memory Dump Source

Source File: 00000008.00000002.17533132630.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 00000008.00000002.17533097995.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533880137.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533963138.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534092509.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534127885.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534167469.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534199815.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534242226.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534269242.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6c9020000_setup.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 3133d9487d0477d4e1ccef10edea34fdc8a106d0f9a2bfd49347af14973d681d
Instruction ID: dee25f7acb87df73a7205f725f8190650a1a22af90f59da3c73d7ef3d9f372dd
Opcode Fuzzy Hash: 3133d9487d0477d4e1ccef10edea34fdc8a106d0f9a2bfd49347af14973d681d
Instruction Fuzzy Hash: F4111C22B25B418AFB00CF60E9552A937A4FB1975AF440E31DAAD86BA4DF7CD554C380

Function 00007FF6C91A94C8 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 167COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6C91A46E4: GetLastError.KERNEL32 ref: 00007FF6C91A46F3
Part of subcall function 00007FF6C91A46E4: FlsGetValue.KERNEL32 ref: 00007FF6C91A4708
Part of subcall function 00007FF6C91A46E4: SetLastError.KERNEL32 ref: 00007FF6C91A4793

GetACP.KERNEL32(?,?,?,00000000,00000092,00007FF6C918F280), ref: 00007FF6C91A95B4
IsValidCodePage.KERNEL32(?,?,?,00000000,00000092,00007FF6C918F280), ref: 00007FF6C91A95EC

Strings

utf8, xrefs: 00007FF6C91A96D0

Memory Dump Source

Source File: 00000008.00000002.17533132630.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 00000008.00000002.17533097995.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533880137.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533963138.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534092509.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534127885.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534167469.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534199815.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534242226.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534269242.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6c9020000_setup.jbxd

Similarity

API ID: ErrorLast$CodePageValidValue
String ID: utf8
API String ID: 1184045147-905460609
Opcode ID: a098707e0e397dbba8808c8e8636d6b2b0134b7177fc512126497e28f255d04b
Instruction ID: c16cd17fe9e97481ce367a9c743de3a0f2512b2a692d09cafa3d3a442bc99207
Opcode Fuzzy Hash: a098707e0e397dbba8808c8e8636d6b2b0134b7177fc512126497e28f255d04b
Instruction Fuzzy Hash: 56618D36A0874281FB24AF6199122B92AA4AF44F82F444031DE8DC7FD5EF7CED89C710

Function 00007FF6C919A6AC Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 00007FF6C919A7C3
GetLastError.KERNEL32 ref: 00007FF6C919A7E5

Strings

U, xrefs: 00007FF6C919A76F

Memory Dump Source

Source File: 00000008.00000002.17533132630.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 00000008.00000002.17533097995.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533880137.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533963138.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534092509.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534127885.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534167469.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534199815.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534242226.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534269242.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6c9020000_setup.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: a8a422de85bc080689bc33c2ae296ae64a68efb0952aaa768e0d0158310de667
Instruction ID: 908bcf3fded9d0e8faa8465431f74dfbceb6630113cce7ba673d9ce51035ef01
Opcode Fuzzy Hash: a8a422de85bc080689bc33c2ae296ae64a68efb0952aaa768e0d0158310de667
Instruction Fuzzy Hash: 2841C522728A8185EB109F25E4463B97BA1FB98B85F514031EECDC7B98EF3DD405C740

Function 00007FF6C917CBDC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6C917B64F), ref: 00007FF6C917CC2C
RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6C917B64F), ref: 00007FF6C917CC6D

Strings

csm, xrefs: 00007FF6C917CC5A

Memory Dump Source

Source File: 00000008.00000002.17533132630.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 00000008.00000002.17533097995.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533880137.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533963138.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534092509.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534127885.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534167469.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534199815.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534242226.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534269242.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6c9020000_setup.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 6069ad5b81e3bc1f2d8a70c0aad8b9ed6a44de4b6d1ca3e4fb3a3b470db0722c
Instruction ID: acf116d5936066f9c5bc4d1ac57575fb0b3d47943844f268883a37b1bfeeee74
Opcode Fuzzy Hash: 6069ad5b81e3bc1f2d8a70c0aad8b9ed6a44de4b6d1ca3e4fb3a3b470db0722c
Instruction Fuzzy Hash: A9116D72618B8182EB248F15F540269BBE4FB88B95F598230DECC47B68DF3CC951CB00

Function 00007FF6C9056350 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNEL32(?,?,?,00007FF6C9056818,?,?,?,00007FF6C91B6EED,?,?,?,?,?,?,00000001), ref: 00007FF6C905636E
WaitForSingleObject.KERNEL32(?,?,?,00007FF6C9056818,?,?,?,00007FF6C91B6EED,?,?,?,?,?,?,00000001), ref: 00007FF6C9056385

Strings

{A946A6A9-917E-4949-B9BC-6BADA8C7FD63}, xrefs: 00007FF6C9056363

Memory Dump Source

Source File: 00000008.00000002.17533132630.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 00000008.00000002.17533097995.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533880137.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17533963138.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534092509.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534127885.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534167469.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534199815.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534242226.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.17534269242.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff6c9020000_setup.jbxd

Similarity

API ID: CreateMutexObjectSingleWait
String ID: {A946A6A9-917E-4949-B9BC-6BADA8C7FD63}
API String ID: 3113225513-1352562265
Opcode ID: 1e3acc4879c1dcc9391b7b265de8a9a87ffdb80975c288b4ae9e2d009255d884
Instruction ID: dd609383003b474679814c064d18abde2318e35cb1b48e03c8812aad7e6597b6
Opcode Fuzzy Hash: 1e3acc4879c1dcc9391b7b265de8a9a87ffdb80975c288b4ae9e2d009255d884
Instruction Fuzzy Hash: D7E04822B1979181FB599F7AB94437526909F48B05F59C078D5CD87750DF3CD486C350

Analysis Process: setup.exePID: 8432, Parent PID: 8412COMMON

Execution Graph

Execution Coverage:	1.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	204
Total number of Limit Nodes:	20

Executed Functions

Function 00007FF6C91A485C Relevance: 10.6, APIs: 7, Instructions: 57
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32 ref: 00007FF6C91A486B
FlsGetValue.KERNEL32 ref: 00007FF6C91A4880
FlsSetValue.KERNEL32 ref: 00007FF6C91A48A1
FlsSetValue.KERNEL32 ref: 00007FF6C91A48CE
FlsSetValue.KERNEL32 ref: 00007FF6C91A48DF
FlsSetValue.KERNEL32 ref: 00007FF6C91A48F0
SetLastError.KERNEL32 ref: 00007FF6C91A490B

Memory Dump Source

Source File: 00000009.00000002.17535816929.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 00000009.00000002.17535783150.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536290510.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536372772.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536397328.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536423196.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536450452.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536450452.00007FF6C92F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536503376.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536547112.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536576070.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff6c9020000_setup.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 9c215e07966689fccacb168f234269f5bb2ba51e8c3e055530ba5e3d864a07b0
Instruction ID: 4cd909e14ffa656fa83a344e008502234a93242e1fd81198ecb058ea58604a18
Opcode Fuzzy Hash: 9c215e07966689fccacb168f234269f5bb2ba51e8c3e055530ba5e3d864a07b0
Instruction Fuzzy Hash: 74118124F1C28281F7585F76666213D2A526F88BF2F154734D9FEC7ADAEE6CE8054340

Function 00007FF6C90F2A10 Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

..\..\third_party\crashpad\crashpad\util\file\file_io.cc, xrefs: 00007FF6C90F2A9E
ReadFile, xrefs: 00007FF6C90F2AC3

Memory Dump Source

Source File: 00000009.00000002.17535816929.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 00000009.00000002.17535783150.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536290510.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536372772.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536397328.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536423196.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536450452.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536450452.00007FF6C92F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536503376.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536547112.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536576070.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff6c9020000_setup.jbxd

Similarity

API ID: CloseHandle
String ID: ..\..\third_party\crashpad\crashpad\util\file\file_io.cc$ReadFile
API String ID: 2962429428-1347244036
Opcode ID: 30d89f1bbfdb8cd4f1505fd23aceacf41d9905e994a816dd0aa84fd6f31b860e
Instruction ID: 2149e9909e31cda4c1be82227d1fdf5edba75c0ae599882fc9cd15fc80696c66
Opcode Fuzzy Hash: 30d89f1bbfdb8cd4f1505fd23aceacf41d9905e994a816dd0aa84fd6f31b860e
Instruction Fuzzy Hash: 27112322F181C640FB20AF19A5123F91A50AF98BAAF400635DDCD8BBC6DE1CE6478700

Function 00007FF6C90F2010 Relevance: 4.6, APIs: 3, Instructions: 59
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadFile.KERNELBASE ref: 00007FF6C90F206E
GetFileType.KERNEL32 ref: 00007FF6C90F20A5
GetLastError.KERNEL32 ref: 00007FF6C90F20B6

Memory Dump Source

Source File: 00000009.00000002.17535816929.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 00000009.00000002.17535783150.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536290510.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536372772.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536397328.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536423196.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536450452.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536450452.00007FF6C92F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536503376.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536547112.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536576070.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff6c9020000_setup.jbxd

Similarity

API ID: File$ErrorLastReadType
String ID:
API String ID: 291879748-0
Opcode ID: 443ccd3f952e52c5fa5255bd0580c556af1c3914ff954ab95faf65a1b50ec064
Instruction ID: 4116195d9c08aeb2b6c8aae9553b2157b6a60d98e6cbf9b49fcd1d305b32bf32
Opcode Fuzzy Hash: 443ccd3f952e52c5fa5255bd0580c556af1c3914ff954ab95faf65a1b50ec064
Instruction Fuzzy Hash: 5211C423B1858249F7218F26A94462AB790AF48B99F550635ED9DC7794CE3CD943CA00

Function 00007FF6C9085690 Relevance: 3.0, APIs: 2, Instructions: 37
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(?,?,?,?,00000000,00000000,?,00007FF6C9056678,?,?,?,?,?,?,?), ref: 00007FF6C90856C6
RegCloseKey.ADVAPI32(?,?,?,?,00000000,00000000,?,00007FF6C9056678,?,?,?,?,?,?,?), ref: 00007FF6C9085702

Memory Dump Source

Source File: 00000009.00000002.17535816929.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 00000009.00000002.17535783150.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536290510.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536372772.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536397328.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536423196.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536450452.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536450452.00007FF6C92F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536503376.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536547112.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536576070.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff6c9020000_setup.jbxd

Similarity

API ID: CloseOpen
String ID:
API String ID: 47109696-0
Opcode ID: 1b45fec8eeae5ab7eb531375cc05bb643b2247f9ebeecbba943f5b46a548d667
Instruction ID: 9d11baaf4b25d187287a475e22751ddf572348239aa7b7b61a6a63692f6c1ee4
Opcode Fuzzy Hash: 1b45fec8eeae5ab7eb531375cc05bb643b2247f9ebeecbba943f5b46a548d667
Instruction Fuzzy Hash: 02016272B29A5282FB544F15E95176A67A0FB88B95F014035EECF87750DE3CD8518740

Function 00007FF6C90CA0E0 Relevance: 2.5, APIs: 2, Instructions: 22
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualFree.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,00000000,?,-0000000400000000,?,00007FF6C90B8811), ref: 00007FF6C90CA0EA
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,-0000000400000000,?,00007FF6C90B8811), ref: 00007FF6C90CA0F4

Memory Dump Source

Source File: 00000009.00000002.17535816929.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 00000009.00000002.17535783150.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536290510.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536372772.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536397328.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536423196.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536450452.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536450452.00007FF6C92F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536503376.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536547112.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536576070.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff6c9020000_setup.jbxd

Similarity

API ID: ErrorFreeLastVirtual
String ID:
API String ID: 499627090-0
Opcode ID: 73818c80937deb4832c471d99414fc7ff2eeaff62bfd5e719b1526dabfdcc212
Instruction ID: c4556b923349a6dfab87c672e7eba8a6d73739182f90ed374908bbfadd765bb2
Opcode Fuzzy Hash: 73818c80937deb4832c471d99414fc7ff2eeaff62bfd5e719b1526dabfdcc212
Instruction Fuzzy Hash: 12D01251F1954245F7542F726D4133428546F25B87F81483CC68CD6650EE1CD085C711

Non-executed Functions

Function 00007FF6C91A9EEC Relevance: 9.2, APIs: 6, Instructions: 171COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6C91A46E4: GetLastError.KERNEL32 ref: 00007FF6C91A46F3
Part of subcall function 00007FF6C91A46E4: FlsGetValue.KERNEL32 ref: 00007FF6C91A4708
Part of subcall function 00007FF6C91A46E4: SetLastError.KERNEL32 ref: 00007FF6C91A4793

Part of subcall function 00007FF6C91A46E4: FlsSetValue.KERNEL32 ref: 00007FF6C91A4729

GetUserDefaultLCID.KERNEL32(?,00000000,00000092,?), ref: 00007FF6C91AA05C

Part of subcall function 00007FF6C91A46E4: FlsSetValue.KERNEL32 ref: 00007FF6C91A4756
Part of subcall function 00007FF6C91A46E4: FlsSetValue.KERNEL32 ref: 00007FF6C91A4767
Part of subcall function 00007FF6C91A46E4: FlsSetValue.KERNEL32 ref: 00007FF6C91A4778

EnumSystemLocalesW.KERNEL32(?,00000000,00000092,?,?,00000000,?,00007FF6C918F279), ref: 00007FF6C91AA043
IsValidCodePage.KERNEL32 ref: 00007FF6C91AA098
IsValidLocale.KERNEL32 ref: 00007FF6C91AA0AE
GetLocaleInfoW.KERNEL32 ref: 00007FF6C91AA10A
GetLocaleInfoW.KERNEL32 ref: 00007FF6C91AA126

Memory Dump Source

Source File: 00000009.00000002.17535816929.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 00000009.00000002.17535783150.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536290510.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536372772.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536397328.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536423196.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536450452.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536450452.00007FF6C92F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536503376.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536547112.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536576070.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff6c9020000_setup.jbxd

Similarity

API ID: Value$Locale$ErrorInfoLastValid$CodeDefaultEnumLocalesPageSystemUser
String ID:
API String ID: 1706690794-0
Opcode ID: fc7311b086ce6fd43b0eb301339a6b3cc1f08fc7bd23cc236602390b1e8bbbb3
Instruction ID: 67901dfb2fb77a510e2397a38f0577ed87fcffa6a76ad8f25fe7823e4d32b112
Opcode Fuzzy Hash: fc7311b086ce6fd43b0eb301339a6b3cc1f08fc7bd23cc236602390b1e8bbbb3
Instruction Fuzzy Hash: 85718E62B186429AFF109F60D8526BD3BB1BF44B46F444036CA9E93B95EF3CE849C350

Function 00007FF6C9195B80 Relevance: 9.1, APIs: 6, Instructions: 83COMMON

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF6C9195BF9
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF6C9195C11
RtlVirtualUnwind.KERNEL32 ref: 00007FF6C9195C4C
IsDebuggerPresent.KERNEL32 ref: 00007FF6C9195C85
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF6C9195C8F
UnhandledExceptionFilter.KERNEL32 ref: 00007FF6C9195C9A

Memory Dump Source

Source File: 00000009.00000002.17535816929.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 00000009.00000002.17535783150.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536290510.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536372772.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536397328.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536423196.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536450452.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536450452.00007FF6C92F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536503376.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536547112.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536576070.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff6c9020000_setup.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 49f356e329ffe9317a02f37c9929f3f11b56c8c09c740634a9a27b444624c1bf
Instruction ID: 2d89929f6b2b5e1de59c62758e17a49baa08a0162dc4cae138fb188dfddb7d08
Opcode Fuzzy Hash: 49f356e329ffe9317a02f37c9929f3f11b56c8c09c740634a9a27b444624c1bf
Instruction Fuzzy Hash: F7317132A18F8186EB60CF25E8412AE77A5FB88B59F504135EADD87B98DF3CC545CB00

Function 00007FF6C91AA798 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 50COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,?,?,?,?,?,?,00007FF6C91AA08B), ref: 00007FF6C91AA7ED
GetLocaleInfoW.KERNEL32(?,?,?,?,?,?,?,00007FF6C91AA08B), ref: 00007FF6C91AA81A
GetACP.KERNEL32(?,?,?,?,?,?,?,00007FF6C91AA08B), ref: 00007FF6C91AA830

Strings

OCP, xrefs: 00007FF6C91AA7C9
ACP, xrefs: 00007FF6C91AA7B9

Memory Dump Source

Source File: 00000009.00000002.17535816929.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 00000009.00000002.17535783150.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536290510.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536372772.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536397328.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536423196.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536450452.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536450452.00007FF6C92F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536503376.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536547112.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536576070.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff6c9020000_setup.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: b57b358656b6c5e522c07b9433039294d2a61d4965a7f805eed9d0eed18eb55b
Instruction ID: 0ebe323de0f884bab371b4a420940bf8bf64792fecca6ecc780dc2e739c55a70
Opcode Fuzzy Hash: b57b358656b6c5e522c07b9433039294d2a61d4965a7f805eed9d0eed18eb55b
Instruction Fuzzy Hash: 2A11B121A1868382FB649F51E50257A6BA1FF44B93F808035DACAC3A55DF2CEC4AC740

Function 00007FF6C9146D00 Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 174threadtimeCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00007FF6C9146D30
QueryThreadCycleTime.KERNEL32 ref: 00007FF6C9146D3E
GetCurrentThread.KERNEL32 ref: 00007FF6C9146DC5
GetThreadPriority.KERNEL32 ref: 00007FF6C9146DCA
GetCurrentThread.KERNEL32 ref: 00007FF6C9146DD2
SetThreadPriority.KERNEL32 ref: 00007FF6C9146DDC
QueryPerformanceCounter.KERNEL32 ref: 00007FF6C9146E42
GetCurrentThread.KERNEL32 ref: 00007FF6C9146E4B
SetThreadPriority.KERNEL32 ref: 00007FF6C9146E56
QueryPerformanceFrequency.KERNEL32 ref: 00007FF6C9146E64
QueryPerformanceCounter.KERNEL32 ref: 00007FF6C9146F48

Strings

PERFETTO_CHECK(perf_counter_now >= perf_counter_initial), xrefs: 00007FF6C9146F94
..\..\third_party\perfetto\src\base\time.cc, xrefs: 00007FF6C9146F7F, 00007FF6C9146FD1
PERFETTO_CHECK(tsc_now >= tsc_initial), xrefs: 00007FF6C9146FE6
%s (errno: %d, %s), xrefs: 00007FF6C9146FA0, 00007FF6C9146FF2

Memory Dump Source

Source File: 00000009.00000002.17535816929.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 00000009.00000002.17535783150.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536290510.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536372772.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536397328.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536423196.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536450452.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536450452.00007FF6C92F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536503376.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536547112.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536576070.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff6c9020000_setup.jbxd

Similarity

API ID: Thread$CurrentQuery$PerformancePriority$Counter$CycleFrequencyTime
String ID: %s (errno: %d, %s)$..\..\third_party\perfetto\src\base\time.cc$PERFETTO_CHECK(perf_counter_now >= perf_counter_initial)$PERFETTO_CHECK(tsc_now >= tsc_initial)
API String ID: 649842374-3408761757
Opcode ID: de432c121d9762614cbf4ba3aa36bff704b534f44ecf2d0cb4b272247977c08a
Instruction ID: 809e4a2005fd723fc584d526b9bf61b356839fbb730a3a9acbb58c3cf07d1178
Opcode Fuzzy Hash: de432c121d9762614cbf4ba3aa36bff704b534f44ecf2d0cb4b272247977c08a
Instruction Fuzzy Hash: 0881C421928A4285F711DF20EA512797B60FF49B9AF154235D9CED7BA5DF3CE442C700

Function 00007FF6C9095630 Relevance: 14.3, APIs: 3, Strings: 5, Instructions: 310threadtimeCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6C9170B30: GetLastError.KERNEL32(?,?,00000002,00007FF6C909566F,?,?,00000002,?,..\..\third_party\crashpad\crashpad\util\file\file_io_win.cc,00000000,?,?,FFFFFFFF,?,00007FF6C91F239C), ref: 00007FF6C9170B4C
Part of subcall function 00007FF6C9170B30: SetLastError.KERNEL32(?,?,00000002,00007FF6C909566F,?,?,00000002,?,..\..\third_party\crashpad\crashpad\util\file\file_io_win.cc,00000000,?,?,FFFFFFFF,?,00007FF6C91F239C), ref: 00007FF6C9170B57

GetCurrentThreadId.KERNEL32 ref: 00007FF6C9095735
GetLocalTime.KERNEL32(?,?,00000002,?,..\..\third_party\crashpad\crashpad\util\file\file_io_win.cc,00000000,?,?,FFFFFFFF,?,00007FF6C91F239C), ref: 00007FF6C9095776

Strings

:\/, xrefs: 00007FF6C90958D4
UNKNOWN, xrefs: 00007FF6C9095A2F
..\..\third_party\crashpad\crashpad\util\file\file_io_win.cc, xrefs: 00007FF6C9095639
VERBOSE, xrefs: 00007FF6C9095A62
)] , xrefs: 00007FF6C9095916

Memory Dump Source

Source File: 00000009.00000002.17535816929.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 00000009.00000002.17535783150.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536290510.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536372772.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536397328.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536423196.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536450452.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536450452.00007FF6C92F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536503376.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536547112.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536576070.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff6c9020000_setup.jbxd

Similarity

API ID: ErrorLast$CurrentLocalThreadTime
String ID: )] $..\..\third_party\crashpad\crashpad\util\file\file_io_win.cc$:\/$UNKNOWN$VERBOSE
API String ID: 359520752-2521604196
Opcode ID: 5dfdffcdaea2802536fc1caccdd984f063ad85b05c93528b024443df42e35709
Instruction ID: 1f0ee3adbd5c15d3a86d17d8e7c5ae77a6aa7afc29a2e763a48f0ba94dcafd3c
Opcode Fuzzy Hash: 5dfdffcdaea2802536fc1caccdd984f063ad85b05c93528b024443df42e35709
Instruction Fuzzy Hash: AED1C321B1968284EF14DF16E4552BA6F90EB89FCAF864439DECD8B792DE3DE141C700

Function 00007FF6C91A5880 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 117libraryloaderCOMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00000000,00007FF6C91A566C,?,?,00000000,00007FF6C91A7E63,?,?,00000003,00007FF6C918E33D), ref: 00007FF6C91A59FC
GetProcAddress.KERNEL32(?,?,00000000,00007FF6C91A566C,?,?,00000000,00007FF6C91A7E63,?,?,00000003,00007FF6C918E33D), ref: 00007FF6C91A5A08

Strings

ext-ms-, xrefs: 00007FF6C91A5959
api-ms-, xrefs: 00007FF6C91A5946
MZx, xrefs: 00007FF6C91A589F, 00007FF6C91A5985, 00007FF6C91A59E5

Memory Dump Source

Source File: 00000009.00000002.17535816929.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 00000009.00000002.17535783150.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536290510.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536372772.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536397328.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536423196.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536450452.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536450452.00007FF6C92F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536503376.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536547112.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536576070.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff6c9020000_setup.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: MZx$api-ms-$ext-ms-
API String ID: 3013587201-2431898299
Opcode ID: 13f8f4d5adfa5fe98ff9d75ff434922d7620d7c2fd455643e412e673fb3db0a4
Instruction ID: 50d4bff8499593dca60688d9916a3521f2f01dd5395462f61b2aa2c891212baf
Opcode Fuzzy Hash: 13f8f4d5adfa5fe98ff9d75ff434922d7620d7c2fd455643e412e673fb3db0a4
Instruction Fuzzy Hash: DC41E322B29B4285FB16CF1699456792B91BF55BA2F094135DD8DCBB84EE3CEC49C200

Function 00007FF6C91B0DC4 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 88libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,00000012,?,00007FF6C91B0CEB,?,?,00000000,00007FF6C91A0A72,?,?,?,00007FF6C917DDA9), ref: 00007FF6C91B0E49
GetLastError.KERNEL32(?,00000012,?,00007FF6C91B0CEB,?,?,00000000,00007FF6C91A0A72,?,?,?,00007FF6C917DDA9), ref: 00007FF6C91B0E57
LoadLibraryExW.KERNEL32(?,00000012,?,00007FF6C91B0CEB,?,?,00000000,00007FF6C91A0A72,?,?,?,00007FF6C917DDA9), ref: 00007FF6C91B0E81
FreeLibrary.KERNEL32(?,00000012,?,00007FF6C91B0CEB,?,?,00000000,00007FF6C91A0A72,?,?,?,00007FF6C917DDA9), ref: 00007FF6C91B0EEF
GetProcAddress.KERNEL32(?,00000012,?,00007FF6C91B0CEB,?,?,00000000,00007FF6C91A0A72,?,?,?,00007FF6C917DDA9), ref: 00007FF6C91B0EFB

Strings

api-ms-, xrefs: 00007FF6C91B0E69
..\..\third_party\crashpad\crashpad\util\file\file_io_win.cc, xrefs: 00007FF6C91B0DD8
MZx, xrefs: 00007FF6C91B0DE2, 00007FF6C91B0E92, 00007FF6C91B0ED8

Memory Dump Source

Source File: 00000009.00000002.17535816929.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 00000009.00000002.17535783150.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536290510.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536372772.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536397328.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536423196.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536450452.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536450452.00007FF6C92F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536503376.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536547112.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536576070.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff6c9020000_setup.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: ..\..\third_party\crashpad\crashpad\util\file\file_io_win.cc$MZx$api-ms-
API String ID: 2559590344-3539208823
Opcode ID: 4297d0d72445a5ed14222d767aff36e0ccd66d9d2c0f99644abded0481749379
Instruction ID: a08a293f5a06761c69f735fb3f6120f768f654cb584aa394f4ee392bdd8861a2
Opcode Fuzzy Hash: 4297d0d72445a5ed14222d767aff36e0ccd66d9d2c0f99644abded0481749379
Instruction Fuzzy Hash: 6F31C162B1AB42C9FF119F12A5015752BA5BF48FA2F490535DD9D8BB88DF3CE4858304

Function 00007FF6C90EABB0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 74COMMON

Download Yara Rule

APIs

InitOnceExecuteOnce.KERNEL32(?,?,00000000,00000000,..\..\third_party\boringssl\src\crypto\mem.c,?,00007FF6C922A4D9,?,?,?,0000000E,00007FF6C922A509), ref: 00007FF6C90EABF3
GetLastError.KERNEL32(?,?,?,0000000E,00007FF6C922A509), ref: 00007FF6C90EAC0E
TlsGetValue.KERNEL32(?,?,?,0000000E,00007FF6C922A509), ref: 00007FF6C90EAC1C
SetLastError.KERNEL32(?,?,?,0000000E,00007FF6C922A509), ref: 00007FF6C90EAC27
TlsSetValue.KERNEL32(?,?,?,0000000E,00007FF6C922A509), ref: 00007FF6C90EAC52
AcquireSRWLockExclusive.KERNEL32(?,?,?,0000000E,00007FF6C922A509), ref: 00007FF6C90EAC66
ReleaseSRWLockExclusive.KERNEL32(?,?,?,0000000E,00007FF6C922A509), ref: 00007FF6C90EAC7D

Strings

..\..\third_party\boringssl\src\crypto\mem.c, xrefs: 00007FF6C90EABB2

Memory Dump Source

Source File: 00000009.00000002.17535816929.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 00000009.00000002.17535783150.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536290510.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536372772.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536397328.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536423196.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536450452.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536450452.00007FF6C92F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536503376.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536547112.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536576070.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff6c9020000_setup.jbxd

Similarity

API ID: ErrorExclusiveLastLockOnceValue$AcquireExecuteInitRelease
String ID: ..\..\third_party\boringssl\src\crypto\mem.c
API String ID: 389898287-3521738057
Opcode ID: 967fd5c76b4b0f57fde2daf56290db014900a64f721b7223f059e74187000840
Instruction ID: deab6c1db8a8555a80899cde34018235a216c8e3104a68a4273e7310fdb232b4
Opcode Fuzzy Hash: 967fd5c76b4b0f57fde2daf56290db014900a64f721b7223f059e74187000840
Instruction Fuzzy Hash: D0317E22B2961296FB40DF11EA556793B94AF49B9BF460039DCCEC77A1DE3CE449C380

Function 00007FF6C9057D20 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 155libraryloaderthreadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00007FF6C9057D84
LocalFree.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF6C9058535,?,?,?,?,?,?), ref: 00007FF6C9057E6B
GetModuleHandleA.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF6C9058535,?,?,?,?,?,?), ref: 00007FF6C9057EC2
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF6C9058535,?,?,?,?,?,?), ref: 00007FF6C9057ED2

Strings

GetThreadDescription, xrefs: 00007FF6C9057EC8
Kernel32.dll, xrefs: 00007FF6C9057EBB

Memory Dump Source

Source File: 00000009.00000002.17535816929.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 00000009.00000002.17535783150.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536290510.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536372772.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536397328.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536423196.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536450452.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536450452.00007FF6C92F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536503376.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536547112.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536576070.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff6c9020000_setup.jbxd

Similarity

API ID: AddressCurrentFreeHandleLocalModuleProcThread
String ID: GetThreadDescription$Kernel32.dll
API String ID: 4205643583-415897907
Opcode ID: 1431db880a5370f0177e697da9e28eeb2d8691677737784a01d1455ca778c1c8
Instruction ID: 924da906f0170f1086d7dcff4f683be56b35e3eb7c4ef7dc0f4a428673468fa9
Opcode Fuzzy Hash: 1431db880a5370f0177e697da9e28eeb2d8691677737784a01d1455ca778c1c8
Instruction Fuzzy Hash: F351AF32B18B4281FB10DF15E9411B97BA1EF48BE6F554235DADE87BA5DE3CE8418700

Function 00007FF6C91A46E4 Relevance: 10.6, APIs: 7, Instructions: 62COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF6C91A46F3
FlsGetValue.KERNEL32 ref: 00007FF6C91A4708
FlsSetValue.KERNEL32 ref: 00007FF6C91A4729
FlsSetValue.KERNEL32 ref: 00007FF6C91A4756
FlsSetValue.KERNEL32 ref: 00007FF6C91A4767
FlsSetValue.KERNEL32 ref: 00007FF6C91A4778
SetLastError.KERNEL32 ref: 00007FF6C91A4793

Memory Dump Source

Source File: 00000009.00000002.17535816929.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 00000009.00000002.17535783150.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536290510.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536372772.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536397328.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536423196.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536450452.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536450452.00007FF6C92F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536503376.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536547112.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536576070.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff6c9020000_setup.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 41b5958701493da588de957a310c25c635e8a11efb66ac24fd9486dc90d30bd0
Instruction ID: d52e9cdd42addfcb46d98bfd61c1e2f5b3e2fe956e7051b7f6a999ea7500922a
Opcode Fuzzy Hash: 41b5958701493da588de957a310c25c635e8a11efb66ac24fd9486dc90d30bd0
Instruction Fuzzy Hash: CC217C24F0C28281FB58AF76565213D6A526F45BF2F150A34D9FEC6EDAEE2CEC054280

Function 00007FF6C91B351C Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 00007FF6C91B354D
GetLastError.KERNEL32 ref: 00007FF6C91B3559
CloseHandle.KERNEL32 ref: 00007FF6C91B3571
CreateFileW.KERNEL32 ref: 00007FF6C91B359C
WriteConsoleW.KERNEL32 ref: 00007FF6C91B35BB

Strings

CONOUT$, xrefs: 00007FF6C91B357D

Memory Dump Source

Source File: 00000009.00000002.17535816929.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 00000009.00000002.17535783150.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536290510.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536372772.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536397328.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536423196.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536450452.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536450452.00007FF6C92F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536503376.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536547112.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536576070.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff6c9020000_setup.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: 352ad203f3a051f1809320f21ee2bf24d8655c668510723fd4d908605e4da839
Instruction ID: 5f5ebdce087cd9ea4726591fbef1967709864ae4166ac027930352489cc9927d
Opcode Fuzzy Hash: 352ad203f3a051f1809320f21ee2bf24d8655c668510723fd4d908605e4da839
Instruction Fuzzy Hash: 83118472A28A8186F7509F22E9443297AA0FB88FE6F400234D9DEC7B94CF7CD455C740

Function 00007FF6C9095BA0 Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 387fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6C9170B30: GetLastError.KERNEL32(?,?,00000002,00007FF6C909566F,?,?,00000002,?,..\..\third_party\crashpad\crashpad\util\file\file_io_win.cc,00000000,?,?,FFFFFFFF,?,00007FF6C91F239C), ref: 00007FF6C9170B4C
Part of subcall function 00007FF6C9170B30: SetLastError.KERNEL32(?,?,00000002,00007FF6C909566F,?,?,00000002,?,..\..\third_party\crashpad\crashpad\util\file\file_io_win.cc,00000000,?,?,FFFFFFFF,?,00007FF6C91F239C), ref: 00007FF6C9170B57

OutputDebugStringA.KERNEL32 ref: 00007FF6C909602E
WriteFile.KERNEL32 ref: 00007FF6C9096189

Strings

LogMessage, xrefs: 00007FF6C90961BF
W, xrefs: 00007FF6C9095ECC
LOG_FATAL, xrefs: 00007FF6C909620C

Memory Dump Source

Source File: 00000009.00000002.17535816929.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 00000009.00000002.17535783150.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536290510.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536372772.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536397328.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536423196.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536450452.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536450452.00007FF6C92F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536503376.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536547112.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536576070.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff6c9020000_setup.jbxd

Similarity

API ID: ErrorLast$DebugFileOutputStringWrite
String ID: LOG_FATAL$LogMessage$W
API String ID: 2864343081-2234279591
Opcode ID: f34d65128c59934608a4315e0c03994b5f1297b90a71e1355b04d32f49994a09
Instruction ID: 1df354c202298153b47f42894912f9b5223fcc05531f11e1a6fbfbdb30372c6a
Opcode Fuzzy Hash: f34d65128c59934608a4315e0c03994b5f1297b90a71e1355b04d32f49994a09
Instruction Fuzzy Hash: F302BF22B18B8285EB609F15E5512BA6BA0EF41B96F460039DECE83B96DF3DE445C700

Function 00007FF6C90EAEC0 Relevance: 9.1, APIs: 6, Instructions: 112COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 00007FF6C90EAEF8
TlsSetValue.KERNEL32 ref: 00007FF6C90EAF24
TlsSetValue.KERNEL32 ref: 00007FF6C90EAF52
TlsFree.KERNEL32 ref: 00007FF6C90EAF9E

Part of subcall function 00007FF6C91292D0: TlsAlloc.KERNEL32(?,?,?,00007FF6C90EAE3F,?,?,?,?,?,?,?,?,00007FF6C916C65E), ref: 00007FF6C91292D8

TlsFree.KERNEL32 ref: 00007FF6C90EAFD2
TlsGetValue.KERNEL32(?,?,?,?,00007FF6C90EAE3F,?,?,?,?,?,?,?,?,00007FF6C916C65E), ref: 00007FF6C90EB002

Memory Dump Source

Source File: 00000009.00000002.17535816929.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 00000009.00000002.17535783150.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536290510.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536372772.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536397328.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536423196.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536450452.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536450452.00007FF6C92F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536503376.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536547112.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536576070.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff6c9020000_setup.jbxd

Similarity

API ID: Value$Free$Alloc
String ID:
API String ID: 4173863045-0
Opcode ID: 28c125dd58b9a80b5de19970b8bcb57c75e4a4598a26161729adbcb72c2e6fcb
Instruction ID: a9f6dbb7460f6c70f43b6cebfea8230845bb44a2e7b3f005cabfb0d1a11b222e
Opcode Fuzzy Hash: 28c125dd58b9a80b5de19970b8bcb57c75e4a4598a26161729adbcb72c2e6fcb
Instruction Fuzzy Hash: 3A31D431B185424AF7649F25E5021797A619F897A6F004338EAED87BD5CE3CE542CB40

Function 00007FF6C919A014 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 299fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 00007FF6C919A093
WriteFile.KERNEL32 ref: 00007FF6C919A35B
WriteFile.KERNEL32 ref: 00007FF6C919A3A1
GetLastError.KERNEL32 ref: 00007FF6C919A457

Strings

MZx, xrefs: 00007FF6C919A06A, 00007FF6C919A0EB, 00007FF6C919A1A0

Memory Dump Source

Source File: 00000009.00000002.17535816929.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 00000009.00000002.17535783150.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536290510.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536372772.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536397328.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536423196.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536450452.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536450452.00007FF6C92F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536503376.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536547112.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536576070.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff6c9020000_setup.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID: MZx
API String ID: 2718003287-2575928145
Opcode ID: 3f9a4d962f3682551a42740c76d16857cc1f7354d3bf491627a76f20b6ada767
Instruction ID: afc7abaa173a9bac71a56c5870f869d4072ff8779e3f8c275393f6c6c9dba964
Opcode Fuzzy Hash: 3f9a4d962f3682551a42740c76d16857cc1f7354d3bf491627a76f20b6ada767
Instruction Fuzzy Hash: E8D10232B18B8189E711DF79D4442AC3BB2FB54B99B058236CE9D97F99DE38D50AC300

Function 00007FF6C922EA30 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 168fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32 ref: 00007FF6C922EA7F
GetLastError.KERNEL32 ref: 00007FF6C922EAA4
GetLastError.KERNEL32 ref: 00007FF6C922EBCD

Strings

CreateFile , xrefs: 00007FF6C922EACF, 00007FF6C922EBF8
..\..\third_party\crashpad\crashpad\util\file\file_io_win.cc, xrefs: 00007FF6C922EAAD, 00007FF6C922EBD6

Memory Dump Source

Source File: 00000009.00000002.17535816929.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 00000009.00000002.17535783150.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536290510.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536372772.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536397328.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536423196.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536450452.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536450452.00007FF6C92F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536503376.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536547112.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536576070.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff6c9020000_setup.jbxd

Similarity

API ID: ErrorLast$CreateFile
String ID: ..\..\third_party\crashpad\crashpad\util\file\file_io_win.cc$CreateFile
API String ID: 1722934493-2987130713
Opcode ID: 74a659072a881366ec01bdbdf2963224488b8312d8b12616a529507f2ec76428
Instruction ID: 662a0370a970df7b70c06c0ce029b590cfb606f7b47e749d58dcc4f5e73248d7
Opcode Fuzzy Hash: 74a659072a881366ec01bdbdf2963224488b8312d8b12616a529507f2ec76428
Instruction Fuzzy Hash: 6C51F522B2CA9241FB119F11E2553BA6B61AF89BE5F040531EEDD8BFD5CF2CE1458740

Function 00007FF6C91F1B00 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 146fileCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32 ref: 00007FF6C91F1B83
CreateFileW.KERNEL32 ref: 00007FF6C91F1C53
GetCurrentDirectoryW.KERNEL32 ref: 00007FF6C91F1C8F

Strings

debug.log, xrefs: 00007FF6C91F1BF7, 00007FF6C91F1CF7

Memory Dump Source

Source File: 00000009.00000002.17535816929.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 00000009.00000002.17535783150.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536290510.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536372772.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536397328.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536423196.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536450452.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536450452.00007FF6C92F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536503376.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536547112.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536576070.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff6c9020000_setup.jbxd

Similarity

API ID: File$CreateCurrentDirectoryModuleName
String ID: debug.log
API String ID: 3818821825-600467936
Opcode ID: b8d05ac858502aff8654a6442efd66c9b656009e143cea88ec8bbd374a31e47e
Instruction ID: 9d3c42bc561e0e2b37b03a105acab83ee38ad5c942520202d24e5e0efdbcdd36
Opcode Fuzzy Hash: b8d05ac858502aff8654a6442efd66c9b656009e143cea88ec8bbd374a31e47e
Instruction Fuzzy Hash: 3751DA71A28A8680FB108F11EA593792BB1AF45FAAF004235CADD87BE0DF7DE1458300

Function 00007FF6C9058C00 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 136threadCOMMON

Download Yara Rule

APIs

SwitchToThread.KERNEL32(?), ref: 00007FF6C9058D0A

Strings

..\..\third_party\perfetto\src\tracing\core\shared_memory_abi.cc, xrefs: 00007FF6C9058D3B, 00007FF6C9058D89
PERFETTO_CHECK(chunk_state == expected_chunk_state), xrefs: 00007FF6C9058D9E
PERFETTO_CHECK(chunk.size() == page_chunk_size), xrefs: 00007FF6C9058D50
%s (errno: %d, %s), xrefs: 00007FF6C9058D5C, 00007FF6C9058DAA

Memory Dump Source

Source File: 00000009.00000002.17535816929.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 00000009.00000002.17535783150.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536290510.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536372772.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536397328.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536423196.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536450452.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536450452.00007FF6C92F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536503376.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536547112.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536576070.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff6c9020000_setup.jbxd

Similarity

API ID: SwitchThread
String ID: %s (errno: %d, %s)$..\..\third_party\perfetto\src\tracing\core\shared_memory_abi.cc$PERFETTO_CHECK(chunk.size() == page_chunk_size)$PERFETTO_CHECK(chunk_state == expected_chunk_state)
API String ID: 115865932-3916303389
Opcode ID: 07d9ed0c1875b51bd5ab2eb666b6058fa0cd84b3aab4342cdd98731b53ec3783
Instruction ID: 0ebc553aebd02c2586f7e00086fa90defe1e4da25579d7142a13a537a923da80
Opcode Fuzzy Hash: 07d9ed0c1875b51bd5ab2eb666b6058fa0cd84b3aab4342cdd98731b53ec3783
Instruction Fuzzy Hash: FF410472B1854142E7249F11E8126B83F91FB94BA6F46423ADE9E87BD1DF3CD846C304

Function 00007FF6C91F20F0 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 134windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNEL32 ref: 00007FF6C91F213F
LocalFree.KERNEL32 ref: 00007FF6C91F21B0
GetLastError.KERNEL32 ref: 00007FF6C91F230F

Strings

Error (0x%lX) while retrieving error. (0x%lX), xrefs: 00007FF6C91F2315
(0x%lX), xrefs: 00007FF6C91F21C2

Memory Dump Source

Source File: 00000009.00000002.17535816929.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 00000009.00000002.17535783150.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536290510.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536372772.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536397328.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536423196.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536450452.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536450452.00007FF6C92F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536503376.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536547112.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536576070.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff6c9020000_setup.jbxd

Similarity

API ID: ErrorFormatFreeLastLocalMessage
String ID: (0x%lX)$Error (0x%lX) while retrieving error. (0x%lX)
API String ID: 1365068426-3206765257
Opcode ID: 03ae5f3285c97a230daa055b4265b5a4f214d8776a24798a67af573410803d93
Instruction ID: 36fb1c9a274894a7fb984df395a3db2f5e4c0a04ae3b89599e530ed43e6856fa
Opcode Fuzzy Hash: 03ae5f3285c97a230daa055b4265b5a4f214d8776a24798a67af573410803d93
Instruction Fuzzy Hash: 9C51AD32A0DBC681EB218F25E4513AAABA0FF88B95F444135DACD87B99DF3CE045C700

Function 00007FF6C918E2C4 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 00007FF6C918E2E9
GetProcAddress.KERNEL32 ref: 00007FF6C918E2FF
FreeLibrary.KERNEL32 ref: 00007FF6C918E326

Strings

mscoree.dll, xrefs: 00007FF6C918E2E0
CorExitProcess, xrefs: 00007FF6C918E2F8

Memory Dump Source

Source File: 00000009.00000002.17535816929.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 00000009.00000002.17535783150.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536290510.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536372772.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536397328.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536423196.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536450452.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536450452.00007FF6C92F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536503376.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536547112.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536576070.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff6c9020000_setup.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: a9cac37bfe261094b8dc3b22efd67b94b8f954481e9b60e8c58e3bcd1fa20611
Instruction ID: ffb01d5ed37271b118a1fd50316bfd704764c54d15579d31d66e1571a703f1a6
Opcode Fuzzy Hash: a9cac37bfe261094b8dc3b22efd67b94b8f954481e9b60e8c58e3bcd1fa20611
Instruction Fuzzy Hash: B3F09662B29B4281FB189F24E5453396B20EF44B63F55063ADAED8A7E4DF3CE444D708

Function 00007FF6C91A47B8 Relevance: 7.6, APIs: 5, Instructions: 50COMMON

Download Yara Rule

APIs

FlsGetValue.KERNEL32 ref: 00007FF6C91A47C9
FlsSetValue.KERNEL32 ref: 00007FF6C91A47E8
FlsSetValue.KERNEL32 ref: 00007FF6C91A4810
FlsSetValue.KERNEL32 ref: 00007FF6C91A4821
FlsSetValue.KERNEL32 ref: 00007FF6C91A4832

Memory Dump Source

Source File: 00000009.00000002.17535816929.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 00000009.00000002.17535783150.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536290510.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536372772.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536397328.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536423196.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536450452.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536450452.00007FF6C92F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536503376.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536547112.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536576070.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff6c9020000_setup.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: adc86de3a61ec4bc6766ae0da6590d9ccbb7d9bd1b9f56830393b6ac0f2e4d43
Instruction ID: b0c597b8e4067e0999e1a86ff660d74eb1a58e5b3749803cd2f4112a946a8279
Opcode Fuzzy Hash: adc86de3a61ec4bc6766ae0da6590d9ccbb7d9bd1b9f56830393b6ac0f2e4d43
Instruction Fuzzy Hash: FB112E10F5C28381FB68AE7655631792A415F45BB2F150B38D9FECAAD7ED2CFC094281

Function 00007FF6C90F2150 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 101fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32 ref: 00007FF6C90F21BE

Strings

CreateFile , xrefs: 00007FF6C90F2240
..\..\third_party\crashpad\crashpad\util\file\file_io_win.cc, xrefs: 00007FF6C90F221E

Memory Dump Source

Source File: 00000009.00000002.17535816929.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 00000009.00000002.17535783150.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536290510.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536372772.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536397328.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536423196.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536450452.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536450452.00007FF6C92F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536503376.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536547112.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536576070.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff6c9020000_setup.jbxd

Similarity

API ID: CreateFile
String ID: ..\..\third_party\crashpad\crashpad\util\file\file_io_win.cc$CreateFile
API String ID: 823142352-2987130713
Opcode ID: 30d81d84b43e5267f7bf75bd6fe193a339a2d1c572c3f2e3c14d20f2cd2a8eee
Instruction ID: 1152d75f872e0501a6b95336cdda7b2b9172026545ebfe92708c6454328a598a
Opcode Fuzzy Hash: 30d81d84b43e5267f7bf75bd6fe193a339a2d1c572c3f2e3c14d20f2cd2a8eee
Instruction Fuzzy Hash: 2D31E022B0868242FF11CF15E6517BA6B60BB89BDAF440135DACD87BD5DF2CE2468B00

Function 00007FF6C90F24A0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 58COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32 ref: 00007FF6C90F24F0
GetLastError.KERNEL32 ref: 00007FF6C90F254C

Strings

..\..\third_party\crashpad\crashpad\util\file\file_io_win.cc, xrefs: 00007FF6C90F2555
SetFilePointerEx, xrefs: 00007FF6C90F257A

Memory Dump Source

Source File: 00000009.00000002.17535816929.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 00000009.00000002.17535783150.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536290510.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536372772.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536397328.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536423196.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536450452.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536450452.00007FF6C92F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536503376.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536547112.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536576070.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff6c9020000_setup.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID: ..\..\third_party\crashpad\crashpad\util\file\file_io_win.cc$SetFilePointerEx
API String ID: 2976181284-3423003897
Opcode ID: 844e05737310e890d8c91f416288aa82cb5c299eea38e7eff2b73318ecabe8e5
Instruction ID: 95642bb57e3ebdd3568a684c63886b1a58fbf4635cd4a4b8052220a45d42d2a6
Opcode Fuzzy Hash: 844e05737310e890d8c91f416288aa82cb5c299eea38e7eff2b73318ecabe8e5
Instruction Fuzzy Hash: 9821BE31B1C69240FB609F16A512BB92A90AF48BEAF800135CDDD87FC5CE2CE2438700

Function 00007FF6C90F22E0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 54fileCOMMON

Download Yara Rule

APIs

LockFileEx.KERNEL32 ref: 00007FF6C90F232F
GetLastError.KERNEL32 ref: 00007FF6C90F2355

Strings

LockFileEx, xrefs: 00007FF6C90F23AB
..\..\third_party\crashpad\crashpad\util\file\file_io_win.cc, xrefs: 00007FF6C90F2381

Memory Dump Source

Source File: 00000009.00000002.17535816929.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 00000009.00000002.17535783150.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536290510.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536372772.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536397328.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536423196.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536450452.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536450452.00007FF6C92F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536503376.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536547112.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536576070.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff6c9020000_setup.jbxd

Similarity

API ID: ErrorFileLastLock
String ID: ..\..\third_party\crashpad\crashpad\util\file\file_io_win.cc$LockFileEx
API String ID: 1811722133-445818742
Opcode ID: 6ffc84015dee84a4ba2bd97ad0156444c272a122fa8a2de69a3506069068795c
Instruction ID: e4ffd6009bd071fb850f93d82d039d9c681f517191ed1d83007b8d31a279e155
Opcode Fuzzy Hash: 6ffc84015dee84a4ba2bd97ad0156444c272a122fa8a2de69a3506069068795c
Instruction Fuzzy Hash: B6212732B1C69280F7309F24E4127F96B60BF497AAF400635D9CD87BD5DE2CD6468700

Function 00007FF6C90F23D0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 49fileCOMMON

Download Yara Rule

APIs

UnlockFileEx.KERNEL32 ref: 00007FF6C90F2411
GetLastError.KERNEL32 ref: 00007FF6C90F244D

Strings

UnlockFileEx, xrefs: 00007FF6C90F247B
..\..\third_party\crashpad\crashpad\util\file\file_io_win.cc, xrefs: 00007FF6C90F2456

Memory Dump Source

Source File: 00000009.00000002.17535816929.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 00000009.00000002.17535783150.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536290510.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536372772.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536397328.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536423196.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536450452.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536450452.00007FF6C92F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536503376.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536547112.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536576070.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff6c9020000_setup.jbxd

Similarity

API ID: ErrorFileLastUnlock
String ID: ..\..\third_party\crashpad\crashpad\util\file\file_io_win.cc$UnlockFileEx
API String ID: 3655728120-3540829929
Opcode ID: 74321f8b8f7d5f58ae51096d1de463f0c0a745a8cd725a1752318707e6174bb1
Instruction ID: 457acc310c6ed852cfe88686b4ddc0d5cb63585794e68b35bfd8789033213aed
Opcode Fuzzy Hash: 74321f8b8f7d5f58ae51096d1de463f0c0a745a8cd725a1752318707e6174bb1
Instruction Fuzzy Hash: A7110832B18A8240FB309F25F5027F66B91AF88799F404235DDCD87BD5EE2CD2868700

Function 00007FF6C90F25A0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6C90F24A0: SetFilePointerEx.KERNEL32 ref: 00007FF6C90F24F0

SetEndOfFile.KERNEL32 ref: 00007FF6C90F25D2
GetLastError.KERNEL32 ref: 00007FF6C90F2609

Strings

SetEndOfFile, xrefs: 00007FF6C90F2637
..\..\third_party\crashpad\crashpad\util\file\file_io_win.cc, xrefs: 00007FF6C90F2612

Memory Dump Source

Source File: 00000009.00000002.17535816929.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 00000009.00000002.17535783150.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536290510.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536372772.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536397328.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536423196.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536450452.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536450452.00007FF6C92F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536503376.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536547112.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536576070.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff6c9020000_setup.jbxd

Similarity

API ID: File$ErrorLastPointer
String ID: ..\..\third_party\crashpad\crashpad\util\file\file_io_win.cc$SetEndOfFile
API String ID: 841452515-359779137
Opcode ID: 6458966ebebcdc29c352a51cc42520a70af5a0f15f18e7281eb69fc0700877f5
Instruction ID: 45988eedf4504a3f844d10eb3da527988fc7075b6abb6294f3d91fe3cfb61281
Opcode Fuzzy Hash: 6458966ebebcdc29c352a51cc42520a70af5a0f15f18e7281eb69fc0700877f5
Instruction Fuzzy Hash: BE11E521B1C59641FB20AF25A9227BA2A519F89F8AF410134DDCEC7B86DE2DE5078740

Function 00007FF6C9199BEC Relevance: 6.2, APIs: 4, Instructions: 218COMMON

Download Yara Rule

APIs

GetConsoleMode.KERNEL32(?,?,?,?,?,?,00007FF6C90BC4DA,?,00007FF6C90BC4DA,?,00007FF6C90BC4DA,00007FF6C90BC4DA,00007FF6C90BC4DA,00000000,00007FF6C9199FFF,00000000), ref: 00007FF6C9199D08
GetLastError.KERNEL32(?,?,?,?,?,?,00007FF6C90BC4DA,?,00007FF6C90BC4DA,?,00007FF6C90BC4DA,00007FF6C90BC4DA,00007FF6C90BC4DA,00000000,00007FF6C9199FFF,00000000), ref: 00007FF6C9199D93

Memory Dump Source

Source File: 00000009.00000002.17535816929.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 00000009.00000002.17535783150.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536290510.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536372772.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536397328.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536423196.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536450452.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536450452.00007FF6C92F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536503376.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536547112.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536576070.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff6c9020000_setup.jbxd

Similarity

API ID: ConsoleErrorLastMode
String ID:
API String ID: 953036326-0
Opcode ID: f5dfd21c9c62ca3141aa7a32308898ae9c1f30e30e3285335ab396cb129fe87d
Instruction ID: 406e078e802c2ee58b6c00bafeef3e8d3b8cb0f13be1ce6b2c8a4689725ae507
Opcode Fuzzy Hash: f5dfd21c9c62ca3141aa7a32308898ae9c1f30e30e3285335ab396cb129fe87d
Instruction Fuzzy Hash: D991C332F1865189FB509F6994812BD2FA0BB05F8AF154139DE8E97E94DF3CD886C700

Function 00007FF6C90EAD10 Relevance: 6.1, APIs: 4, Instructions: 110COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6C9174780: InitOnceExecuteOnce.KERNEL32(?,?,?,?,?,?,00007FF6C917488A,?,?,?,00007FF6C916BF52), ref: 00007FF6C91747A7

TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,00007FF6C916C65E), ref: 00007FF6C90EAD7C
TryAcquireSRWLockExclusive.KERNEL32(?,?,?,?,?,?,?,?,00007FF6C916C65E), ref: 00007FF6C90EADB9
ReleaseSRWLockExclusive.KERNEL32(?,?,?,?,?,?,?,?,00007FF6C916C65E), ref: 00007FF6C90EAE23

Memory Dump Source

Source File: 00000009.00000002.17535816929.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 00000009.00000002.17535783150.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536290510.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536372772.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536397328.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536423196.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536450452.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536450452.00007FF6C92F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536503376.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536547112.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536576070.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff6c9020000_setup.jbxd

Similarity

API ID: ExclusiveLockOnce$AcquireExecuteInitReleaseValue
String ID:
API String ID: 4082486125-0
Opcode ID: 44a921214e82abf1bc9c046c687e889eb5412cab8f81617366e05c0e02fbb446
Instruction ID: a3abbcda286b2d607bc9d1a21bf61b2e62c63b33aae4c871c9de8d4fb1789530
Opcode Fuzzy Hash: 44a921214e82abf1bc9c046c687e889eb5412cab8f81617366e05c0e02fbb446
Instruction Fuzzy Hash: D7415931E1861386FB149F55EA423B93BA1AF89B96F454139D9CEC37A1DF3CA485C340

Function 00007FF6C91A4924 Relevance: 6.1, APIs: 4, Instructions: 54COMMON

Download Yara Rule

APIs

FlsSetValue.KERNEL32(?,?,00001002,00007FF6C9195DF7,?,?,00000000,00007FF6C9195D0E), ref: 00007FF6C91A4962
FlsSetValue.KERNEL32(?,?,00001002,00007FF6C9195DF7,?,?,00000000,00007FF6C9195D0E), ref: 00007FF6C91A498A
FlsSetValue.KERNEL32(?,?,00001002,00007FF6C9195DF7,?,?,00000000,00007FF6C9195D0E), ref: 00007FF6C91A499B
FlsSetValue.KERNEL32(?,?,00001002,00007FF6C9195DF7,?,?,00000000,00007FF6C9195D0E), ref: 00007FF6C91A49AC

Memory Dump Source

Source File: 00000009.00000002.17535816929.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 00000009.00000002.17535783150.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536290510.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536372772.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536397328.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536423196.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536450452.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536450452.00007FF6C92F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536503376.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536547112.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536576070.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff6c9020000_setup.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 82f3305764a4c9534af9f6a213f7bdfcadc34aed1809c91b5c0ae16c2b4c1711
Instruction ID: 8510fc550f17b74507357b3115de9db5334ce447a972859b7c4d67942ccef582
Opcode Fuzzy Hash: 82f3305764a4c9534af9f6a213f7bdfcadc34aed1809c91b5c0ae16c2b4c1711
Instruction Fuzzy Hash: A5117F20F0C24281FB58AF3756521392A526F48BB2F154734D9FEC6ADAEE2CEC194244

Function 00007FF6C91747D0 Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

InitOnceExecuteOnce.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00007FF6C917488A), ref: 00007FF6C917480A
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00007FF6C917488A), ref: 00007FF6C917481D
TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00007FF6C917488A), ref: 00007FF6C917482B
SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00007FF6C917488A), ref: 00007FF6C9174836

Memory Dump Source

Source File: 00000009.00000002.17535816929.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 00000009.00000002.17535783150.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536290510.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536372772.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536397328.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536423196.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536450452.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536450452.00007FF6C92F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536503376.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536547112.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536576070.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff6c9020000_setup.jbxd

Similarity

API ID: ErrorLastOnce$ExecuteInitValue
String ID:
API String ID: 2797425889-0
Opcode ID: a7f580a1db86c0691c8a1048bdce57d947ebae8b0d093fb778288a7fb17cac4e
Instruction ID: 062ca3ab146848a90d57c9bebf2abdb0b06caaf3c09460400372b0a1ad8e3bd1
Opcode Fuzzy Hash: a7f580a1db86c0691c8a1048bdce57d947ebae8b0d093fb778288a7fb17cac4e
Instruction Fuzzy Hash: 73117026A28A5786FB609F15EA466692B51AF48F9AF450135C8CD83BA0DE3CE545C340

Function 00007FF6C90F2660 Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 42COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 00007FF6C90F267C
GetLastError.KERNEL32 ref: 00007FF6C90F26BB

Strings

CloseHandle, xrefs: 00007FF6C90F26E9
..\..\third_party\crashpad\crashpad\util\file\file_io_win.cc, xrefs: 00007FF6C90F26C4

Memory Dump Source

Source File: 00000009.00000002.17535816929.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 00000009.00000002.17535783150.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536290510.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536372772.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536397328.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536423196.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536450452.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536450452.00007FF6C92F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536503376.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536547112.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536576070.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff6c9020000_setup.jbxd

Similarity

API ID: CloseErrorHandleLast
String ID: ..\..\third_party\crashpad\crashpad\util\file\file_io_win.cc$CloseHandle
API String ID: 918212764-1830217499
Opcode ID: bd69f308de9511593cad69c1eac52c47856b21cc925288134a9f31ea72cd6f3d
Instruction ID: 54840d61ecc035f27069308e20d951167ad782153ea51d2d527712a63746be8a
Opcode Fuzzy Hash: bd69f308de9511593cad69c1eac52c47856b21cc925288134a9f31ea72cd6f3d
Instruction Fuzzy Hash: 88019262B1869341FB20AF11AA527FA2A50AF89B95F410435DDCD8BBC5DE2CD946C640

Function 00007FF6C917CA54 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF6C917CA80
GetCurrentThreadId.KERNEL32 ref: 00007FF6C917CA8E
GetCurrentProcessId.KERNEL32 ref: 00007FF6C917CA9A
QueryPerformanceCounter.KERNEL32 ref: 00007FF6C917CAAA

Memory Dump Source

Source File: 00000009.00000002.17535816929.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 00000009.00000002.17535783150.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536290510.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536372772.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536397328.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536423196.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536450452.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536450452.00007FF6C92F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536503376.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536547112.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536576070.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff6c9020000_setup.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 3133d9487d0477d4e1ccef10edea34fdc8a106d0f9a2bfd49347af14973d681d
Instruction ID: dee25f7acb87df73a7205f725f8190650a1a22af90f59da3c73d7ef3d9f372dd
Opcode Fuzzy Hash: 3133d9487d0477d4e1ccef10edea34fdc8a106d0f9a2bfd49347af14973d681d
Instruction Fuzzy Hash: F4111C22B25B418AFB00CF60E9552A937A4FB1975AF440E31DAAD86BA4DF7CD554C380

Function 00007FF6C91A94C8 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 167COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6C91A46E4: GetLastError.KERNEL32 ref: 00007FF6C91A46F3
Part of subcall function 00007FF6C91A46E4: FlsGetValue.KERNEL32 ref: 00007FF6C91A4708
Part of subcall function 00007FF6C91A46E4: SetLastError.KERNEL32 ref: 00007FF6C91A4793

GetACP.KERNEL32(?,?,?,00000000,00000092,00007FF6C918F280), ref: 00007FF6C91A95B4
IsValidCodePage.KERNEL32(?,?,?,00000000,00000092,00007FF6C918F280), ref: 00007FF6C91A95EC

Strings

utf8, xrefs: 00007FF6C91A96D0

Memory Dump Source

Source File: 00000009.00000002.17535816929.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 00000009.00000002.17535783150.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536290510.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536372772.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536397328.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536423196.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536450452.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536450452.00007FF6C92F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536503376.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536547112.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536576070.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff6c9020000_setup.jbxd

Similarity

API ID: ErrorLast$CodePageValidValue
String ID: utf8
API String ID: 1184045147-905460609
Opcode ID: a098707e0e397dbba8808c8e8636d6b2b0134b7177fc512126497e28f255d04b
Instruction ID: c16cd17fe9e97481ce367a9c743de3a0f2512b2a692d09cafa3d3a442bc99207
Opcode Fuzzy Hash: a098707e0e397dbba8808c8e8636d6b2b0134b7177fc512126497e28f255d04b
Instruction Fuzzy Hash: 56618D36A0874281FB24AF6199122B92AA4AF44F82F444031DE8DC7FD5EF7CED89C710

Function 00007FF6C919A6AC Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 00007FF6C919A7C3
GetLastError.KERNEL32 ref: 00007FF6C919A7E5

Strings

U, xrefs: 00007FF6C919A76F

Memory Dump Source

Source File: 00000009.00000002.17535816929.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 00000009.00000002.17535783150.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536290510.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536372772.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536397328.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536423196.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536450452.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536450452.00007FF6C92F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536503376.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536547112.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536576070.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff6c9020000_setup.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: a8a422de85bc080689bc33c2ae296ae64a68efb0952aaa768e0d0158310de667
Instruction ID: 908bcf3fded9d0e8faa8465431f74dfbceb6630113cce7ba673d9ce51035ef01
Opcode Fuzzy Hash: a8a422de85bc080689bc33c2ae296ae64a68efb0952aaa768e0d0158310de667
Instruction Fuzzy Hash: 2841C522728A8185EB109F25E4463B97BA1FB98B85F514031EECDC7B98EF3DD405C740

Function 00007FF6C917CBDC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6C917B64F), ref: 00007FF6C917CC2C
RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6C917B64F), ref: 00007FF6C917CC6D

Strings

csm, xrefs: 00007FF6C917CC5A

Memory Dump Source

Source File: 00000009.00000002.17535816929.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 00000009.00000002.17535783150.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536290510.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536372772.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536397328.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536423196.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536450452.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536450452.00007FF6C92F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536503376.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536547112.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536576070.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff6c9020000_setup.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 6069ad5b81e3bc1f2d8a70c0aad8b9ed6a44de4b6d1ca3e4fb3a3b470db0722c
Instruction ID: acf116d5936066f9c5bc4d1ac57575fb0b3d47943844f268883a37b1bfeeee74
Opcode Fuzzy Hash: 6069ad5b81e3bc1f2d8a70c0aad8b9ed6a44de4b6d1ca3e4fb3a3b470db0722c
Instruction Fuzzy Hash: A9116D72618B8182EB248F15F540269BBE4FB88B95F598230DECC47B68DF3CC951CB00

Function 00007FF6C9056350 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNEL32(?,?,?,00007FF6C9056818,?,?,?,00007FF6C91B6EED,?,?,?,?,?,?,00000001), ref: 00007FF6C905636E
WaitForSingleObject.KERNEL32(?,?,?,00007FF6C9056818,?,?,?,00007FF6C91B6EED,?,?,?,?,?,?,00000001), ref: 00007FF6C9056385

Strings

{A946A6A9-917E-4949-B9BC-6BADA8C7FD63}, xrefs: 00007FF6C9056363

Memory Dump Source

Source File: 00000009.00000002.17535816929.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 00000009.00000002.17535783150.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536290510.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536372772.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536397328.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536423196.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536450452.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536450452.00007FF6C92F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536503376.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536547112.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.17536576070.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff6c9020000_setup.jbxd

Similarity

API ID: CreateMutexObjectSingleWait
String ID: {A946A6A9-917E-4949-B9BC-6BADA8C7FD63}
API String ID: 3113225513-1352562265
Opcode ID: 1e3acc4879c1dcc9391b7b265de8a9a87ffdb80975c288b4ae9e2d009255d884
Instruction ID: dd609383003b474679814c064d18abde2318e35cb1b48e03c8812aad7e6597b6
Opcode Fuzzy Hash: 1e3acc4879c1dcc9391b7b265de8a9a87ffdb80975c288b4ae9e2d009255d884
Instruction Fuzzy Hash: D7E04822B1979181FB599F7AB94437526909F48B05F59C078D5CD87750DF3CD486C350

Analysis Process: setup.exePID: 8628, Parent PID: 8412COMMON

Execution Graph

Execution Coverage:	2.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	468
Total number of Limit Nodes:	30

Executed Functions

Function 00007FF6C91A485C Relevance: 10.6, APIs: 7, Instructions: 57
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32 ref: 00007FF6C91A486B
FlsGetValue.KERNEL32 ref: 00007FF6C91A4880
FlsSetValue.KERNEL32 ref: 00007FF6C91A48A1
FlsSetValue.KERNEL32 ref: 00007FF6C91A48CE
FlsSetValue.KERNEL32 ref: 00007FF6C91A48DF
FlsSetValue.KERNEL32 ref: 00007FF6C91A48F0
SetLastError.KERNEL32 ref: 00007FF6C91A490B

Memory Dump Source

Source File: 0000000C.00000002.17526890125.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 0000000C.00000002.17526859417.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527361484.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527452354.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527483626.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527510779.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527539821.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527539821.00007FF6C92F6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527607752.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527653925.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527684051.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6c9020000_setup.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 9c215e07966689fccacb168f234269f5bb2ba51e8c3e055530ba5e3d864a07b0
Instruction ID: 4cd909e14ffa656fa83a344e008502234a93242e1fd81198ecb058ea58604a18
Opcode Fuzzy Hash: 9c215e07966689fccacb168f234269f5bb2ba51e8c3e055530ba5e3d864a07b0
Instruction Fuzzy Hash: 74118124F1C28281F7585F76666213D2A526F88BF2F154734D9FEC7ADAEE6CE8054340

Function 00007FF6C9095BA0 Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 387
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6C9170B30: GetLastError.KERNEL32(?,?,00000002,00007FF6C909566F,?,?,00000002,?,..\..\third_party\crashpad\crashpad\util\file\file_io_win.cc,00000000,?,?,FFFFFFFF,?,00007FF6C91F239C), ref: 00007FF6C9170B4C
Part of subcall function 00007FF6C9170B30: SetLastError.KERNEL32(?,?,00000002,00007FF6C909566F,?,?,00000002,?,..\..\third_party\crashpad\crashpad\util\file\file_io_win.cc,00000000,?,?,FFFFFFFF,?,00007FF6C91F239C), ref: 00007FF6C9170B57

OutputDebugStringA.KERNEL32 ref: 00007FF6C909602E
WriteFile.KERNELBASE ref: 00007FF6C9096189

Strings

W, xrefs: 00007FF6C9095ECC
LogMessage, xrefs: 00007FF6C90961BF
LOG_FATAL, xrefs: 00007FF6C909620C

Memory Dump Source

Source File: 0000000C.00000002.17526890125.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 0000000C.00000002.17526859417.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527361484.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527452354.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527483626.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527510779.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527539821.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527539821.00007FF6C92F6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527607752.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527653925.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527684051.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6c9020000_setup.jbxd

Similarity

API ID: ErrorLast$DebugFileOutputStringWrite
String ID: LOG_FATAL$LogMessage$W
API String ID: 2864343081-2234279591
Opcode ID: 204e1a1b4b3b02e6af5e882663bfc33cb61cde10a1e0796fcaa544b0e02b1fd6
Instruction ID: 1df354c202298153b47f42894912f9b5223fcc05531f11e1a6fbfbdb30372c6a
Opcode Fuzzy Hash: 204e1a1b4b3b02e6af5e882663bfc33cb61cde10a1e0796fcaa544b0e02b1fd6
Instruction Fuzzy Hash: F302BF22B18B8285EB609F15E5512BA6BA0EF41B96F460039DECE83B96DF3DE445C700

Function 00007FF6C91F1B00 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 146
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32 ref: 00007FF6C91F1B83
CreateFileW.KERNELBASE ref: 00007FF6C91F1C53
GetCurrentDirectoryW.KERNEL32 ref: 00007FF6C91F1C8F

Strings

debug.log, xrefs: 00007FF6C91F1BF7, 00007FF6C91F1CF7

Memory Dump Source

Source File: 0000000C.00000002.17526890125.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 0000000C.00000002.17526859417.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527361484.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527452354.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527483626.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527510779.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527539821.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527539821.00007FF6C92F6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527607752.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527653925.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527684051.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6c9020000_setup.jbxd

Similarity

API ID: File$CreateCurrentDirectoryModuleName
String ID: debug.log
API String ID: 3818821825-600467936
Opcode ID: 72809cc7259121069deffa413a981da22c1090bca9a7ae6200236e194fa66dfc
Instruction ID: 9d3c42bc561e0e2b37b03a105acab83ee38ad5c942520202d24e5e0efdbcdd36
Opcode Fuzzy Hash: 72809cc7259121069deffa413a981da22c1090bca9a7ae6200236e194fa66dfc
Instruction Fuzzy Hash: 3751DA71A28A8680FB108F11EA593792BB1AF45FAAF004235CADD87BE0DF7DE1458300

Function 00007FF6C90F2150 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 101
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE ref: 00007FF6C90F21BE

Strings

CreateFile , xrefs: 00007FF6C90F2240
..\..\third_party\crashpad\crashpad\util\file\file_io_win.cc, xrefs: 00007FF6C90F221E

Memory Dump Source

Source File: 0000000C.00000002.17526890125.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 0000000C.00000002.17526859417.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527361484.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527452354.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527483626.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527510779.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527539821.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527539821.00007FF6C92F6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527607752.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527653925.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527684051.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6c9020000_setup.jbxd

Similarity

API ID: CreateFile
String ID: ..\..\third_party\crashpad\crashpad\util\file\file_io_win.cc$CreateFile
API String ID: 823142352-2987130713
Opcode ID: 2e0ae4e2ad4091d8320f5b4799cd6eab61da632ab7bd3ca3a4940b2b4df5bad7
Instruction ID: 1152d75f872e0501a6b95336cdda7b2b9172026545ebfe92708c6454328a598a
Opcode Fuzzy Hash: 2e0ae4e2ad4091d8320f5b4799cd6eab61da632ab7bd3ca3a4940b2b4df5bad7
Instruction Fuzzy Hash: 2D31E022B0868242FF11CF15E6517BA6B60BB89BDAF440135DACD87BD5DF2CE2468B00

Function 00007FF6C90F24A0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 58
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFilePointerEx.KERNELBASE ref: 00007FF6C90F24F0
GetLastError.KERNEL32 ref: 00007FF6C90F254C

Strings

SetFilePointerEx, xrefs: 00007FF6C90F257A
..\..\third_party\crashpad\crashpad\util\file\file_io_win.cc, xrefs: 00007FF6C90F2555

Memory Dump Source

Source File: 0000000C.00000002.17526890125.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 0000000C.00000002.17526859417.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527361484.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527452354.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527483626.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527510779.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527539821.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527539821.00007FF6C92F6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527607752.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527653925.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527684051.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6c9020000_setup.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID: ..\..\third_party\crashpad\crashpad\util\file\file_io_win.cc$SetFilePointerEx
API String ID: 2976181284-3423003897
Opcode ID: 844e05737310e890d8c91f416288aa82cb5c299eea38e7eff2b73318ecabe8e5
Instruction ID: 95642bb57e3ebdd3568a684c63886b1a58fbf4635cd4a4b8052220a45d42d2a6
Opcode Fuzzy Hash: 844e05737310e890d8c91f416288aa82cb5c299eea38e7eff2b73318ecabe8e5
Instruction Fuzzy Hash: 9821BE31B1C69240FB609F16A512BB92A90AF48BEAF800135CDDD87FC5CE2CE2438700

Function 00007FF6C90F25A0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6C90F24A0: SetFilePointerEx.KERNELBASE ref: 00007FF6C90F24F0

SetEndOfFile.KERNELBASE ref: 00007FF6C90F25D2
GetLastError.KERNEL32 ref: 00007FF6C90F2609

Strings

SetEndOfFile, xrefs: 00007FF6C90F2637
..\..\third_party\crashpad\crashpad\util\file\file_io_win.cc, xrefs: 00007FF6C90F2612

Memory Dump Source

Source File: 0000000C.00000002.17526890125.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 0000000C.00000002.17526859417.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527361484.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527452354.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527483626.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527510779.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527539821.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527539821.00007FF6C92F6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527607752.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527653925.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527684051.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6c9020000_setup.jbxd

Similarity

API ID: File$ErrorLastPointer
String ID: ..\..\third_party\crashpad\crashpad\util\file\file_io_win.cc$SetEndOfFile
API String ID: 841452515-359779137
Opcode ID: 674331e17bbd71cd14e59761385c21c09cd0443200d865423d61f4169f498cad
Instruction ID: 45988eedf4504a3f844d10eb3da527988fc7075b6abb6294f3d91fe3cfb61281
Opcode Fuzzy Hash: 674331e17bbd71cd14e59761385c21c09cd0443200d865423d61f4169f498cad
Instruction Fuzzy Hash: BE11E521B1C59641FB20AF25A9227BA2A519F89F8AF410134DDCEC7B86DE2DE5078740

Function 00007FF6C90F2660 Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 42
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CloseHandle.KERNELBASE ref: 00007FF6C90F267C
GetLastError.KERNEL32 ref: 00007FF6C90F26BB

Strings

CloseHandle, xrefs: 00007FF6C90F26E9
..\..\third_party\crashpad\crashpad\util\file\file_io_win.cc, xrefs: 00007FF6C90F26C4

Memory Dump Source

Source File: 0000000C.00000002.17526890125.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 0000000C.00000002.17526859417.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527361484.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527452354.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527483626.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527510779.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527539821.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527539821.00007FF6C92F6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527607752.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527653925.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527684051.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6c9020000_setup.jbxd

Similarity

API ID: CloseErrorHandleLast
String ID: ..\..\third_party\crashpad\crashpad\util\file\file_io_win.cc$CloseHandle
API String ID: 918212764-1830217499
Opcode ID: bd69f308de9511593cad69c1eac52c47856b21cc925288134a9f31ea72cd6f3d
Instruction ID: 54840d61ecc035f27069308e20d951167ad782153ea51d2d527712a63746be8a
Opcode Fuzzy Hash: bd69f308de9511593cad69c1eac52c47856b21cc925288134a9f31ea72cd6f3d
Instruction Fuzzy Hash: 88019262B1869341FB20AF11AA527FA2A50AF89B95F410435DDCD8BBC5DE2CD946C640

Function 00007FF6C90F2A10 Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

..\..\third_party\crashpad\crashpad\util\file\file_io.cc, xrefs: 00007FF6C90F2A9E
ReadFile, xrefs: 00007FF6C90F2AC3

Memory Dump Source

Source File: 0000000C.00000002.17526890125.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 0000000C.00000002.17526859417.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527361484.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527452354.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527483626.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527510779.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527539821.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527539821.00007FF6C92F6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527607752.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527653925.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527684051.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6c9020000_setup.jbxd

Similarity

API ID: CloseHandle
String ID: ..\..\third_party\crashpad\crashpad\util\file\file_io.cc$ReadFile
API String ID: 2962429428-1347244036
Opcode ID: 30d89f1bbfdb8cd4f1505fd23aceacf41d9905e994a816dd0aa84fd6f31b860e
Instruction ID: 2149e9909e31cda4c1be82227d1fdf5edba75c0ae599882fc9cd15fc80696c66
Opcode Fuzzy Hash: 30d89f1bbfdb8cd4f1505fd23aceacf41d9905e994a816dd0aa84fd6f31b860e
Instruction Fuzzy Hash: 27112322F181C640FB20AF19A5123F91A50AF98BAAF400635DDCD8BBC6DE1CE6478700

Function 00007FF6C90F2010 Relevance: 4.6, APIs: 3, Instructions: 59
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadFile.KERNELBASE ref: 00007FF6C90F206E
GetFileType.KERNEL32 ref: 00007FF6C90F20A5
GetLastError.KERNEL32 ref: 00007FF6C90F20B6

Memory Dump Source

Source File: 0000000C.00000002.17526890125.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 0000000C.00000002.17526859417.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527361484.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527452354.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527483626.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527510779.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527539821.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527539821.00007FF6C92F6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527607752.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527653925.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527684051.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6c9020000_setup.jbxd

Similarity

API ID: File$ErrorLastReadType
String ID:
API String ID: 291879748-0
Opcode ID: 443ccd3f952e52c5fa5255bd0580c556af1c3914ff954ab95faf65a1b50ec064
Instruction ID: 4116195d9c08aeb2b6c8aae9553b2157b6a60d98e6cbf9b49fcd1d305b32bf32
Opcode Fuzzy Hash: 443ccd3f952e52c5fa5255bd0580c556af1c3914ff954ab95faf65a1b50ec064
Instruction Fuzzy Hash: 5211C423B1858249F7218F26A94462AB790AF48B99F550635ED9DC7794CE3CD943CA00

Function 00007FF6C90F2930 Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 58
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32 ref: 00007FF6C90F29C5

Strings

..\..\third_party\crashpad\crashpad\util\file\file_io.cc, xrefs: 00007FF6C90F29CE
WriteFile, xrefs: 00007FF6C90F29F3

Memory Dump Source

Source File: 0000000C.00000002.17526890125.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 0000000C.00000002.17526859417.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527361484.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527452354.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527483626.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527510779.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527539821.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527539821.00007FF6C92F6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527607752.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527653925.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527684051.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6c9020000_setup.jbxd

Similarity

API ID: ErrorLast
String ID: ..\..\third_party\crashpad\crashpad\util\file\file_io.cc$WriteFile
API String ID: 1452528299-1292784012
Opcode ID: 179de11993113eb105d4fe59dc2ffbc84c64f5c5db04941f19f45d2b2279ad05
Instruction ID: 331f5b19496ed790b97b69d86cd3b7f9857fa4a7341ba57153e92b948ca88415
Opcode Fuzzy Hash: 179de11993113eb105d4fe59dc2ffbc84c64f5c5db04941f19f45d2b2279ad05
Instruction Fuzzy Hash: 2511CD21B1C68641FF159F11EA127F92A90AF48BD9F454039DDCD87B86DE2CE606C300

Function 00007FF6C9085690 Relevance: 3.0, APIs: 2, Instructions: 37
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(?,?,?,?,00000000,00000000,?,00007FF6C9056678,?,?,?,?,?,?,?), ref: 00007FF6C90856C6
RegCloseKey.ADVAPI32(?,?,?,?,00000000,00000000,?,00007FF6C9056678,?,?,?,?,?,?,?), ref: 00007FF6C9085702

Memory Dump Source

Source File: 0000000C.00000002.17526890125.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 0000000C.00000002.17526859417.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527361484.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527452354.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527483626.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527510779.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527539821.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527539821.00007FF6C92F6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527607752.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527653925.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527684051.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6c9020000_setup.jbxd

Similarity

API ID: CloseOpen
String ID:
API String ID: 47109696-0
Opcode ID: 1b45fec8eeae5ab7eb531375cc05bb643b2247f9ebeecbba943f5b46a548d667
Instruction ID: 9d11baaf4b25d187287a475e22751ddf572348239aa7b7b61a6a63692f6c1ee4
Opcode Fuzzy Hash: 1b45fec8eeae5ab7eb531375cc05bb643b2247f9ebeecbba943f5b46a548d667
Instruction Fuzzy Hash: 02016272B29A5282FB544F15E95176A67A0FB88B95F014035EECF87750DE3CD8518740

Function 00007FF6C90CA0E0 Relevance: 2.5, APIs: 2, Instructions: 22
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualFree.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,00000000,000023A8000AC050,-0000000400000000,?,00007FF6C90B8811), ref: 00007FF6C90CA0EA
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,000023A8000AC050,-0000000400000000,?,00007FF6C90B8811), ref: 00007FF6C90CA0F4

Memory Dump Source

Source File: 0000000C.00000002.17526890125.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 0000000C.00000002.17526859417.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527361484.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527452354.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527483626.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527510779.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527539821.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527539821.00007FF6C92F6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527607752.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527653925.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527684051.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6c9020000_setup.jbxd

Similarity

API ID: ErrorFreeLastVirtual
String ID:
API String ID: 499627090-0
Opcode ID: 73818c80937deb4832c471d99414fc7ff2eeaff62bfd5e719b1526dabfdcc212
Instruction ID: c4556b923349a6dfab87c672e7eba8a6d73739182f90ed374908bbfadd765bb2
Opcode Fuzzy Hash: 73818c80937deb4832c471d99414fc7ff2eeaff62bfd5e719b1526dabfdcc212
Instruction Fuzzy Hash: 12D01251F1954245F7542F726D4133428546F25B87F81483CC68CD6650EE1CD085C711

Function 00007FF6C90F20D0 Relevance: 1.5, APIs: 1, Instructions: 23
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE ref: 00007FF6C90F211C

Memory Dump Source

Source File: 0000000C.00000002.17526890125.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 0000000C.00000002.17526859417.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527361484.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527452354.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527483626.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527510779.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527539821.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527539821.00007FF6C92F6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527607752.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527653925.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527684051.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6c9020000_setup.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: d1b69eb38a61535727279d59207186c3acebad48a70d119754322408c0ea9445
Instruction ID: a4ad43877a53264d5a2d4d949b190572637b1bba2d2094a4d76f6ae8b55ade27
Opcode Fuzzy Hash: d1b69eb38a61535727279d59207186c3acebad48a70d119754322408c0ea9445
Instruction Fuzzy Hash: 5CF0A022B1868186FB208F18EA543292B61FB9974AF148035C6CE86758CF3DD206C704

Non-executed Functions

Function 00007FF6C91A9EEC Relevance: 9.2, APIs: 6, Instructions: 171COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6C91A46E4: GetLastError.KERNEL32 ref: 00007FF6C91A46F3
Part of subcall function 00007FF6C91A46E4: FlsGetValue.KERNEL32 ref: 00007FF6C91A4708
Part of subcall function 00007FF6C91A46E4: SetLastError.KERNEL32 ref: 00007FF6C91A4793

Part of subcall function 00007FF6C91A46E4: FlsSetValue.KERNEL32 ref: 00007FF6C91A4729

GetUserDefaultLCID.KERNEL32(?,00000000,00000092,?), ref: 00007FF6C91AA05C

Part of subcall function 00007FF6C91A46E4: FlsSetValue.KERNEL32 ref: 00007FF6C91A4756
Part of subcall function 00007FF6C91A46E4: FlsSetValue.KERNEL32 ref: 00007FF6C91A4767
Part of subcall function 00007FF6C91A46E4: FlsSetValue.KERNEL32 ref: 00007FF6C91A4778

EnumSystemLocalesW.KERNEL32(?,00000000,00000092,?,?,00000000,?,00007FF6C918F279), ref: 00007FF6C91AA043
IsValidCodePage.KERNEL32 ref: 00007FF6C91AA098
IsValidLocale.KERNEL32 ref: 00007FF6C91AA0AE
GetLocaleInfoW.KERNEL32 ref: 00007FF6C91AA10A
GetLocaleInfoW.KERNEL32 ref: 00007FF6C91AA126

Memory Dump Source

Source File: 0000000C.00000002.17526890125.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 0000000C.00000002.17526859417.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527361484.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527452354.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527483626.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527510779.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527539821.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527539821.00007FF6C92F6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527607752.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527653925.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527684051.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6c9020000_setup.jbxd

Similarity

API ID: Value$Locale$ErrorInfoLastValid$CodeDefaultEnumLocalesPageSystemUser
String ID:
API String ID: 1706690794-0
Opcode ID: fc7311b086ce6fd43b0eb301339a6b3cc1f08fc7bd23cc236602390b1e8bbbb3
Instruction ID: 67901dfb2fb77a510e2397a38f0577ed87fcffa6a76ad8f25fe7823e4d32b112
Opcode Fuzzy Hash: fc7311b086ce6fd43b0eb301339a6b3cc1f08fc7bd23cc236602390b1e8bbbb3
Instruction Fuzzy Hash: 85718E62B186429AFF109F60D8526BD3BB1BF44B46F444036CA9E93B95EF3CE849C350

Function 00007FF6C9195B80 Relevance: 9.1, APIs: 6, Instructions: 83COMMON

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF6C9195BF9
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF6C9195C11
RtlVirtualUnwind.KERNEL32 ref: 00007FF6C9195C4C
IsDebuggerPresent.KERNEL32 ref: 00007FF6C9195C85
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF6C9195C8F
UnhandledExceptionFilter.KERNEL32 ref: 00007FF6C9195C9A

Memory Dump Source

Source File: 0000000C.00000002.17526890125.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 0000000C.00000002.17526859417.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527361484.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527452354.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527483626.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527510779.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527539821.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527539821.00007FF6C92F6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527607752.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527653925.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527684051.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6c9020000_setup.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 49f356e329ffe9317a02f37c9929f3f11b56c8c09c740634a9a27b444624c1bf
Instruction ID: 2d89929f6b2b5e1de59c62758e17a49baa08a0162dc4cae138fb188dfddb7d08
Opcode Fuzzy Hash: 49f356e329ffe9317a02f37c9929f3f11b56c8c09c740634a9a27b444624c1bf
Instruction Fuzzy Hash: F7317132A18F8186EB60CF25E8412AE77A5FB88B59F504135EADD87B98DF3CC545CB00

Function 00007FF6C91AA798 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 50COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,?,?,?,?,?,?,00007FF6C91AA08B), ref: 00007FF6C91AA7ED
GetLocaleInfoW.KERNEL32(?,?,?,?,?,?,?,00007FF6C91AA08B), ref: 00007FF6C91AA81A
GetACP.KERNEL32(?,?,?,?,?,?,?,00007FF6C91AA08B), ref: 00007FF6C91AA830

Strings

ACP, xrefs: 00007FF6C91AA7B9
OCP, xrefs: 00007FF6C91AA7C9

Memory Dump Source

Source File: 0000000C.00000002.17526890125.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 0000000C.00000002.17526859417.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527361484.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527452354.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527483626.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527510779.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527539821.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527539821.00007FF6C92F6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527607752.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527653925.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527684051.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6c9020000_setup.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: b57b358656b6c5e522c07b9433039294d2a61d4965a7f805eed9d0eed18eb55b
Instruction ID: 0ebe323de0f884bab371b4a420940bf8bf64792fecca6ecc780dc2e739c55a70
Opcode Fuzzy Hash: b57b358656b6c5e522c07b9433039294d2a61d4965a7f805eed9d0eed18eb55b
Instruction Fuzzy Hash: 2A11B121A1868382FB649F51E50257A6BA1FF44B93F808035DACAC3A55DF2CEC4AC740

Function 00007FF6C9146D00 Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 174threadtimeCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00007FF6C9146D30
QueryThreadCycleTime.KERNEL32 ref: 00007FF6C9146D3E
GetCurrentThread.KERNEL32 ref: 00007FF6C9146DC5
GetThreadPriority.KERNEL32 ref: 00007FF6C9146DCA
GetCurrentThread.KERNEL32 ref: 00007FF6C9146DD2
SetThreadPriority.KERNEL32 ref: 00007FF6C9146DDC
QueryPerformanceCounter.KERNEL32 ref: 00007FF6C9146E42
GetCurrentThread.KERNEL32 ref: 00007FF6C9146E4B
SetThreadPriority.KERNEL32 ref: 00007FF6C9146E56
QueryPerformanceFrequency.KERNEL32 ref: 00007FF6C9146E64
QueryPerformanceCounter.KERNEL32 ref: 00007FF6C9146F48

Strings

PERFETTO_CHECK(perf_counter_now >= perf_counter_initial), xrefs: 00007FF6C9146F94
PERFETTO_CHECK(tsc_now >= tsc_initial), xrefs: 00007FF6C9146FE6
%s (errno: %d, %s), xrefs: 00007FF6C9146FA0, 00007FF6C9146FF2
..\..\third_party\perfetto\src\base\time.cc, xrefs: 00007FF6C9146F7F, 00007FF6C9146FD1

Memory Dump Source

Source File: 0000000C.00000002.17526890125.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 0000000C.00000002.17526859417.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527361484.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527452354.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527483626.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527510779.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527539821.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527539821.00007FF6C92F6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527607752.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527653925.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527684051.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6c9020000_setup.jbxd

Similarity

API ID: Thread$CurrentQuery$PerformancePriority$Counter$CycleFrequencyTime
String ID: %s (errno: %d, %s)$..\..\third_party\perfetto\src\base\time.cc$PERFETTO_CHECK(perf_counter_now >= perf_counter_initial)$PERFETTO_CHECK(tsc_now >= tsc_initial)
API String ID: 649842374-3408761757
Opcode ID: de432c121d9762614cbf4ba3aa36bff704b534f44ecf2d0cb4b272247977c08a
Instruction ID: 809e4a2005fd723fc584d526b9bf61b356839fbb730a3a9acbb58c3cf07d1178
Opcode Fuzzy Hash: de432c121d9762614cbf4ba3aa36bff704b534f44ecf2d0cb4b272247977c08a
Instruction Fuzzy Hash: 0881C421928A4285F711DF20EA512797B60FF49B9AF154235D9CED7BA5DF3CE442C700

Function 00007FF6C9095630 Relevance: 14.3, APIs: 3, Strings: 5, Instructions: 310threadtimeCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6C9170B30: GetLastError.KERNEL32(?,?,00000002,00007FF6C909566F,?,?,00000002,?,..\..\third_party\crashpad\crashpad\util\file\file_io_win.cc,00000000,?,?,FFFFFFFF,?,00007FF6C91F239C), ref: 00007FF6C9170B4C
Part of subcall function 00007FF6C9170B30: SetLastError.KERNEL32(?,?,00000002,00007FF6C909566F,?,?,00000002,?,..\..\third_party\crashpad\crashpad\util\file\file_io_win.cc,00000000,?,?,FFFFFFFF,?,00007FF6C91F239C), ref: 00007FF6C9170B57

GetCurrentThreadId.KERNEL32 ref: 00007FF6C9095735
GetLocalTime.KERNEL32(?,?,00000002,?,..\..\third_party\crashpad\crashpad\util\file\file_io_win.cc,00000000,?,?,FFFFFFFF,?,00007FF6C91F239C), ref: 00007FF6C9095776

Strings

UNKNOWN, xrefs: 00007FF6C9095A2F
)] , xrefs: 00007FF6C9095916
VERBOSE, xrefs: 00007FF6C9095A62
:\/, xrefs: 00007FF6C90958D4
..\..\third_party\crashpad\crashpad\util\file\file_io_win.cc, xrefs: 00007FF6C9095639

Memory Dump Source

Source File: 0000000C.00000002.17526890125.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 0000000C.00000002.17526859417.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527361484.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527452354.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527483626.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527510779.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527539821.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527539821.00007FF6C92F6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527607752.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527653925.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527684051.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6c9020000_setup.jbxd

Similarity

API ID: ErrorLast$CurrentLocalThreadTime
String ID: )] $..\..\third_party\crashpad\crashpad\util\file\file_io_win.cc$:\/$UNKNOWN$VERBOSE
API String ID: 359520752-2521604196
Opcode ID: c8ca36fb0e73a89e3d6cb400dbebea6c548ef5068fe02463721102b877aa1f59
Instruction ID: 1f0ee3adbd5c15d3a86d17d8e7c5ae77a6aa7afc29a2e763a48f0ba94dcafd3c
Opcode Fuzzy Hash: c8ca36fb0e73a89e3d6cb400dbebea6c548ef5068fe02463721102b877aa1f59
Instruction Fuzzy Hash: AED1C321B1968284EF14DF16E4552BA6F90EB89FCAF864439DECD8B792DE3DE141C700

Function 00007FF6C91A5880 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 117libraryloaderCOMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00000000,00007FF6C91A566C,?,?,00000000,00007FF6C91A7E63,?,?,00000003,00007FF6C918E33D), ref: 00007FF6C91A59FC
GetProcAddress.KERNEL32(?,?,00000000,00007FF6C91A566C,?,?,00000000,00007FF6C91A7E63,?,?,00000003,00007FF6C918E33D), ref: 00007FF6C91A5A08

Strings

MZx, xrefs: 00007FF6C91A589F, 00007FF6C91A5985, 00007FF6C91A59E5
api-ms-, xrefs: 00007FF6C91A5946
ext-ms-, xrefs: 00007FF6C91A5959

Memory Dump Source

Source File: 0000000C.00000002.17526890125.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 0000000C.00000002.17526859417.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527361484.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527452354.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527483626.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527510779.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527539821.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527539821.00007FF6C92F6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527607752.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527653925.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527684051.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6c9020000_setup.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: MZx$api-ms-$ext-ms-
API String ID: 3013587201-2431898299
Opcode ID: 13f8f4d5adfa5fe98ff9d75ff434922d7620d7c2fd455643e412e673fb3db0a4
Instruction ID: 50d4bff8499593dca60688d9916a3521f2f01dd5395462f61b2aa2c891212baf
Opcode Fuzzy Hash: 13f8f4d5adfa5fe98ff9d75ff434922d7620d7c2fd455643e412e673fb3db0a4
Instruction Fuzzy Hash: DC41E322B29B4285FB16CF1699456792B91BF55BA2F094135DD8DCBB84EE3CEC49C200

Function 00007FF6C91B0DC4 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 88libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,00000012,?,00007FF6C91B0CEB,?,?,00000000,00007FF6C91A0A72,?,?,?,00007FF6C917DDA9), ref: 00007FF6C91B0E49
GetLastError.KERNEL32(?,00000012,?,00007FF6C91B0CEB,?,?,00000000,00007FF6C91A0A72,?,?,?,00007FF6C917DDA9), ref: 00007FF6C91B0E57
LoadLibraryExW.KERNEL32(?,00000012,?,00007FF6C91B0CEB,?,?,00000000,00007FF6C91A0A72,?,?,?,00007FF6C917DDA9), ref: 00007FF6C91B0E81
FreeLibrary.KERNEL32(?,00000012,?,00007FF6C91B0CEB,?,?,00000000,00007FF6C91A0A72,?,?,?,00007FF6C917DDA9), ref: 00007FF6C91B0EEF
GetProcAddress.KERNEL32(?,00000012,?,00007FF6C91B0CEB,?,?,00000000,00007FF6C91A0A72,?,?,?,00007FF6C917DDA9), ref: 00007FF6C91B0EFB

Strings

MZx, xrefs: 00007FF6C91B0DE2, 00007FF6C91B0E92, 00007FF6C91B0ED8
api-ms-, xrefs: 00007FF6C91B0E69
..\..\third_party\crashpad\crashpad\util\file\file_io_win.cc, xrefs: 00007FF6C91B0DD8

Memory Dump Source

Source File: 0000000C.00000002.17526890125.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 0000000C.00000002.17526859417.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527361484.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527452354.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527483626.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527510779.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527539821.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527539821.00007FF6C92F6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527607752.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527653925.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527684051.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6c9020000_setup.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: ..\..\third_party\crashpad\crashpad\util\file\file_io_win.cc$MZx$api-ms-
API String ID: 2559590344-3539208823
Opcode ID: 4297d0d72445a5ed14222d767aff36e0ccd66d9d2c0f99644abded0481749379
Instruction ID: a08a293f5a06761c69f735fb3f6120f768f654cb584aa394f4ee392bdd8861a2
Opcode Fuzzy Hash: 4297d0d72445a5ed14222d767aff36e0ccd66d9d2c0f99644abded0481749379
Instruction Fuzzy Hash: 6F31C162B1AB42C9FF119F12A5015752BA5BF48FA2F490535DD9D8BB88DF3CE4858304

Function 00007FF6C90EABB0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 74COMMON

Download Yara Rule

APIs

InitOnceExecuteOnce.KERNEL32(?,?,00000000,00000000,..\..\third_party\boringssl\src\crypto\mem.c,?,00007FF6C922A4D9,?,?,?,0000000E,00007FF6C922A509), ref: 00007FF6C90EABF3
GetLastError.KERNEL32(?,?,?,0000000E,00007FF6C922A509), ref: 00007FF6C90EAC0E
TlsGetValue.KERNEL32(?,?,?,0000000E,00007FF6C922A509), ref: 00007FF6C90EAC1C
SetLastError.KERNEL32(?,?,?,0000000E,00007FF6C922A509), ref: 00007FF6C90EAC27
TlsSetValue.KERNEL32(?,?,?,0000000E,00007FF6C922A509), ref: 00007FF6C90EAC52
AcquireSRWLockExclusive.KERNEL32(?,?,?,0000000E,00007FF6C922A509), ref: 00007FF6C90EAC66
ReleaseSRWLockExclusive.KERNEL32(?,?,?,0000000E,00007FF6C922A509), ref: 00007FF6C90EAC7D

Strings

..\..\third_party\boringssl\src\crypto\mem.c, xrefs: 00007FF6C90EABB2

Memory Dump Source

Source File: 0000000C.00000002.17526890125.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 0000000C.00000002.17526859417.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527361484.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527452354.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527483626.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527510779.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527539821.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527539821.00007FF6C92F6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527607752.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527653925.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527684051.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6c9020000_setup.jbxd

Similarity

API ID: ErrorExclusiveLastLockOnceValue$AcquireExecuteInitRelease
String ID: ..\..\third_party\boringssl\src\crypto\mem.c
API String ID: 389898287-3521738057
Opcode ID: 967fd5c76b4b0f57fde2daf56290db014900a64f721b7223f059e74187000840
Instruction ID: deab6c1db8a8555a80899cde34018235a216c8e3104a68a4273e7310fdb232b4
Opcode Fuzzy Hash: 967fd5c76b4b0f57fde2daf56290db014900a64f721b7223f059e74187000840
Instruction Fuzzy Hash: D0317E22B2961296FB40DF11EA556793B94AF49B9BF460039DCCEC77A1DE3CE449C380

Function 00007FF6C9057D20 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 155libraryloaderthreadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00007FF6C9057D84
LocalFree.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF6C9058535,?,?,?,?,?,?), ref: 00007FF6C9057E6B
GetModuleHandleA.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF6C9058535,?,?,?,?,?,?), ref: 00007FF6C9057EC2
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF6C9058535,?,?,?,?,?,?), ref: 00007FF6C9057ED2

Strings

GetThreadDescription, xrefs: 00007FF6C9057EC8
Kernel32.dll, xrefs: 00007FF6C9057EBB

Memory Dump Source

Source File: 0000000C.00000002.17526890125.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 0000000C.00000002.17526859417.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527361484.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527452354.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527483626.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527510779.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527539821.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527539821.00007FF6C92F6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527607752.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527653925.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527684051.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6c9020000_setup.jbxd

Similarity

API ID: AddressCurrentFreeHandleLocalModuleProcThread
String ID: GetThreadDescription$Kernel32.dll
API String ID: 4205643583-415897907
Opcode ID: 5101984a050c95c193425e26491a85c1de19e339799019307c579fc866a4c4b4
Instruction ID: 924da906f0170f1086d7dcff4f683be56b35e3eb7c4ef7dc0f4a428673468fa9
Opcode Fuzzy Hash: 5101984a050c95c193425e26491a85c1de19e339799019307c579fc866a4c4b4
Instruction Fuzzy Hash: F351AF32B18B4281FB10DF15E9411B97BA1EF48BE6F554235DADE87BA5DE3CE8418700

Function 00007FF6C91A46E4 Relevance: 10.6, APIs: 7, Instructions: 62COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF6C91A46F3
FlsGetValue.KERNEL32 ref: 00007FF6C91A4708
FlsSetValue.KERNEL32 ref: 00007FF6C91A4729
FlsSetValue.KERNEL32 ref: 00007FF6C91A4756
FlsSetValue.KERNEL32 ref: 00007FF6C91A4767
FlsSetValue.KERNEL32 ref: 00007FF6C91A4778
SetLastError.KERNEL32 ref: 00007FF6C91A4793

Memory Dump Source

Source File: 0000000C.00000002.17526890125.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 0000000C.00000002.17526859417.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527361484.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527452354.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527483626.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527510779.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527539821.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527539821.00007FF6C92F6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527607752.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527653925.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527684051.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6c9020000_setup.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 41b5958701493da588de957a310c25c635e8a11efb66ac24fd9486dc90d30bd0
Instruction ID: d52e9cdd42addfcb46d98bfd61c1e2f5b3e2fe956e7051b7f6a999ea7500922a
Opcode Fuzzy Hash: 41b5958701493da588de957a310c25c635e8a11efb66ac24fd9486dc90d30bd0
Instruction Fuzzy Hash: CC217C24F0C28281FB58AF76565213D6A526F45BF2F150A34D9FEC6EDAEE2CEC054280

Function 00007FF6C91B351C Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 00007FF6C91B354D
GetLastError.KERNEL32 ref: 00007FF6C91B3559
CloseHandle.KERNEL32 ref: 00007FF6C91B3571
CreateFileW.KERNEL32 ref: 00007FF6C91B359C
WriteConsoleW.KERNEL32 ref: 00007FF6C91B35BB

Strings

CONOUT$, xrefs: 00007FF6C91B357D

Memory Dump Source

Source File: 0000000C.00000002.17526890125.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 0000000C.00000002.17526859417.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527361484.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527452354.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527483626.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527510779.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527539821.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527539821.00007FF6C92F6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527607752.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527653925.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527684051.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6c9020000_setup.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: 352ad203f3a051f1809320f21ee2bf24d8655c668510723fd4d908605e4da839
Instruction ID: 5f5ebdce087cd9ea4726591fbef1967709864ae4166ac027930352489cc9927d
Opcode Fuzzy Hash: 352ad203f3a051f1809320f21ee2bf24d8655c668510723fd4d908605e4da839
Instruction Fuzzy Hash: 83118472A28A8186F7509F22E9443297AA0FB88FE6F400234D9DEC7B94CF7CD455C740

Function 00007FF6C90EAEC0 Relevance: 9.1, APIs: 6, Instructions: 112COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 00007FF6C90EAEF8
TlsSetValue.KERNEL32 ref: 00007FF6C90EAF24
TlsSetValue.KERNEL32 ref: 00007FF6C90EAF52
TlsFree.KERNEL32 ref: 00007FF6C90EAF9E

Part of subcall function 00007FF6C91292D0: TlsAlloc.KERNEL32(?,?,?,00007FF6C90EAE3F,?,?,?,?,?,?,?,?,00007FF6C916C65E), ref: 00007FF6C91292D8

TlsFree.KERNEL32 ref: 00007FF6C90EAFD2
TlsGetValue.KERNEL32(?,?,?,?,00007FF6C90EAE3F,?,?,?,?,?,?,?,?,00007FF6C916C65E), ref: 00007FF6C90EB002

Memory Dump Source

Source File: 0000000C.00000002.17526890125.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 0000000C.00000002.17526859417.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527361484.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527452354.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527483626.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527510779.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527539821.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527539821.00007FF6C92F6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527607752.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527653925.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527684051.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6c9020000_setup.jbxd

Similarity

API ID: Value$Free$Alloc
String ID:
API String ID: 4173863045-0
Opcode ID: 28c125dd58b9a80b5de19970b8bcb57c75e4a4598a26161729adbcb72c2e6fcb
Instruction ID: a9f6dbb7460f6c70f43b6cebfea8230845bb44a2e7b3f005cabfb0d1a11b222e
Opcode Fuzzy Hash: 28c125dd58b9a80b5de19970b8bcb57c75e4a4598a26161729adbcb72c2e6fcb
Instruction Fuzzy Hash: 3A31D431B185424AF7649F25E5021797A619F897A6F004338EAED87BD5CE3CE542CB40

Function 00007FF6C919A014 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 299fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 00007FF6C919A093
WriteFile.KERNEL32 ref: 00007FF6C919A35B
WriteFile.KERNEL32 ref: 00007FF6C919A3A1
GetLastError.KERNEL32 ref: 00007FF6C919A457

Strings

MZx, xrefs: 00007FF6C919A06A, 00007FF6C919A0EB, 00007FF6C919A1A0

Memory Dump Source

Source File: 0000000C.00000002.17526890125.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 0000000C.00000002.17526859417.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527361484.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527452354.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527483626.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527510779.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527539821.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527539821.00007FF6C92F6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527607752.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527653925.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527684051.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6c9020000_setup.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID: MZx
API String ID: 2718003287-2575928145
Opcode ID: 3f9a4d962f3682551a42740c76d16857cc1f7354d3bf491627a76f20b6ada767
Instruction ID: afc7abaa173a9bac71a56c5870f869d4072ff8779e3f8c275393f6c6c9dba964
Opcode Fuzzy Hash: 3f9a4d962f3682551a42740c76d16857cc1f7354d3bf491627a76f20b6ada767
Instruction Fuzzy Hash: E8D10232B18B8189E711DF79D4442AC3BB2FB54B99B058236CE9D97F99DE38D50AC300

Function 00007FF6C922EA30 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 168fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32 ref: 00007FF6C922EA7F
GetLastError.KERNEL32 ref: 00007FF6C922EAA4
GetLastError.KERNEL32 ref: 00007FF6C922EBCD

Strings

CreateFile , xrefs: 00007FF6C922EACF, 00007FF6C922EBF8
..\..\third_party\crashpad\crashpad\util\file\file_io_win.cc, xrefs: 00007FF6C922EAAD, 00007FF6C922EBD6

Memory Dump Source

Source File: 0000000C.00000002.17526890125.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 0000000C.00000002.17526859417.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527361484.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527452354.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527483626.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527510779.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527539821.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527539821.00007FF6C92F6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527607752.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527653925.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527684051.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6c9020000_setup.jbxd

Similarity

API ID: ErrorLast$CreateFile
String ID: ..\..\third_party\crashpad\crashpad\util\file\file_io_win.cc$CreateFile
API String ID: 1722934493-2987130713
Opcode ID: 0c5a381dd2cc4cf7d4c8ee682f01548dd06b80daa7296f2e1490ca0135be6c29
Instruction ID: 662a0370a970df7b70c06c0ce029b590cfb606f7b47e749d58dcc4f5e73248d7
Opcode Fuzzy Hash: 0c5a381dd2cc4cf7d4c8ee682f01548dd06b80daa7296f2e1490ca0135be6c29
Instruction Fuzzy Hash: 6C51F522B2CA9241FB119F11E2553BA6B61AF89BE5F040531EEDD8BFD5CF2CE1458740

Function 00007FF6C9058C00 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 136threadCOMMON

Download Yara Rule

APIs

SwitchToThread.KERNEL32(?), ref: 00007FF6C9058D0A

Strings

PERFETTO_CHECK(chunk.size() == page_chunk_size), xrefs: 00007FF6C9058D50
PERFETTO_CHECK(chunk_state == expected_chunk_state), xrefs: 00007FF6C9058D9E
..\..\third_party\perfetto\src\tracing\core\shared_memory_abi.cc, xrefs: 00007FF6C9058D3B, 00007FF6C9058D89
%s (errno: %d, %s), xrefs: 00007FF6C9058D5C, 00007FF6C9058DAA

Memory Dump Source

Source File: 0000000C.00000002.17526890125.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 0000000C.00000002.17526859417.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527361484.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527452354.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527483626.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527510779.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527539821.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527539821.00007FF6C92F6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527607752.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527653925.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527684051.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6c9020000_setup.jbxd

Similarity

API ID: SwitchThread
String ID: %s (errno: %d, %s)$..\..\third_party\perfetto\src\tracing\core\shared_memory_abi.cc$PERFETTO_CHECK(chunk.size() == page_chunk_size)$PERFETTO_CHECK(chunk_state == expected_chunk_state)
API String ID: 115865932-3916303389
Opcode ID: 07d9ed0c1875b51bd5ab2eb666b6058fa0cd84b3aab4342cdd98731b53ec3783
Instruction ID: 0ebc553aebd02c2586f7e00086fa90defe1e4da25579d7142a13a537a923da80
Opcode Fuzzy Hash: 07d9ed0c1875b51bd5ab2eb666b6058fa0cd84b3aab4342cdd98731b53ec3783
Instruction Fuzzy Hash: FF410472B1854142E7249F11E8126B83F91FB94BA6F46423ADE9E87BD1DF3CD846C304

Function 00007FF6C91F20F0 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 134windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNEL32 ref: 00007FF6C91F213F
LocalFree.KERNEL32 ref: 00007FF6C91F21B0
GetLastError.KERNEL32 ref: 00007FF6C91F230F

Strings

(0x%lX), xrefs: 00007FF6C91F21C2
Error (0x%lX) while retrieving error. (0x%lX), xrefs: 00007FF6C91F2315

Memory Dump Source

Source File: 0000000C.00000002.17526890125.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 0000000C.00000002.17526859417.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527361484.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527452354.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527483626.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527510779.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527539821.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527539821.00007FF6C92F6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527607752.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527653925.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527684051.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6c9020000_setup.jbxd

Similarity

API ID: ErrorFormatFreeLastLocalMessage
String ID: (0x%lX)$Error (0x%lX) while retrieving error. (0x%lX)
API String ID: 1365068426-3206765257
Opcode ID: ac1320a8166a978532e898e4478cdb7f796e4d9568b6e3ba5f249d112bfe48e4
Instruction ID: 36fb1c9a274894a7fb984df395a3db2f5e4c0a04ae3b89599e530ed43e6856fa
Opcode Fuzzy Hash: ac1320a8166a978532e898e4478cdb7f796e4d9568b6e3ba5f249d112bfe48e4
Instruction Fuzzy Hash: 9C51AD32A0DBC681EB218F25E4513AAABA0FF88B95F444135DACD87B99DF3CE045C700

Function 00007FF6C918E2C4 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 00007FF6C918E2E9
GetProcAddress.KERNEL32 ref: 00007FF6C918E2FF
FreeLibrary.KERNEL32 ref: 00007FF6C918E326

Strings

mscoree.dll, xrefs: 00007FF6C918E2E0
CorExitProcess, xrefs: 00007FF6C918E2F8

Memory Dump Source

Source File: 0000000C.00000002.17526890125.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 0000000C.00000002.17526859417.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527361484.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527452354.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527483626.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527510779.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527539821.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527539821.00007FF6C92F6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527607752.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527653925.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527684051.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6c9020000_setup.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: a9cac37bfe261094b8dc3b22efd67b94b8f954481e9b60e8c58e3bcd1fa20611
Instruction ID: ffb01d5ed37271b118a1fd50316bfd704764c54d15579d31d66e1571a703f1a6
Opcode Fuzzy Hash: a9cac37bfe261094b8dc3b22efd67b94b8f954481e9b60e8c58e3bcd1fa20611
Instruction Fuzzy Hash: B3F09662B29B4281FB189F24E5453396B20EF44B63F55063ADAED8A7E4DF3CE444D708

Function 00007FF6C91A47B8 Relevance: 7.6, APIs: 5, Instructions: 50COMMON

Download Yara Rule

APIs

FlsGetValue.KERNEL32 ref: 00007FF6C91A47C9
FlsSetValue.KERNEL32 ref: 00007FF6C91A47E8
FlsSetValue.KERNEL32 ref: 00007FF6C91A4810
FlsSetValue.KERNEL32 ref: 00007FF6C91A4821
FlsSetValue.KERNEL32 ref: 00007FF6C91A4832

Memory Dump Source

Source File: 0000000C.00000002.17526890125.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 0000000C.00000002.17526859417.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527361484.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527452354.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527483626.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527510779.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527539821.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527539821.00007FF6C92F6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527607752.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527653925.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527684051.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6c9020000_setup.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: adc86de3a61ec4bc6766ae0da6590d9ccbb7d9bd1b9f56830393b6ac0f2e4d43
Instruction ID: b0c597b8e4067e0999e1a86ff660d74eb1a58e5b3749803cd2f4112a946a8279
Opcode Fuzzy Hash: adc86de3a61ec4bc6766ae0da6590d9ccbb7d9bd1b9f56830393b6ac0f2e4d43
Instruction Fuzzy Hash: FB112E10F5C28381FB68AE7655631792A415F45BB2F150B38D9FECAAD7ED2CFC094281

Function 00007FF6C90F22E0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 54fileCOMMON

Download Yara Rule

APIs

LockFileEx.KERNEL32 ref: 00007FF6C90F232F
GetLastError.KERNEL32 ref: 00007FF6C90F2355

Strings

LockFileEx, xrefs: 00007FF6C90F23AB
..\..\third_party\crashpad\crashpad\util\file\file_io_win.cc, xrefs: 00007FF6C90F2381

Memory Dump Source

Source File: 0000000C.00000002.17526890125.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 0000000C.00000002.17526859417.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527361484.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527452354.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527483626.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527510779.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527539821.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527539821.00007FF6C92F6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527607752.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527653925.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527684051.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6c9020000_setup.jbxd

Similarity

API ID: ErrorFileLastLock
String ID: ..\..\third_party\crashpad\crashpad\util\file\file_io_win.cc$LockFileEx
API String ID: 1811722133-445818742
Opcode ID: 6ffc84015dee84a4ba2bd97ad0156444c272a122fa8a2de69a3506069068795c
Instruction ID: e4ffd6009bd071fb850f93d82d039d9c681f517191ed1d83007b8d31a279e155
Opcode Fuzzy Hash: 6ffc84015dee84a4ba2bd97ad0156444c272a122fa8a2de69a3506069068795c
Instruction Fuzzy Hash: B6212732B1C69280F7309F24E4127F96B60BF497AAF400635D9CD87BD5DE2CD6468700

Function 00007FF6C90F23D0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 49fileCOMMON

Download Yara Rule

APIs

UnlockFileEx.KERNEL32 ref: 00007FF6C90F2411
GetLastError.KERNEL32 ref: 00007FF6C90F244D

Strings

UnlockFileEx, xrefs: 00007FF6C90F247B
..\..\third_party\crashpad\crashpad\util\file\file_io_win.cc, xrefs: 00007FF6C90F2456

Memory Dump Source

Source File: 0000000C.00000002.17526890125.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 0000000C.00000002.17526859417.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527361484.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527452354.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527483626.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527510779.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527539821.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527539821.00007FF6C92F6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527607752.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527653925.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527684051.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6c9020000_setup.jbxd

Similarity

API ID: ErrorFileLastUnlock
String ID: ..\..\third_party\crashpad\crashpad\util\file\file_io_win.cc$UnlockFileEx
API String ID: 3655728120-3540829929
Opcode ID: 74321f8b8f7d5f58ae51096d1de463f0c0a745a8cd725a1752318707e6174bb1
Instruction ID: 457acc310c6ed852cfe88686b4ddc0d5cb63585794e68b35bfd8789033213aed
Opcode Fuzzy Hash: 74321f8b8f7d5f58ae51096d1de463f0c0a745a8cd725a1752318707e6174bb1
Instruction Fuzzy Hash: A7110832B18A8240FB309F25F5027F66B91AF88799F404235DDCD87BD5EE2CD2868700

Function 00007FF6C9199BEC Relevance: 6.2, APIs: 4, Instructions: 218COMMON

Download Yara Rule

APIs

GetConsoleMode.KERNEL32(?,?,?,?,?,?,00007FF6C90BC4DA,?,00007FF6C90BC4DA,?,00007FF6C90BC4DA,00007FF6C90BC4DA,00007FF6C90BC4DA,00000000,00007FF6C9199FFF,00000000), ref: 00007FF6C9199D08
GetLastError.KERNEL32(?,?,?,?,?,?,00007FF6C90BC4DA,?,00007FF6C90BC4DA,?,00007FF6C90BC4DA,00007FF6C90BC4DA,00007FF6C90BC4DA,00000000,00007FF6C9199FFF,00000000), ref: 00007FF6C9199D93

Memory Dump Source

Source File: 0000000C.00000002.17526890125.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 0000000C.00000002.17526859417.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527361484.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527452354.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527483626.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527510779.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527539821.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527539821.00007FF6C92F6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527607752.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527653925.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527684051.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6c9020000_setup.jbxd

Similarity

API ID: ConsoleErrorLastMode
String ID:
API String ID: 953036326-0
Opcode ID: f5dfd21c9c62ca3141aa7a32308898ae9c1f30e30e3285335ab396cb129fe87d
Instruction ID: 406e078e802c2ee58b6c00bafeef3e8d3b8cb0f13be1ce6b2c8a4689725ae507
Opcode Fuzzy Hash: f5dfd21c9c62ca3141aa7a32308898ae9c1f30e30e3285335ab396cb129fe87d
Instruction Fuzzy Hash: D991C332F1865189FB509F6994812BD2FA0BB05F8AF154139DE8E97E94DF3CD886C700

Function 00007FF6C90EAD10 Relevance: 6.1, APIs: 4, Instructions: 110COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6C9174780: InitOnceExecuteOnce.KERNEL32(?,?,?,?,?,?,00007FF6C917488A,?,?,?,00007FF6C916BF52), ref: 00007FF6C91747A7

TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,00007FF6C916C65E), ref: 00007FF6C90EAD7C
TryAcquireSRWLockExclusive.KERNEL32(?,?,?,?,?,?,?,?,00007FF6C916C65E), ref: 00007FF6C90EADB9
ReleaseSRWLockExclusive.KERNEL32(?,?,?,?,?,?,?,?,00007FF6C916C65E), ref: 00007FF6C90EAE23

Memory Dump Source

Source File: 0000000C.00000002.17526890125.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 0000000C.00000002.17526859417.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527361484.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527452354.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527483626.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527510779.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527539821.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527539821.00007FF6C92F6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527607752.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527653925.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527684051.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6c9020000_setup.jbxd

Similarity

API ID: ExclusiveLockOnce$AcquireExecuteInitReleaseValue
String ID:
API String ID: 4082486125-0
Opcode ID: 44a921214e82abf1bc9c046c687e889eb5412cab8f81617366e05c0e02fbb446
Instruction ID: a3abbcda286b2d607bc9d1a21bf61b2e62c63b33aae4c871c9de8d4fb1789530
Opcode Fuzzy Hash: 44a921214e82abf1bc9c046c687e889eb5412cab8f81617366e05c0e02fbb446
Instruction Fuzzy Hash: D7415931E1861386FB149F55EA423B93BA1AF89B96F454139D9CEC37A1DF3CA485C340

Function 00007FF6C91A4924 Relevance: 6.1, APIs: 4, Instructions: 54COMMON

Download Yara Rule

APIs

FlsSetValue.KERNEL32(?,?,00001002,00007FF6C9195DF7,?,?,00000000,00007FF6C9195D0E), ref: 00007FF6C91A4962
FlsSetValue.KERNEL32(?,?,00001002,00007FF6C9195DF7,?,?,00000000,00007FF6C9195D0E), ref: 00007FF6C91A498A
FlsSetValue.KERNEL32(?,?,00001002,00007FF6C9195DF7,?,?,00000000,00007FF6C9195D0E), ref: 00007FF6C91A499B
FlsSetValue.KERNEL32(?,?,00001002,00007FF6C9195DF7,?,?,00000000,00007FF6C9195D0E), ref: 00007FF6C91A49AC

Memory Dump Source

Source File: 0000000C.00000002.17526890125.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 0000000C.00000002.17526859417.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527361484.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527452354.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527483626.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527510779.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527539821.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527539821.00007FF6C92F6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527607752.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527653925.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527684051.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6c9020000_setup.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 82f3305764a4c9534af9f6a213f7bdfcadc34aed1809c91b5c0ae16c2b4c1711
Instruction ID: 8510fc550f17b74507357b3115de9db5334ce447a972859b7c4d67942ccef582
Opcode Fuzzy Hash: 82f3305764a4c9534af9f6a213f7bdfcadc34aed1809c91b5c0ae16c2b4c1711
Instruction Fuzzy Hash: A5117F20F0C24281FB58AF3756521392A526F48BB2F154734D9FEC6ADAEE2CEC194244

Function 00007FF6C91747D0 Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

InitOnceExecuteOnce.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00007FF6C917488A), ref: 00007FF6C917480A
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00007FF6C917488A), ref: 00007FF6C917481D
TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00007FF6C917488A), ref: 00007FF6C917482B
SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00007FF6C917488A), ref: 00007FF6C9174836

Memory Dump Source

Source File: 0000000C.00000002.17526890125.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 0000000C.00000002.17526859417.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527361484.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527452354.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527483626.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527510779.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527539821.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527539821.00007FF6C92F6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527607752.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527653925.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527684051.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6c9020000_setup.jbxd

Similarity

API ID: ErrorLastOnce$ExecuteInitValue
String ID:
API String ID: 2797425889-0
Opcode ID: a7f580a1db86c0691c8a1048bdce57d947ebae8b0d093fb778288a7fb17cac4e
Instruction ID: 062ca3ab146848a90d57c9bebf2abdb0b06caaf3c09460400372b0a1ad8e3bd1
Opcode Fuzzy Hash: a7f580a1db86c0691c8a1048bdce57d947ebae8b0d093fb778288a7fb17cac4e
Instruction Fuzzy Hash: 73117026A28A5786FB609F15EA466692B51AF48F9AF450135C8CD83BA0DE3CE545C340

Function 00007FF6C917CA54 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF6C917CA80
GetCurrentThreadId.KERNEL32 ref: 00007FF6C917CA8E
GetCurrentProcessId.KERNEL32 ref: 00007FF6C917CA9A
QueryPerformanceCounter.KERNEL32 ref: 00007FF6C917CAAA

Memory Dump Source

Source File: 0000000C.00000002.17526890125.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 0000000C.00000002.17526859417.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527361484.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527452354.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527483626.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527510779.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527539821.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527539821.00007FF6C92F6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527607752.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527653925.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527684051.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6c9020000_setup.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 3133d9487d0477d4e1ccef10edea34fdc8a106d0f9a2bfd49347af14973d681d
Instruction ID: dee25f7acb87df73a7205f725f8190650a1a22af90f59da3c73d7ef3d9f372dd
Opcode Fuzzy Hash: 3133d9487d0477d4e1ccef10edea34fdc8a106d0f9a2bfd49347af14973d681d
Instruction Fuzzy Hash: F4111C22B25B418AFB00CF60E9552A937A4FB1975AF440E31DAAD86BA4DF7CD554C380

Function 00007FF6C91A94C8 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 167COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6C91A46E4: GetLastError.KERNEL32 ref: 00007FF6C91A46F3
Part of subcall function 00007FF6C91A46E4: FlsGetValue.KERNEL32 ref: 00007FF6C91A4708
Part of subcall function 00007FF6C91A46E4: SetLastError.KERNEL32 ref: 00007FF6C91A4793

GetACP.KERNEL32(?,?,?,00000000,00000092,00007FF6C918F280), ref: 00007FF6C91A95B4
IsValidCodePage.KERNEL32(?,?,?,00000000,00000092,00007FF6C918F280), ref: 00007FF6C91A95EC

Strings

utf8, xrefs: 00007FF6C91A96D0

Memory Dump Source

Source File: 0000000C.00000002.17526890125.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 0000000C.00000002.17526859417.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527361484.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527452354.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527483626.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527510779.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527539821.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527539821.00007FF6C92F6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527607752.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527653925.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527684051.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6c9020000_setup.jbxd

Similarity

API ID: ErrorLast$CodePageValidValue
String ID: utf8
API String ID: 1184045147-905460609
Opcode ID: a098707e0e397dbba8808c8e8636d6b2b0134b7177fc512126497e28f255d04b
Instruction ID: c16cd17fe9e97481ce367a9c743de3a0f2512b2a692d09cafa3d3a442bc99207
Opcode Fuzzy Hash: a098707e0e397dbba8808c8e8636d6b2b0134b7177fc512126497e28f255d04b
Instruction Fuzzy Hash: 56618D36A0874281FB24AF6199122B92AA4AF44F82F444031DE8DC7FD5EF7CED89C710

Function 00007FF6C919A6AC Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 00007FF6C919A7C3
GetLastError.KERNEL32 ref: 00007FF6C919A7E5

Strings

U, xrefs: 00007FF6C919A76F

Memory Dump Source

Source File: 0000000C.00000002.17526890125.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 0000000C.00000002.17526859417.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527361484.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527452354.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527483626.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527510779.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527539821.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527539821.00007FF6C92F6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527607752.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527653925.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527684051.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6c9020000_setup.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: a8a422de85bc080689bc33c2ae296ae64a68efb0952aaa768e0d0158310de667
Instruction ID: 908bcf3fded9d0e8faa8465431f74dfbceb6630113cce7ba673d9ce51035ef01
Opcode Fuzzy Hash: a8a422de85bc080689bc33c2ae296ae64a68efb0952aaa768e0d0158310de667
Instruction Fuzzy Hash: 2841C522728A8185EB109F25E4463B97BA1FB98B85F514031EECDC7B98EF3DD405C740

Function 00007FF6C917CBDC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6C917B64F), ref: 00007FF6C917CC2C
RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6C917B64F), ref: 00007FF6C917CC6D

Strings

csm, xrefs: 00007FF6C917CC5A

Memory Dump Source

Source File: 0000000C.00000002.17526890125.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 0000000C.00000002.17526859417.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527361484.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527452354.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527483626.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527510779.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527539821.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527539821.00007FF6C92F6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527607752.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527653925.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527684051.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6c9020000_setup.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 6069ad5b81e3bc1f2d8a70c0aad8b9ed6a44de4b6d1ca3e4fb3a3b470db0722c
Instruction ID: acf116d5936066f9c5bc4d1ac57575fb0b3d47943844f268883a37b1bfeeee74
Opcode Fuzzy Hash: 6069ad5b81e3bc1f2d8a70c0aad8b9ed6a44de4b6d1ca3e4fb3a3b470db0722c
Instruction Fuzzy Hash: A9116D72618B8182EB248F15F540269BBE4FB88B95F598230DECC47B68DF3CC951CB00

Function 00007FF6C9056350 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNEL32(?,?,?,00007FF6C9056818,?,?,?,00007FF6C91B6EED,?,?,?,?,?,?,00000001), ref: 00007FF6C905636E
WaitForSingleObject.KERNEL32(?,?,?,00007FF6C9056818,?,?,?,00007FF6C91B6EED,?,?,?,?,?,?,00000001), ref: 00007FF6C9056385

Strings

{A946A6A9-917E-4949-B9BC-6BADA8C7FD63}, xrefs: 00007FF6C9056363

Memory Dump Source

Source File: 0000000C.00000002.17526890125.00007FF6C9021000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C9020000, based on PE: true

Associated: 0000000C.00000002.17526859417.00007FF6C9020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527361484.00007FF6C9285000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527452354.00007FF6C92E2000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527483626.00007FF6C92E3000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527510779.00007FF6C92E4000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527539821.00007FF6C92F1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527539821.00007FF6C92F6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527607752.00007FF6C92FF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527653925.00007FF6C9319000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.17527684051.00007FF6C931B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff6c9020000_setup.jbxd

Similarity

API ID: CreateMutexObjectSingleWait
String ID: {A946A6A9-917E-4949-B9BC-6BADA8C7FD63}
API String ID: 3113225513-1352562265
Opcode ID: 1e3acc4879c1dcc9391b7b265de8a9a87ffdb80975c288b4ae9e2d009255d884
Instruction ID: dd609383003b474679814c064d18abde2318e35cb1b48e03c8812aad7e6597b6
Opcode Fuzzy Hash: 1e3acc4879c1dcc9391b7b265de8a9a87ffdb80975c288b4ae9e2d009255d884
Instruction Fuzzy Hash: D7E04822B1979181FB599F7AB94437526909F48B05F59C078D5CD87750DF3CD486C350

Analysis Process: MSIBD59.tmpPID: 9164, Parent PID: 2436COMMON

Execution Graph

Execution Coverage:	3.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	11.7%
Total number of Nodes:	1059
Total number of Limit Nodes:	23

Executed Functions

Function 00986FE0 Relevance: 44.3, APIs: 24, Strings: 1, Instructions: 559
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00986050: GetCurrentProcess.KERNEL32(00000008,?,0615A9B3), ref: 00986060
Part of subcall function 00986050: OpenProcessToken.ADVAPI32(00000000), ref: 00986067

CoInitialize.OLE32(00000000), ref: 00987052
CoCreateInstance.OLE32(009CFD30,00000000,00000004,009DA530,00000000,?), ref: 00987082
CoUninitialize.COMBASE ref: 00987689

Part of subcall function 009818E0: LocalFree.KERNEL32(?,0615A9B3,?,00000000,009CB020,000000FF,?,?,009E0558,?,?,009816A4,80004005), ref: 0098192C

Strings

$, xrefs: 00987593

Memory Dump Source

Source File: 00000014.00000002.17563678551.0000000000981000.00000020.00000001.01000000.00000010.sdmp, Offset: 00980000, based on PE: true

Associated: 00000014.00000002.17563642493.0000000000980000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.17563763650.00000000009CF000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.17563821675.00000000009E2000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.17563861708.00000000009E7000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_980000_MSIBD59.jbxd

Similarity

API ID: Process$CreateCurrentFreeInitializeInstanceLocalOpenTokenUninitialize
String ID: $
API String ID: 3404539012-3993045852
Opcode ID: 7d9b7076b006e079ec255750024a43363da1221141e364d1fe63d05ead2062b0
Instruction ID: 4bdebb4d9dfaaca2b447276ca75e45e343f0955e60b6a3533637d5fe4c332a41
Opcode Fuzzy Hash: 7d9b7076b006e079ec255750024a43363da1221141e364d1fe63d05ead2062b0
Instruction Fuzzy Hash: 2D32CD70E08248DFDF11DFA8C818BADBBB9AF49304F248199E405EB391DB749E45DB51

Function 009866A0 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 257
librarynativeloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00986150: GetSystemDirectoryW.KERNEL32(?,00000105), ref: 009861B5
Part of subcall function 00986150: LoadLibraryExW.KERNEL32(?,00000000,00000000,?,?,000000FF,009CB8CD,000000FF), ref: 0098620F
Part of subcall function 00986150: GetLastError.KERNEL32(?,?,?,000000FF,009CB8CD,000000FF), ref: 0098626B

GetProcAddress.KERNEL32(?,NtQueryInformationProcess), ref: 00986726
NtQueryInformationProcess.NTDLL ref: 00986751
ReadProcessMemory.KERNELBASE(?,?,?,000001D8,00000000), ref: 00986794
ReadProcessMemory.KERNELBASE(?,?,?,00000048,00000000), ref: 009867FB
GetLastError.KERNEL32 ref: 009869AC
FreeLibrary.KERNEL32(?), ref: 00986A05

Strings

NtQueryInformationProcess, xrefs: 00986720

Memory Dump Source

Source File: 00000014.00000002.17563678551.0000000000981000.00000020.00000001.01000000.00000010.sdmp, Offset: 00980000, based on PE: true

Associated: 00000014.00000002.17563642493.0000000000980000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.17563763650.00000000009CF000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.17563821675.00000000009E2000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.17563861708.00000000009E7000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_980000_MSIBD59.jbxd

Similarity

API ID: Process$ErrorLastLibraryMemoryRead$AddressDirectoryFreeInformationLoadProcQuerySystem
String ID: NtQueryInformationProcess
API String ID: 862929643-2781105232
Opcode ID: d1e6be108a7f3de8f35363085186822676306a16013ce1652d2a027e9e839ae4
Instruction ID: b69782cc60f41532122da68ede28de5f326d072e36a5d83bfa373527dbf86c6f
Opcode Fuzzy Hash: d1e6be108a7f3de8f35363085186822676306a16013ce1652d2a027e9e839ae4
Instruction Fuzzy Hash: EAB17070D14749DBDB20DF64C8497AEBBF4EF48308F20465DD449AB290D7B9AAC8CB91

Function 009862B0 Relevance: 10.7, APIs: 7, Instructions: 232
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,0615A9B3), ref: 00986322
CloseHandle.KERNEL32(00000000), ref: 00986363
Process32FirstW.KERNEL32(?,0000022C), ref: 009863A5
OpenProcess.KERNEL32(00000410,00000000,?), ref: 009863C0
CloseHandle.KERNELBASE(?), ref: 00986517
Process32NextW.KERNEL32(?,0000022C), ref: 00986534
CloseHandle.KERNEL32(?), ref: 00986565

Memory Dump Source

Source File: 00000014.00000002.17563678551.0000000000981000.00000020.00000001.01000000.00000010.sdmp, Offset: 00980000, based on PE: true

Associated: 00000014.00000002.17563642493.0000000000980000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.17563763650.00000000009CF000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.17563821675.00000000009E2000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.17563861708.00000000009E7000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_980000_MSIBD59.jbxd

Similarity

API ID: CloseHandle$Process32$CreateFirstNextOpenProcessSnapshotToolhelp32
String ID:
API String ID: 708755948-0
Opcode ID: 440f2d1ac22ad23252c7a3a0f49ecc8e7ac5085efec756f2dbd09a3760c56727
Instruction ID: 97ae76e23375b180cf7662d2369b0ef2e63b74df5f4011b5ea5cf5b44a8d86d9
Opcode Fuzzy Hash: 440f2d1ac22ad23252c7a3a0f49ecc8e7ac5085efec756f2dbd09a3760c56727
Instruction Fuzzy Hash: 2DA14A71905258DFDB20DF68CC48B9EBBB9EB44314F1082DAE409A7391DB75AE84CF50

Function 0098CCB0 Relevance: 6.6, APIs: 3, Strings: 1, Instructions: 582
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LocalFree.KERNEL32(?,?,?,009DA8D9,00000000,009DA8D9), ref: 0098D011
LocalFree.KERNEL32(?,00000010,00000000,0615A9B3,009DA8D9), ref: 0098D1E6

Strings

bad locale name, xrefs: 0098CF49

Memory Dump Source

Source File: 00000014.00000002.17563678551.0000000000981000.00000020.00000001.01000000.00000010.sdmp, Offset: 00980000, based on PE: true

Associated: 00000014.00000002.17563642493.0000000000980000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.17563763650.00000000009CF000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.17563821675.00000000009E2000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.17563861708.00000000009E7000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_980000_MSIBD59.jbxd

Similarity

API ID: FreeLocal
String ID: bad locale name
API String ID: 2826327444-1405518554
Opcode ID: 22a78c4b136e07ced0bda817f14f243bd4d6d848e4efe7fb52410f43125019de
Instruction ID: 44a238b6cfbd8029a11996c5afd9284270b85237cdebdc272dfd52e97f0d1a7c
Opcode Fuzzy Hash: 22a78c4b136e07ced0bda817f14f243bd4d6d848e4efe7fb52410f43125019de
Instruction Fuzzy Hash: 8E22ADB1D05249DFDF10EFA8D844BAEBBB9EF48304F144169E855AB381E735AE04CB91

Function 009BF02D Relevance: 6.1, APIs: 4, Instructions: 83
memorylibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(009E6000,00000080,00000004,00000000,?,?,009BF188,0000001A,AppPolicyGetProcessTerminationMethod,009D4848,AppPolicyGetProcessTerminationMethod,?,?,009C167E,00000000), ref: 009BF096
VirtualProtect.KERNELBASE(009E6000,00000080,00000002,00000000,?,?,009BF188,0000001A,AppPolicyGetProcessTerminationMethod,009D4848,AppPolicyGetProcessTerminationMethod,?,?,009C167E,00000000), ref: 009BF0BE
FreeLibrary.KERNEL32(00000000,?,?,?,?,009BF188,0000001A,AppPolicyGetProcessTerminationMethod,009D4848,AppPolicyGetProcessTerminationMethod,?,?,009C167E,00000000), ref: 009BF0E0
GetProcAddress.KERNEL32(00000000,?), ref: 009BF0EA

Memory Dump Source

Source File: 00000014.00000002.17563678551.0000000000981000.00000020.00000001.01000000.00000010.sdmp, Offset: 00980000, based on PE: true

Associated: 00000014.00000002.17563642493.0000000000980000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.17563763650.00000000009CF000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.17563821675.00000000009E2000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.17563861708.00000000009E7000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_980000_MSIBD59.jbxd

Similarity

API ID: ProtectVirtual$AddressFreeLibraryProc
String ID:
API String ID: 3998452802-0
Opcode ID: d91e99748cf1734d6109b5c0e3bbc8f12870e742cb5b38b552215e77b5f01314
Instruction ID: 2bbaeeba6362b2e31c9d3b15b0a76d3b71608a6745e804732a63df7c89408146
Opcode Fuzzy Hash: d91e99748cf1734d6109b5c0e3bbc8f12870e742cb5b38b552215e77b5f01314
Instruction Fuzzy Hash: 7B210732A08225ABDB226B69DD91FDA379CEF45770B244236FA11E71A1DE70DD009790

Function 00986050 Relevance: 6.0, APIs: 4, Instructions: 35
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(00000008,?,0615A9B3), ref: 00986060
OpenProcessToken.ADVAPI32(00000000), ref: 00986067
GetTokenInformation.KERNELBASE(?,00000014(TokenIntegrityLevel),?,00000004,?), ref: 0098609C
CloseHandle.KERNEL32(?), ref: 009860B2

Memory Dump Source

Source File: 00000014.00000002.17563678551.0000000000981000.00000020.00000001.01000000.00000010.sdmp, Offset: 00980000, based on PE: true

Associated: 00000014.00000002.17563642493.0000000000980000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.17563763650.00000000009CF000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.17563821675.00000000009E2000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.17563861708.00000000009E7000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_980000_MSIBD59.jbxd

Similarity

API ID: ProcessToken$CloseCurrentHandleInformationOpen
String ID:
API String ID: 215268677-0
Opcode ID: da3f764f6c2702ee000ef35d91dacce1c5c2fa38441860c5bfe607c4f70dd808
Instruction ID: 8b217059690f7e0e60e44a94f97180723a6b31698b96b139caab978a4320b718
Opcode Fuzzy Hash: da3f764f6c2702ee000ef35d91dacce1c5c2fa38441860c5bfe607c4f70dd808
Instruction Fuzzy Hash: 0AF06274548301ABEB10DF20EC45FAA7BE8BB44B00F408829F984C1261D379851CEB63

Function 00991EE0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 132
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCommandLineW.KERNEL32(0615A9B3,?,0000FFFF), ref: 00991F0D

Part of subcall function 00984F50: LocalAlloc.KERNEL32(00000040,?,?,?,?,?,00000000,00000000,?,?), ref: 00984F6C

ExitProcess.KERNEL32 ref: 009920E7

Part of subcall function 009889D0: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,?,00000000), ref: 00988A4D

Strings

Full command line:, xrefs: 00991F3E

Memory Dump Source

Source File: 00000014.00000002.17563678551.0000000000981000.00000020.00000001.01000000.00000010.sdmp, Offset: 00980000, based on PE: true

Associated: 00000014.00000002.17563642493.0000000000980000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.17563763650.00000000009CF000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.17563821675.00000000009E2000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.17563861708.00000000009E7000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_980000_MSIBD59.jbxd

Similarity

API ID: AllocCommandCreateExitFileLineLocalProcess
String ID: Full command line:
API String ID: 1878577176-831861440
Opcode ID: 0247c25dd9083b3b1109820286bc759a90dde7cfee06cbcb945098acfa8d90e3
Instruction ID: c2148c87e30f6dd1c5f2d3547fc8c150ae00e4a1e520777c2331cd6beeaa73ba
Opcode Fuzzy Hash: 0247c25dd9083b3b1109820286bc759a90dde7cfee06cbcb945098acfa8d90e3
Instruction Fuzzy Hash: AC518331C141689ACF25FB64CC59BEEB7B5AF91340F1441D8E00A672A2EF745F48CBA1

Function 00988210 Relevance: 4.6, APIs: 3, Instructions: 85
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTokenInformation.KERNELBASE(?,00000001(TokenIntegrityLevel),00000000,00000000,009881E8,0615A9B3), ref: 00988284
GetLastError.KERNEL32(?,TokenIntegrityLevel,00000000,00000000,009881E8,0615A9B3), ref: 0098828E
GetTokenInformation.KERNELBASE(?,00000001(TokenIntegrityLevel),?,00000000,00000000,?,TokenIntegrityLevel,00000000,00000000,009881E8,0615A9B3), ref: 009882EA

Memory Dump Source

Source File: 00000014.00000002.17563678551.0000000000981000.00000020.00000001.01000000.00000010.sdmp, Offset: 00980000, based on PE: true

Associated: 00000014.00000002.17563642493.0000000000980000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.17563763650.00000000009CF000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.17563821675.00000000009E2000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.17563861708.00000000009E7000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_980000_MSIBD59.jbxd

Similarity

API ID: InformationToken$ErrorLast
String ID:
API String ID: 2567405617-0
Opcode ID: 8a0df1be2c2a94e6aaeea35fd420de3bee47e440e4232fd745dec4eaa8287fa9
Instruction ID: fa14bf59a18491225b96f228b7c2bee51ed32ff2a17ede59b62084ece168fc51
Opcode Fuzzy Hash: 8a0df1be2c2a94e6aaeea35fd420de3bee47e440e4232fd745dec4eaa8287fa9
Instruction Fuzzy Hash: 42319E71A00609AFDB20DF99CC85BAFBBF9FB84710F50452DE425A7380DBB569048BA0

Function 009BD330 Relevance: 1.5, APIs: 1, Instructions: 33
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000000,?,?,?,009BCD65,?,00000000,?,009AE0E9,?,?,?,?,?,?,0098163C), ref: 009BD365

Memory Dump Source

Source File: 00000014.00000002.17563678551.0000000000981000.00000020.00000001.01000000.00000010.sdmp, Offset: 00980000, based on PE: true

Associated: 00000014.00000002.17563642493.0000000000980000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.17563763650.00000000009CF000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.17563821675.00000000009E2000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.17563861708.00000000009E7000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_980000_MSIBD59.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: a381e0cb726202e5aa5f75d15bbf5e7b650d59f6436e1c62d858093425675b91
Instruction ID: 0c852e9ba6b236eb7363a4029877376cce9f33832a730c8c20c83a6215e16421
Opcode Fuzzy Hash: a381e0cb726202e5aa5f75d15bbf5e7b650d59f6436e1c62d858093425675b91
Instruction Fuzzy Hash: 2BF06576A16A26A6DE202B769D55FD736CC9B827B8B050530E855E6192FE24CC0092E3

Function 009BF530 Relevance: 1.5, APIs: 1, Instructions: 14
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(009E6000,00000080,00000002,?), ref: 009BF546

Memory Dump Source

Source File: 00000014.00000002.17563678551.0000000000981000.00000020.00000001.01000000.00000010.sdmp, Offset: 00980000, based on PE: true

Associated: 00000014.00000002.17563642493.0000000000980000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.17563763650.00000000009CF000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.17563821675.00000000009E2000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.17563861708.00000000009E7000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_980000_MSIBD59.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 51467f8e8bed7324db04125beaf136109f71450b5fcfa98f19431e88ae428107
Instruction ID: 93d50f59f3a640c7aa7e17f576a8572e7f2c064df7381b066f7d5e27bdb160c1
Opcode Fuzzy Hash: 51467f8e8bed7324db04125beaf136109f71450b5fcfa98f19431e88ae428107
Instruction Fuzzy Hash: D2C08C31348308FBE75047A38C0BF4B369EE780F95F048124B602E60C0D9A0EE045220

Function 0098CF60 Relevance: 1.3, APIs: 1, Instructions: 75
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LocalFree.KERNEL32(?,?,?,009DA8D9,00000000,009DA8D9), ref: 0098D011
LocalFree.KERNEL32(?,00000010,00000000,0615A9B3,009DA8D9), ref: 0098D1E6

Memory Dump Source

Source File: 00000014.00000002.17563678551.0000000000981000.00000020.00000001.01000000.00000010.sdmp, Offset: 00980000, based on PE: true

Associated: 00000014.00000002.17563642493.0000000000980000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.17563763650.00000000009CF000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.17563821675.00000000009E2000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.17563861708.00000000009E7000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_980000_MSIBD59.jbxd

Similarity

API ID: FreeLocal
String ID:
API String ID: 2826327444-0
Opcode ID: ae52c3dfa3cb9d82bc740f5c7523a29be96cb3f869484f68d015b431da71920f
Instruction ID: c0aa70abf8df93d3762292276e1858fcf55c61f54451529def632cb40d648e2a
Opcode Fuzzy Hash: ae52c3dfa3cb9d82bc740f5c7523a29be96cb3f869484f68d015b431da71920f
Instruction Fuzzy Hash: AE21B7B1D042489FDB14EF68C845BAEF7B9EB48714F10822DE811A73C1DB745944CB91

Function 00988700 Relevance: 1.3, APIs: 1, Instructions: 4
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LocalAlloc.KERNELBASE(00000040,00000000,009AA1C5,00000000,0615A9B3,?,00000000,?,FFFFFFFF,?,009CEB28,000000FF,?,009817A4,?,009CFDDA), ref: 00988706

Memory Dump Source

Source File: 00000014.00000002.17563678551.0000000000981000.00000020.00000001.01000000.00000010.sdmp, Offset: 00980000, based on PE: true

Associated: 00000014.00000002.17563642493.0000000000980000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.17563763650.00000000009CF000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.17563821675.00000000009E2000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.17563861708.00000000009E7000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_980000_MSIBD59.jbxd

Similarity

API ID: AllocLocal
String ID:
API String ID: 3494564517-0
Opcode ID: ea124fb8d0b68ff09950d9511d5c84cb7cf6f168d11cbe2168b98dde737af16c
Instruction ID: 9f99e27f47ac34ad89e5c8ee228d5215b4fe36cff7ed2ea32f6c168331c8f6fe
Opcode Fuzzy Hash: ea124fb8d0b68ff09950d9511d5c84cb7cf6f168d11cbe2168b98dde737af16c
Instruction Fuzzy Hash: FFA0027596C600EFDE415B90DE1AF097AA2BB88B05F144454F349550A086754419FB16

Non-executed Functions

Function 00987800 Relevance: 42.4, APIs: 16, Strings: 8, Instructions: 417libraryloadersleepCOMMON

Download Yara Rule

APIs

GetWindowsDirectoryW.KERNEL32(00000010,00000104,?,?,?), ref: 009879D8
GetForegroundWindow.USER32(?,?,?), ref: 00987A5D
ShellExecuteExW.SHELL32(?), ref: 00987A7A
ShellExecuteExW.SHELL32(?), ref: 00987AB8
GetModuleHandleW.KERNEL32(Kernel32.dll,GetProcessId,?,?,?,?), ref: 00987B01
GetProcAddress.KERNEL32(00000000), ref: 00987B08
AllowSetForegroundWindow.USER32(00000000), ref: 00987B1E
GetModuleHandleW.KERNEL32(Kernel32.dll,GetProcessId,?,?,?,?), ref: 00987B42
GetProcAddress.KERNEL32(00000000), ref: 00987B49
Sleep.KERNEL32(00000064,?,?,?,?), ref: 00987B6E
EnumWindows.USER32(00987CA0,?), ref: 00987B8A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00004003,?,?,?,?), ref: 00987BA8
WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?), ref: 00987BC5
GetExitCodeProcess.KERNEL32(?,?), ref: 00987BD2
GetWindowThreadProcessId.USER32(?,?), ref: 00987CAC
GetWindowLongW.USER32(?,000000F0), ref: 00987CC4

Strings

/C ""%s" %s", xrefs: 009879FD
%s\System32\cmd.exe, xrefs: 009879E5
open, xrefs: 00987A11
runas, xrefs: 00987A2D
GetProcessId, xrefs: 00987AF7, 00987B38
Kernel32.dll, xrefs: 00987AFC, 00987B3D
.cmd, xrefs: 00987996
.bat, xrefs: 00987960

Memory Dump Source

Source File: 00000014.00000002.17563678551.0000000000981000.00000020.00000001.01000000.00000010.sdmp, Offset: 00980000, based on PE: true

Associated: 00000014.00000002.17563642493.0000000000980000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.17563763650.00000000009CF000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.17563821675.00000000009E2000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.17563861708.00000000009E7000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_980000_MSIBD59.jbxd

Similarity

API ID: Window$AddressExecuteForegroundHandleModuleProcProcessShellWindows$AllowCodeDirectoryEnumExitLongObjectSingleSleepThreadWait
String ID: %s\System32\cmd.exe$.bat$.cmd$/C ""%s" %s"$GetProcessId$Kernel32.dll$open$runas
API String ID: 3646750338-986041216
Opcode ID: 5c8efc849f6e2c787621904178b152375caf65343c23516bc1cc175e61b49e61
Instruction ID: bffb35609caa5326fa87b0cd3b1dda362cd8429009d89f0bdcb6928e38f404cf
Opcode Fuzzy Hash: 5c8efc849f6e2c787621904178b152375caf65343c23516bc1cc175e61b49e61
Instruction Fuzzy Hash: 25F19F71A042099FDB10EFA8C898AADFBB9FF58314F244169E515E7391DB35DE01CB60

Function 009C4ED5 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,009C51ED,00000002,00000000,?,?,?,009C51ED,?,00000000), ref: 009C4F6E
GetLocaleInfoW.KERNEL32(?,20001004,009C51ED,00000002,00000000,?,?,?,009C51ED,?,00000000), ref: 009C4F97
GetACP.KERNEL32(?,?,009C51ED,?,00000000), ref: 009C4FAC

Strings

OCP, xrefs: 009C4F29
ACP, xrefs: 009C4EF3

Memory Dump Source

Source File: 00000014.00000002.17563678551.0000000000981000.00000020.00000001.01000000.00000010.sdmp, Offset: 00980000, based on PE: true

Associated: 00000014.00000002.17563642493.0000000000980000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.17563763650.00000000009CF000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.17563821675.00000000009E2000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.17563861708.00000000009E7000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_980000_MSIBD59.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 2940ad34b9dc823918e3b3438abd46be5412d7a2f00b38bcdb705de58e81e160
Instruction ID: 7a99c69cd4f59350041b619b4908d417a4730be42ae4fd2bee989bfae4f01034
Opcode Fuzzy Hash: 2940ad34b9dc823918e3b3438abd46be5412d7a2f00b38bcdb705de58e81e160
Instruction Fuzzy Hash: 4D217F32F04101ABEB348B54DA25F9BB6AEAB54B61B5B842CE90ADB105E732DD40D352

Function 009C50B7 Relevance: 7.7, APIs: 5, Instructions: 182COMMON

Download Yara Rule

APIs

GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 009C51BF
IsValidCodePage.KERNEL32(00000000), ref: 009C51FD
IsValidLocale.KERNEL32(?,00000001), ref: 009C5210
GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 009C5258
GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 009C5273

Memory Dump Source

Source File: 00000014.00000002.17563678551.0000000000981000.00000020.00000001.01000000.00000010.sdmp, Offset: 00980000, based on PE: true

Associated: 00000014.00000002.17563642493.0000000000980000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.17563763650.00000000009CF000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.17563821675.00000000009E2000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.17563861708.00000000009E7000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_980000_MSIBD59.jbxd

Similarity

API ID: Locale$InfoValid$CodeDefaultPageUser
String ID:
API String ID: 3475089800-0
Opcode ID: 90779e2c0895d4e072ec1006dcbee256b290f8d37d2ed708ac4b43bf02373a0d
Instruction ID: d181d6aaae0f5eb834d625d3c907f1e0ae06252d8deef1362c25d080c5772d5f
Opcode Fuzzy Hash: 90779e2c0895d4e072ec1006dcbee256b290f8d37d2ed708ac4b43bf02373a0d
Instruction Fuzzy Hash: ED516C71E04609ABEB10DFA4CC85FAA77BDAF48700F5A442DE515E7191E770EA80CB62

Function 009C4714 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 271COMMON

Download Yara Rule

APIs

GetACP.KERNEL32(?,?,?,?,?,?,009BBB76,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 009C47DD
IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,009BBB76,?,?,?,00000055,?,-00000050,?,?), ref: 009C4814
GetLocaleInfoW.KERNEL32(00000000,00001002,?,00000078,-00000050,00000000,000000D0), ref: 009C4980

Strings

utf8, xrefs: 009C48E6

Memory Dump Source

Source File: 00000014.00000002.17563678551.0000000000981000.00000020.00000001.01000000.00000010.sdmp, Offset: 00980000, based on PE: true

Associated: 00000014.00000002.17563642493.0000000000980000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.17563763650.00000000009CF000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.17563821675.00000000009E2000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.17563861708.00000000009E7000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_980000_MSIBD59.jbxd

Similarity

API ID: CodeInfoLocalePageValid
String ID: utf8
API String ID: 790303815-905460609
Opcode ID: 38c7c30d64ef5a20910215aebb61ecdaf09dd4d07d80e2cdf0f1a828a008b180
Instruction ID: 46abbe5cd2f6d48396038eb9fb11b028a71cf61f9c663c6ab691c3f00aef477c
Opcode Fuzzy Hash: 38c7c30d64ef5a20910215aebb61ecdaf09dd4d07d80e2cdf0f1a828a008b180
Instruction Fuzzy Hash: AE71C271F04215AAEB24AB748DA2FAB73ACEF89710F14442DE905DB185FB74D9408792

Function 0098D400 Relevance: 6.5, APIs: 2, Strings: 2, Instructions: 483COMMON

Download Yara Rule

APIs

LocalFree.KERNEL32(00000000,?,?,?,?,?,00000000,00000000,?), ref: 0098D61D
LocalFree.KERNEL32(00000000,?,?,?,?,?,00000000,00000000,?), ref: 0098D87D

Strings

%, xrefs: 0098D8E1
+, xrefs: 0098D8F0

Memory Dump Source

Source File: 00000014.00000002.17563678551.0000000000981000.00000020.00000001.01000000.00000010.sdmp, Offset: 00980000, based on PE: true

Associated: 00000014.00000002.17563642493.0000000000980000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.17563763650.00000000009CF000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.17563821675.00000000009E2000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.17563861708.00000000009E7000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_980000_MSIBD59.jbxd

Similarity

API ID: FreeLocal
String ID: %$+
API String ID: 2826327444-2626897407
Opcode ID: 1462c64a607f03daa12bd6d1eb5289876d7896f7643464ce3d93abceba25ccbe
Instruction ID: ad9cada35c158ccfbbbc3ecdf28d7d699935940b69fcb2882995bc2599e5b393
Opcode Fuzzy Hash: 1462c64a607f03daa12bd6d1eb5289876d7896f7643464ce3d93abceba25ccbe
Instruction Fuzzy Hash: 3E02CE71D112199FDF19EFA8D850BAEBBB5FF89300F144229F811AB381D738A945CB91

Function 009AA1F1 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 009AA1FD
IsDebuggerPresent.KERNEL32 ref: 009AA2C9
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 009AA2E2
UnhandledExceptionFilter.KERNEL32(?), ref: 009AA2EC

Memory Dump Source

Source File: 00000014.00000002.17563678551.0000000000981000.00000020.00000001.01000000.00000010.sdmp, Offset: 00980000, based on PE: true

Associated: 00000014.00000002.17563642493.0000000000980000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.17563763650.00000000009CF000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.17563821675.00000000009E2000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.17563861708.00000000009E7000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_980000_MSIBD59.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 428d4062ee243484bb76873f9be26ca87d6ca40d9f16b9444b07b8dfc80d484d
Instruction ID: 60f2809e2d9753df45927d9ea5a2700774f09f3ff251ca6973d339697f706ff6
Opcode Fuzzy Hash: 428d4062ee243484bb76873f9be26ca87d6ca40d9f16b9444b07b8dfc80d484d
Instruction Fuzzy Hash: 7331F5B5D052189BDF21DFA5D949BCDBBB8AF48300F1041EAE40CAB250EB719B84DF85

Function 009A985D Relevance: 6.0, APIs: 4, Instructions: 12COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,009A997D,009D183C), ref: 009A9862
UnhandledExceptionFilter.KERNEL32(009A997D,?,009A997D,009D183C), ref: 009A986B
GetCurrentProcess.KERNEL32(C0000409,?,009A997D,009D183C), ref: 009A9876
TerminateProcess.KERNEL32(00000000,?,009A997D,009D183C), ref: 009A987D

Memory Dump Source

Source File: 00000014.00000002.17563678551.0000000000981000.00000020.00000001.01000000.00000010.sdmp, Offset: 00980000, based on PE: true

Associated: 00000014.00000002.17563642493.0000000000980000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.17563763650.00000000009CF000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.17563821675.00000000009E2000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.17563861708.00000000009E7000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_980000_MSIBD59.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentTerminate
String ID:
API String ID: 3231755760-0
Opcode ID: c0c145571f6f0e6176194f13e2b1f1e979a4c11bf4784ec5c76391ebfac7f87f
Instruction ID: 2efe49d72beeb9ca9d4663cc0ecf0b43d3989f794c9211efa379aba41fd4d1d1
Opcode Fuzzy Hash: c0c145571f6f0e6176194f13e2b1f1e979a4c11bf4784ec5c76391ebfac7f87f
Instruction Fuzzy Hash: 87D0123781C104EBDB002BE0EC1CE187F2AFB09702F444020F319C1021CB314400AB61

Function 009926C1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 32windowCOMMON

Download Yara Rule

APIs

GetLocaleInfoEx.KERNEL32(!x-sys-default-locale,20000001,00000000,00000002,?,?,009832C0,?), ref: 009926D5
FormatMessageA.KERNEL32(00001300,00000000,0615A9B3,00000000,00000000,00000000,00000000,?,?,?,009832C0,?), ref: 009926FC

Strings

!x-sys-default-locale, xrefs: 009926D0

Memory Dump Source

Source File: 00000014.00000002.17563678551.0000000000981000.00000020.00000001.01000000.00000010.sdmp, Offset: 00980000, based on PE: true

Associated: 00000014.00000002.17563642493.0000000000980000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.17563763650.00000000009CF000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.17563821675.00000000009E2000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.17563861708.00000000009E7000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_980000_MSIBD59.jbxd

Similarity

API ID: FormatInfoLocaleMessage
String ID: !x-sys-default-locale
API String ID: 4235545615-2729719199
Opcode ID: 9c44219eed4cf8adb3e5c2e0d3a926bfe8e7b739960ef514b84feee56a8b6245
Instruction ID: ce1e13131990f3bf97c55a398d77c2bc5e0e207801052fb7f8d10b1c4a26ddad
Opcode Fuzzy Hash: 9c44219eed4cf8adb3e5c2e0d3a926bfe8e7b739960ef514b84feee56a8b6245
Instruction Fuzzy Hash: 28F03075514214FFFF049B98DC0ADAE77ADEB49354F004026B902DA550E6B0AE0097A0

Function 00981D80 Relevance: 4.6, APIs: 3, Instructions: 65COMMON

Download Yara Rule

APIs

LoadResource.KERNEL32(00000000,00000000,0615A9B3,00000001,00000000,?,00000000,009CB0C0,000000FF,?,00981D2C,?,?,?,00000000,?), ref: 00981DAB
LockResource.KERNEL32(00000000,?,00981D2C,?,?,?,00000000,?,-00000010,009CB0A0,000000FF,?,00982048,?,00000000,009CB0ED), ref: 00981DB6
SizeofResource.KERNEL32(00000000,00000000,?,00981D2C,?,?,?,00000000,?,-00000010,009CB0A0,000000FF,?,00982048,?,00000000), ref: 00981DC4

Memory Dump Source

Source File: 00000014.00000002.17563678551.0000000000981000.00000020.00000001.01000000.00000010.sdmp, Offset: 00980000, based on PE: true

Associated: 00000014.00000002.17563642493.0000000000980000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.17563763650.00000000009CF000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.17563821675.00000000009E2000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.17563861708.00000000009E7000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_980000_MSIBD59.jbxd

Similarity

API ID: Resource$LoadLockSizeof
String ID:
API String ID: 2853612939-0
Opcode ID: d63c6cb9912b2e633145ae971384a54862e35fd667a8ae9c8b8e65cf9e8b1cb4
Instruction ID: 0dd1363b2a57029f020f929d44235bd3617b4f898203a863a34150d2607c1732
Opcode Fuzzy Hash: d63c6cb9912b2e633145ae971384a54862e35fd667a8ae9c8b8e65cf9e8b1cb4
Instruction Fuzzy Hash: E4119132E046559BC724AF69DC85B66B7ACFB85B25F014A3AEC5AD3350E635AC008790

Function 009C1860 Relevance: 1.6, APIs: 1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.17563678551.0000000000981000.00000020.00000001.01000000.00000010.sdmp, Offset: 00980000, based on PE: true

Associated: 00000014.00000002.17563642493.0000000000980000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.17563763650.00000000009CF000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.17563821675.00000000009E2000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.17563861708.00000000009E7000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_980000_MSIBD59.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9a53be220a8fe0e5422a91615324d7fd4a3c84e55ff59fc4d00f01b80b35bc8
Instruction ID: 8504b6eb62811f249925acfb36b7e92caab84b245b65f6bb31a4761f8b570f71
Opcode Fuzzy Hash: d9a53be220a8fe0e5422a91615324d7fd4a3c84e55ff59fc4d00f01b80b35bc8
Instruction Fuzzy Hash: 38310972D0021DAFDB24DFA8CC94EAB77BDEB85354F14469DF80597245EA30DD408B54

Function 009825A0 Relevance: 1.3, APIs: 1, Instructions: 64memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 009A95A8: AcquireSRWLockExclusive.KERNEL32(009E3B74,?,?,?,00982646,009E4714,0615A9B3,?,?,009CB16D,000000FF,?,00981A07), ref: 009A95B3
Part of subcall function 009A95A8: ReleaseSRWLockExclusive.KERNEL32(009E3B74,?,?,00982646,009E4714,0615A9B3,?,?,009CB16D,000000FF,?,00981A07,?,?,?,0615A9B3), ref: 009A95ED

GetProcessHeap.KERNEL32 ref: 009825F5

Part of subcall function 009A9557: AcquireSRWLockExclusive.KERNEL32(009E3B74,?,?,009826B7,009E4714,009CEC90), ref: 009A9561
Part of subcall function 009A9557: ReleaseSRWLockExclusive.KERNEL32(009E3B74,?,?,009826B7,009E4714,009CEC90), ref: 009A9594
Part of subcall function 009A9557: WakeAllConditionVariable.KERNEL32(009E3B70,?,?,009826B7,009E4714,009CEC90), ref: 009A959F

Memory Dump Source

Source File: 00000014.00000002.17563678551.0000000000981000.00000020.00000001.01000000.00000010.sdmp, Offset: 00980000, based on PE: true

Associated: 00000014.00000002.17563642493.0000000000980000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.17563763650.00000000009CF000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.17563821675.00000000009E2000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.17563861708.00000000009E7000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_980000_MSIBD59.jbxd

Similarity

API ID: ExclusiveLock$AcquireRelease$ConditionHeapProcessVariableWake
String ID:
API String ID: 1755742941-0
Opcode ID: 25c7f784591876dc4b41d4690e2ed3b8e74930e61e1e9a27e55aeabe039bf974
Instruction ID: 398c821eb3c2cb0d42fe7e4a36bc1cd554358f1ff1780820aa3bb92d333e7dad
Opcode Fuzzy Hash: 25c7f784591876dc4b41d4690e2ed3b8e74930e61e1e9a27e55aeabe039bf974
Instruction Fuzzy Hash: 9A2189B08183809FCB11DF69ED86B493BE4F74B724F010229E8219B3E1D7761E00ABD6

Function 00981270 Relevance: 33.6, APIs: 17, Strings: 2, Instructions: 304libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(Advapi32.dll), ref: 009812F8
GetLastError.KERNEL32 ref: 00981326

Part of subcall function 009818E0: LocalFree.KERNEL32(?,0615A9B3,?,00000000,009CB020,000000FF,?,?,009E0558,?,?,009816A4,80004005), ref: 0098192C

GetProcAddress.KERNEL32(00000000,ConvertStringSidToSidW), ref: 0098133C
FreeLibrary.KERNEL32(00000000), ref: 00981358
GetLastError.KERNEL32 ref: 00981365

Strings

Advapi32.dll, xrefs: 009812BD
ConvertStringSidToSidW, xrefs: 00981336

Memory Dump Source

Source File: 00000014.00000002.17563678551.0000000000981000.00000020.00000001.01000000.00000010.sdmp, Offset: 00980000, based on PE: true

Associated: 00000014.00000002.17563642493.0000000000980000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.17563763650.00000000009CF000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.17563821675.00000000009E2000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.17563861708.00000000009E7000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_980000_MSIBD59.jbxd

Similarity

API ID: ErrorFreeLastLibrary$AddressLoadLocalProc
String ID: Advapi32.dll$ConvertStringSidToSidW
API String ID: 2442427113-1129428314
Opcode ID: 02ae7a4dc7ff37c511a97d3ef3be4be778d16c487b1fda2fc079da749f2e7a9c
Instruction ID: de6f0c8d1baf870267649fca56c0281b1576c6da85ffaddffba95e76a2649dca
Opcode Fuzzy Hash: 02ae7a4dc7ff37c511a97d3ef3be4be778d16c487b1fda2fc079da749f2e7a9c
Instruction Fuzzy Hash: CED15AB1C05209EFDB10DFA4C944BEEBBF9EF48314F244619E855A7390E774AA46CB90

Function 009889D0 Relevance: 30.1, APIs: 13, Strings: 4, Instructions: 347filememoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,?,00000000), ref: 00988A4D
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 00988AA0
LocalAlloc.KERNEL32(00000040,00000000,?,?,?,?,?,?,?,00000000,009CBFF5,000000FF), ref: 00988AAF
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 00988ACB
WriteFile.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,?,00000000,009CBFF5,000000FF), ref: 00988BAB
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00000000,009CBFF5,000000FF), ref: 00988BB7
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,?,?,?,?,?,?,?,00000000,009CBFF5,000000FF), ref: 00988BF3
LocalAlloc.KERNEL32(00000040,00000000,?,?,?,?,?,?,?,00000000,009CBFF5,000000FF), ref: 00988C11
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,?,?,?,?,?,?,?,00000000,009CBFF5,000000FF), ref: 00988C2E
LocalFree.KERNEL32(00000000,?,?,?,?,?,?,?,00000000,009CBFF5,000000FF), ref: 00988CC3
ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000005), ref: 00988D08
ShellExecuteW.SHELL32(00000000,00000000,00000000,00000000,00000000,00000005), ref: 00988D5A
LocalFree.KERNEL32(?,?,?,?,?,?,?,?,00000000,009CBFF5,000000FF), ref: 00988D8D

Strings

[InternetShortcut]URL=, xrefs: 00988ADF
open, xrefs: 00988D01, 00988D21
-_.~!*'();:@&=+$,/?#[], xrefs: 00988B27, 00988B3E
URL Shortcut content:, xrefs: 00988C49

Memory Dump Source

Source File: 00000014.00000002.17563678551.0000000000981000.00000020.00000001.01000000.00000010.sdmp, Offset: 00980000, based on PE: true

Associated: 00000014.00000002.17563642493.0000000000980000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.17563763650.00000000009CF000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.17563821675.00000000009E2000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.17563861708.00000000009E7000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_980000_MSIBD59.jbxd

Similarity

API ID: ByteCharLocalMultiWide$AllocExecuteFileFreeShell$CloseCreateHandleWrite
String ID: -_.~!*'();:@&=+$,/?#[]$URL Shortcut content:$[InternetShortcut]URL=$open
API String ID: 2199533872-3004881174
Opcode ID: a539d433ed1f9a58dce0af0aca262fd74c668b568ba76d2131c9163de002d55a
Instruction ID: 1c55481d414e0e219ef11afe3957251bfe77d4162184f136936aa8d1b9feea0f
Opcode Fuzzy Hash: a539d433ed1f9a58dce0af0aca262fd74c668b568ba76d2131c9163de002d55a
Instruction Fuzzy Hash: B6C124B19002499FEB20AF28CC45BBFBBF9EF95700F54412AE501AB3D1EB744909C7A1

Function 00986B50 Relevance: 15.1, APIs: 10, Instructions: 132timeCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000400,00000000,?,0615A9B3,?,00000000), ref: 00986BA5
OpenProcess.KERNEL32(00000400,00000000,00000000,?,0615A9B3,?,00000000), ref: 00986BC6
GetProcessTimes.KERNEL32(00000000,?,00000000,00000000,00000000,?,0615A9B3,?,00000000), ref: 00986BF9
GetProcessTimes.KERNEL32(00000000,?,00000000,00000000,00000000,?,0615A9B3,?,00000000), ref: 00986C0A
CloseHandle.KERNEL32(00000000,?,0615A9B3,?,00000000), ref: 00986C28
CloseHandle.KERNEL32(00000000,?,0615A9B3,?,00000000), ref: 00986C4C
CloseHandle.KERNEL32(00000000,?,0615A9B3,?,00000000), ref: 00986C78
CloseHandle.KERNEL32(00000000,?,0615A9B3,?,00000000), ref: 00986C98
CloseHandle.KERNEL32(00000000,?,0615A9B3,?,00000000), ref: 00986CBA
CloseHandle.KERNEL32(00000000,?,0615A9B3,?,00000000), ref: 00986CDA

Memory Dump Source

Source File: 00000014.00000002.17563678551.0000000000981000.00000020.00000001.01000000.00000010.sdmp, Offset: 00980000, based on PE: true

Associated: 00000014.00000002.17563642493.0000000000980000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.17563763650.00000000009CF000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.17563821675.00000000009E2000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.17563861708.00000000009E7000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_980000_MSIBD59.jbxd

Similarity

API ID: CloseHandle$Process$OpenTimes
String ID:
API String ID: 1711917922-0
Opcode ID: 7206542dcfbaf570e298cc59b08c802fc65df06110d3281ead60de9e07d589b9
Instruction ID: a44949e61981ffd819d9fcb6562a6480abeed8b2a521c3aa18b645a06eb87db3
Opcode Fuzzy Hash: 7206542dcfbaf570e298cc59b08c802fc65df06110d3281ead60de9e07d589b9
Instruction Fuzzy Hash: A0518271D05218DFDB20DF94C958BAEBBB8FF09B14F208219E691BB380D7755A008B65

Function 00985A00 Relevance: 14.4, APIs: 6, Strings: 2, Instructions: 373fileCOMMON

Download Yara Rule

APIs

GetTempFileNameW.KERNEL32(?,URL,00000000,?,0615A9B3,?,00000004), ref: 00985A6A
LocalFree.KERNEL32(?), ref: 00985B7B
MoveFileW.KERNEL32(?,00000000), ref: 00985E1B
DeleteFileW.KERNEL32(?), ref: 00985E63
LocalFree.KERNEL32(?), ref: 00985EFD
LocalFree.KERNEL32(?), ref: 00985FB2

Strings

URL, xrefs: 00985A64, 00985E4B
url, xrefs: 00985B9C, 00985E46

Memory Dump Source

Source File: 00000014.00000002.17563678551.0000000000981000.00000020.00000001.01000000.00000010.sdmp, Offset: 00980000, based on PE: true

Associated: 00000014.00000002.17563642493.0000000000980000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.17563763650.00000000009CF000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.17563821675.00000000009E2000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.17563861708.00000000009E7000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_980000_MSIBD59.jbxd

Similarity

API ID: FileFreeLocal$DeleteMoveNameTemp
String ID: URL$url
API String ID: 1227976696-346267919
Opcode ID: 138c09bc28c3acb0c4457802a5f1a485de5e546f81d8fad7e44aca4d0b0b9b66
Instruction ID: 205ec5bc3afd9a7f62368aa29a87b239df7366b7107a53b9af35c3c70c9d1c99
Opcode Fuzzy Hash: 138c09bc28c3acb0c4457802a5f1a485de5e546f81d8fad7e44aca4d0b0b9b66
Instruction Fuzzy Hash: AB026970D146699ACB24EF24C998B9DB7B5FF94304F1042D9D449A7291EB74AFC8CF80

Function 009913A0 Relevance: 11.0, APIs: 2, Strings: 4, Instructions: 454registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(?,-00000002,00000000,?,?), ref: 009917A2
RegQueryValueExW.ADVAPI32(?,00000002,00000000,00000000,009E47B8,00000800), ref: 009917C2

Strings

/DontWait , xrefs: 00991447, 00991450, 0099147C, 0099149E
/EnforcedRunAsAdmin , xrefs: 009913C0, 009913CA, 009913F3, 00991411
/HideWindow, xrefs: 00991585, 0099158F, 009915BC, 009915CC, 009915EB
/RunAsAdmin , xrefs: 009914DE, 009914E9, 00991513, 00991523, 00991542

Memory Dump Source

Source File: 00000014.00000002.17563678551.0000000000981000.00000020.00000001.01000000.00000010.sdmp, Offset: 00980000, based on PE: true

Associated: 00000014.00000002.17563642493.0000000000980000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.17563763650.00000000009CF000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.17563821675.00000000009E2000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.17563861708.00000000009E7000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_980000_MSIBD59.jbxd

Similarity

API ID: OpenQueryValue
String ID: /DontWait $/EnforcedRunAsAdmin $/HideWindow$/RunAsAdmin
API String ID: 4153817207-1914306501
Opcode ID: 1c57b404f7a442d3d35e3841a7e9e75b39e0ea0b5100bd575398a69e5995e9d6
Instruction ID: b7165fe163cd067a6f8dd14c2474904e9a54f0924d6f71793ad2ea19d2e3e460
Opcode Fuzzy Hash: 1c57b404f7a442d3d35e3841a7e9e75b39e0ea0b5100bd575398a69e5995e9d6
Instruction Fuzzy Hash: 09E1D329E043538BDF349F1DC840276B3EAFF95740B9E846AE8458B251E771CD82D792

Function 00990780 Relevance: 9.3, APIs: 4, Strings: 2, Instructions: 274memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32(00000040,?), ref: 0099083F
LocalAlloc.KERNEL32(00000040,?), ref: 00990881

Part of subcall function 00990780: LocalFree.KERNEL32(?,00000000,00000000,?,?,0615A9B3,0615A9B3,00000000,?), ref: 00990A66

LocalFree.KERNEL32(?), ref: 00990931

Strings

ios_base::failbit set, xrefs: 009909D2
iostream, xrefs: 00990AC0

Memory Dump Source

Source File: 00000014.00000002.17563678551.0000000000981000.00000020.00000001.01000000.00000010.sdmp, Offset: 00980000, based on PE: true

Associated: 00000014.00000002.17563642493.0000000000980000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.17563763650.00000000009CF000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.17563821675.00000000009E2000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.17563861708.00000000009E7000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_980000_MSIBD59.jbxd

Similarity

API ID: Local$AllocFree
String ID: ios_base::failbit set$iostream
API String ID: 2012307162-302468714
Opcode ID: 1efaafb802ccb1758f60ac82c60379627536cb56f914124644d4fd08e858e025
Instruction ID: d607b4786a66aad1e9d77d2834d9998e463e91dcfa9bddd1c36c3a4477cf9bc4
Opcode Fuzzy Hash: 1efaafb802ccb1758f60ac82c60379627536cb56f914124644d4fd08e858e025
Instruction Fuzzy Hash: 02A1D2B1D01204DFDB14DF68C885BAEBBB5FF89310F14826EE825AB391D7719A44CB91

Function 009A921D Relevance: 9.2, APIs: 6, Instructions: 225COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?,?,?,?), ref: 009A92A8
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 009A9334
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 009A939F
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 009A93BB
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 009A941E
CompareStringEx.KERNEL32(?,?,00000000,?,00000000,?,00000000,00000000,00000000), ref: 009A943B

Memory Dump Source

Source File: 00000014.00000002.17563678551.0000000000981000.00000020.00000001.01000000.00000010.sdmp, Offset: 00980000, based on PE: true

Associated: 00000014.00000002.17563642493.0000000000980000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.17563763650.00000000009CF000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.17563821675.00000000009E2000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.17563861708.00000000009E7000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_980000_MSIBD59.jbxd

Similarity

API ID: ByteCharMultiWide$CompareInfoString
String ID:
API String ID: 2984826149-0
Opcode ID: 151baf255291fae2a46e973c80a457dab7565a6a31a14445a3121be1f98e5b23
Instruction ID: e3277d3f55755efa32e8c889e56c961496eeee41bc075cbc09d7876f5e81894e
Opcode Fuzzy Hash: 151baf255291fae2a46e973c80a457dab7565a6a31a14445a3121be1f98e5b23
Instruction Fuzzy Hash: 2E71CF72D04269ABDF208FA4CC85BEEBBF9BF4B764F184115E955A61A0DA358C01C7E0

Function 00982CD0 Relevance: 9.2, APIs: 6, Instructions: 220encryptionCOMMON

Download Yara Rule

APIs

#224.MSI(?,00000001,00000000,00000000,00000000), ref: 00982D50
LocalFree.KERNEL32(?), ref: 00982DBA
LocalFree.KERNEL32(?), ref: 00982E24
CertFreeCertificateContext.CRYPT32(00000000), ref: 00982F65

Part of subcall function 00983DC0: CertGetNameStringW.CRYPT32(00000000,00000004,00000000,00000000,00000000,00000000,0615A9B3), ref: 00983E03

LocalFree.KERNEL32(?), ref: 00982F1B
CertFreeCertificateContext.CRYPT32(00000003,?), ref: 00982FAB

Memory Dump Source

Source File: 00000014.00000002.17563678551.0000000000981000.00000020.00000001.01000000.00000010.sdmp, Offset: 00980000, based on PE: true

Associated: 00000014.00000002.17563642493.0000000000980000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.17563763650.00000000009CF000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.17563821675.00000000009E2000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.17563861708.00000000009E7000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_980000_MSIBD59.jbxd

Similarity

API ID: Free$CertLocal$CertificateContext$#224NameString
String ID:
API String ID: 2751787804-0
Opcode ID: 542422a70bc21a084413abea1f7ebd9bb018dfdf22ff371a33da525f702e0946
Instruction ID: cacee73635d4067658b2fd0110920b2526b7fbe49afd0bb71d407eff6fa50f5b
Opcode Fuzzy Hash: 542422a70bc21a084413abea1f7ebd9bb018dfdf22ff371a33da525f702e0946
Instruction Fuzzy Hash: E8918C70D04249CFDB18DFA8C558BAEBBF5FF48304F144619E415AB391DBB5AA88CB90

Function 009A8CFE Relevance: 9.2, APIs: 6, Instructions: 175COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000001,?,00000000,00000000,CCCCCCCC,0098C98F,?,00000001,00000000,00000000,?,?,0098C98F,?), ref: 009A8D47
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,00000000,?,0098C98F,?,?,00000000,0098CFE3,0000003F,?), ref: 009A8DB2
LCMapStringEx.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,0098C98F,?,?,00000000,0098CFE3,0000003F), ref: 009A8DCF
LCMapStringEx.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000,00000000,?,0098C98F,?,?,00000000,0098CFE3,0000003F), ref: 009A8E0E
LCMapStringEx.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,0098C98F,?,?,00000000,0098CFE3,0000003F), ref: 009A8E6D
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,?,00000000,00000000,?,0098C98F,?,?,00000000,0098CFE3,0000003F,?), ref: 009A8E90

Memory Dump Source

Source File: 00000014.00000002.17563678551.0000000000981000.00000020.00000001.01000000.00000010.sdmp, Offset: 00980000, based on PE: true

Associated: 00000014.00000002.17563642493.0000000000980000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.17563763650.00000000009CF000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.17563821675.00000000009E2000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.17563861708.00000000009E7000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_980000_MSIBD59.jbxd

Similarity

API ID: ByteCharMultiStringWide
String ID:
API String ID: 2829165498-0
Opcode ID: 8af8375a7d702af58d582f8ccfd10f2159094c382b695f19f31804bab295f2f1
Instruction ID: 08e2f68f401790a7c900d5f09c4f9442ff8c1cd89865b1c3d23524a81e8d85b5
Opcode Fuzzy Hash: 8af8375a7d702af58d582f8ccfd10f2159094c382b695f19f31804bab295f2f1
Instruction Fuzzy Hash: 4851AF7290020AFBDF20AF60CC45FAB7BB9FF46B50F254425F905A6190DB748D10CBA0

Function 00988620 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 64libraryloaderCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0615A9B3,0615A9B3,?,?,00000000,009CBF91,000000FF), ref: 009886BB

Part of subcall function 009A95A8: AcquireSRWLockExclusive.KERNEL32(009E3B74,?,?,?,00982646,009E4714,0615A9B3,?,?,009CB16D,000000FF,?,00981A07), ref: 009A95B3
Part of subcall function 009A95A8: ReleaseSRWLockExclusive.KERNEL32(009E3B74,?,?,00982646,009E4714,0615A9B3,?,?,009CB16D,000000FF,?,00981A07,?,?,?,0615A9B3), ref: 009A95ED

GetModuleHandleW.KERNEL32(kernel32,IsWow64Process), ref: 00988680
GetProcAddress.KERNEL32(00000000), ref: 00988687

Part of subcall function 009A9557: AcquireSRWLockExclusive.KERNEL32(009E3B74,?,?,009826B7,009E4714,009CEC90), ref: 009A9561
Part of subcall function 009A9557: ReleaseSRWLockExclusive.KERNEL32(009E3B74,?,?,009826B7,009E4714,009CEC90), ref: 009A9594
Part of subcall function 009A9557: WakeAllConditionVariable.KERNEL32(009E3B70,?,?,009826B7,009E4714,009CEC90), ref: 009A959F

Strings

kernel32, xrefs: 0098867B
IsWow64Process, xrefs: 00988676

Memory Dump Source

Source File: 00000014.00000002.17563678551.0000000000981000.00000020.00000001.01000000.00000010.sdmp, Offset: 00980000, based on PE: true

Associated: 00000014.00000002.17563642493.0000000000980000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.17563763650.00000000009CF000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.17563821675.00000000009E2000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.17563861708.00000000009E7000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_980000_MSIBD59.jbxd

Similarity

API ID: ExclusiveLock$AcquireRelease$AddressConditionCurrentHandleModuleProcProcessVariableWake
String ID: IsWow64Process$kernel32
API String ID: 411948497-3789238822
Opcode ID: 4102b60c345ea37cf58aa8bf7f942bccf3916fb0aeb7f3bda1655c302529ecc0
Instruction ID: 88ddca3fe5803efe489ffa8039fe9548117b3f32b6fedb5f8da745b1cabb152e
Opcode Fuzzy Hash: 4102b60c345ea37cf58aa8bf7f942bccf3916fb0aeb7f3bda1655c302529ecc0
Instruction Fuzzy Hash: 8E21AE72D58644EFCB10DF64DC49F9AB7E8F709B25F10022AE81193390EB36A900DB91

Function 009BA628 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,0615A9B3,?,?,00000001,009CD620,000000FF,?,009BA61D,?,?,009BA5F4,?,?), ref: 009BA65D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 009BA66F
FreeLibrary.KERNEL32(00000000,?,00000001,009CD620,000000FF,?,009BA61D,?,?,009BA5F4,?,?), ref: 009BA691

Strings

mscoree.dll, xrefs: 009BA656
CorExitProcess, xrefs: 009BA667

Memory Dump Source

Source File: 00000014.00000002.17563678551.0000000000981000.00000020.00000001.01000000.00000010.sdmp, Offset: 00980000, based on PE: true

Associated: 00000014.00000002.17563642493.0000000000980000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.17563763650.00000000009CF000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.17563821675.00000000009E2000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.17563861708.00000000009E7000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_980000_MSIBD59.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: e86058ac5a8cd64ad102d78ad5d50ab27b8dff16de26a7f0272a06f542143dc0
Instruction ID: 6f489f5798e82c35585316ed793a9afe8f239e8b24f8e2d03ef687cb5d4a9227
Opcode Fuzzy Hash: e86058ac5a8cd64ad102d78ad5d50ab27b8dff16de26a7f0272a06f542143dc0
Instruction Fuzzy Hash: 3E01A271968615EBCB118F40CC09FBEBBBDFB48B29F044236F811A22D0DB749900CB81

Function 009BF0FA Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 35libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,00000000,00000800,?,009BF064,?,?,?,?,?,009BF188,0000001A,AppPolicyGetProcessTerminationMethod,009D4848,AppPolicyGetProcessTerminationMethod,?), ref: 009BF109
GetLastError.KERNEL32(?,009BF064,?,?,?,?,?,009BF188,0000001A,AppPolicyGetProcessTerminationMethod,009D4848,AppPolicyGetProcessTerminationMethod,?,?,009C167E,00000000), ref: 009BF113
LoadLibraryExW.KERNEL32(?,00000000,00000000,?,?,?,?,?), ref: 009BF151

Strings

ext-ms-, xrefs: 009BF136
api-ms-, xrefs: 009BF120

Memory Dump Source

Source File: 00000014.00000002.17563678551.0000000000981000.00000020.00000001.01000000.00000010.sdmp, Offset: 00980000, based on PE: true

Associated: 00000014.00000002.17563642493.0000000000980000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.17563763650.00000000009CF000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.17563821675.00000000009E2000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.17563861708.00000000009E7000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_980000_MSIBD59.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-$ext-ms-
API String ID: 3177248105-537541572
Opcode ID: 07846c4c274cc4678f72494ec8ecee75c572e45ca0c2a3f996b262b688cad56d
Instruction ID: 92da6238f80a5a82bb915d0e047e88791d4bc634793676563bdb889f5ab45d57
Opcode Fuzzy Hash: 07846c4c274cc4678f72494ec8ecee75c572e45ca0c2a3f996b262b688cad56d
Instruction Fuzzy Hash: B6F03030A88204F7EF211F61EE16F993F5AEB80B60F144430FE0CE81E1EB61E955A585

Function 00987E40 Relevance: 7.6, APIs: 1, Strings: 4, Instructions: 82COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000010,00000010,?,00987ACB,?,?,?), ref: 00987E47

Strings

false, xrefs: 00987E56
true, xrefs: 00987E51
Call to ShellExecuteEx() returned:, xrefs: 00987E6D
Last error=, xrefs: 00987ED3

Memory Dump Source

Source File: 00000014.00000002.17563678551.0000000000981000.00000020.00000001.01000000.00000010.sdmp, Offset: 00980000, based on PE: true

Associated: 00000014.00000002.17563642493.0000000000980000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.17563763650.00000000009CF000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.17563821675.00000000009E2000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.17563861708.00000000009E7000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_980000_MSIBD59.jbxd

Similarity

API ID: ErrorLast
String ID: Call to ShellExecuteEx() returned:$Last error=$false$true
API String ID: 1452528299-1782174991
Opcode ID: 8f99bf77328d921f1764aebe05fc09483ee5c255a039742b1d5f9aaf0168b130
Instruction ID: 63273b88513654148fc1d554524a8f7f9a9a60d1a502270f2cd4e3706d38eb2d
Opcode Fuzzy Hash: 8f99bf77328d921f1764aebe05fc09483ee5c255a039742b1d5f9aaf0168b130
Instruction Fuzzy Hash: 7D215C49A1026286CB706F7D8400336E2F9AF54744B75486FD8C8D73A0F669CCC18391

Function 00986150 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 105libraryCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?,00000105), ref: 009861B5
GetLastError.KERNEL32(?,?,?,000000FF,009CB8CD,000000FF), ref: 0098626B

Part of subcall function 00981FD0: FindResourceW.KERNEL32(00000000,?,00000006,?,00000000,009CB0ED,000000FF,?,80070057,?,00000000,?,00000010,?,00981B09,?), ref: 0098205C

LoadLibraryExW.KERNEL32(?,00000000,00000000,?,?,000000FF,009CB8CD,000000FF), ref: 0098620F

Strings

ntdll.dll, xrefs: 009861EB

Memory Dump Source

Source File: 00000014.00000002.17563678551.0000000000981000.00000020.00000001.01000000.00000010.sdmp, Offset: 00980000, based on PE: true

Associated: 00000014.00000002.17563642493.0000000000980000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.17563763650.00000000009CF000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.17563821675.00000000009E2000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.17563861708.00000000009E7000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_980000_MSIBD59.jbxd

Similarity

API ID: DirectoryErrorFindLastLibraryLoadResourceSystem
String ID: ntdll.dll
API String ID: 4113295189-2227199552
Opcode ID: 91b9ce462e3b3afb1f84e3d7b6cce8da1f62440f1e9f49cde13a51a831dd040c
Instruction ID: 7c7571d42022238431168a8a7670c6e68c1d7119d2a5d46482766c9ae18561cd
Opcode Fuzzy Hash: 91b9ce462e3b3afb1f84e3d7b6cce8da1f62440f1e9f49cde13a51a831dd040c
Instruction Fuzzy Hash: 38417F71A002099FDB10EF68CC85BAEBBB9FF48710F148169E525EB3D1DB749A04CB91

Function 009ADE82 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,009ADE33,00000000,?,009E3F04,?,?,?,009ADFD6,00000004,InitializeCriticalSectionEx,009D230C,InitializeCriticalSectionEx), ref: 009ADE8F
GetLastError.KERNEL32(?,009ADE33,00000000,?,009E3F04,?,?,?,009ADFD6,00000004,InitializeCriticalSectionEx,009D230C,InitializeCriticalSectionEx,00000000,?,009ADD8D), ref: 009ADE99
LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 009ADEC1

Strings

api-ms-, xrefs: 009ADEA6

Memory Dump Source

Source File: 00000014.00000002.17563678551.0000000000981000.00000020.00000001.01000000.00000010.sdmp, Offset: 00980000, based on PE: true

Associated: 00000014.00000002.17563642493.0000000000980000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.17563763650.00000000009CF000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.17563821675.00000000009E2000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.17563861708.00000000009E7000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_980000_MSIBD59.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: 1d6a89c30f7da43bc7ee66d3339beb738ff85a9a6b431946584a46289eefb4c7
Instruction ID: 1ee7973b732c10e69feb5c947fdbeac758ccf533bc0e7c36bc1de8bda35d17e7
Opcode Fuzzy Hash: 1d6a89c30f7da43bc7ee66d3339beb738ff85a9a6b431946584a46289eefb4c7
Instruction Fuzzy Hash: 8AE04F30685204B7EF211B61EC06F593F6AAB61B51F244030F90DE84E1D761AD54A6C4

Function 009C8298 Relevance: 6.3, APIs: 4, Instructions: 333fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(0615A9B3,00000000,00000000,?), ref: 009C82FB

Part of subcall function 009C12CA: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,00000000,?,-00000008,-00000008,00000000,?,?,009BEB45,?,00000000), ref: 009C1329

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 009C8551
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 009C8597
GetLastError.KERNEL32 ref: 009C863A

Memory Dump Source

Source File: 00000014.00000002.17563678551.0000000000981000.00000020.00000001.01000000.00000010.sdmp, Offset: 00980000, based on PE: true

Associated: 00000014.00000002.17563642493.0000000000980000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.17563763650.00000000009CF000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.17563821675.00000000009E2000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.17563861708.00000000009E7000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_980000_MSIBD59.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: 845656ab378b76cd691945f09331fad2c88738e168154f5c775520af6c497254
Instruction ID: bd15dd349077b3dd73d67a9d15e1c6c9e301dffa8d9f2384aa1213b9fdd0d508
Opcode Fuzzy Hash: 845656ab378b76cd691945f09331fad2c88738e168154f5c775520af6c497254
Instruction Fuzzy Hash: 16D19D75D042889FCB15CFA8D980AEEBBB9FF49310F24416EE856EB351DB30A941CB51

Function 0098F4E0 Relevance: 6.3, APIs: 1, Strings: 3, Instructions: 263memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32(00000040,00000018,0615A9B3,00000000,?), ref: 0098F546

Strings

false, xrefs: 0098F69D
bad locale name, xrefs: 0098F85C
true, xrefs: 0098F6B3

Memory Dump Source

Source File: 00000014.00000002.17563678551.0000000000981000.00000020.00000001.01000000.00000010.sdmp, Offset: 00980000, based on PE: true

Associated: 00000014.00000002.17563642493.0000000000980000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.17563763650.00000000009CF000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.17563821675.00000000009E2000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.17563861708.00000000009E7000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_980000_MSIBD59.jbxd

Similarity

API ID: AllocLocal
String ID: bad locale name$false$true
API String ID: 3494564517-1062449267
Opcode ID: c0e81b4ed7fc4a63a8b69239895e4360aea0ebd56822c030da32555841da41ee
Instruction ID: b6ed6a8b684b363c72e7396fcc12c7ce5ac21cb5892d7bd90bccd04bd6c0b7ce
Opcode Fuzzy Hash: c0e81b4ed7fc4a63a8b69239895e4360aea0ebd56822c030da32555841da41ee
Instruction Fuzzy Hash: A3B191B1D00348DEEF20DFA8C955BDEBBF8AF55304F148169E444AB382E7759A48CB91

Function 009892A0 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 78COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,00000000,00000000,00988D7C,00000000,?,?,?,?,?,?,?,00000000,009CBFF5,000000FF), ref: 009892A7

Strings

Call to ShellExecute() for verb<, xrefs: 009892B1
> returned:, xrefs: 009892B6
Last error=, xrefs: 00989301

Memory Dump Source

Source File: 00000014.00000002.17563678551.0000000000981000.00000020.00000001.01000000.00000010.sdmp, Offset: 00980000, based on PE: true

Associated: 00000014.00000002.17563642493.0000000000980000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.17563763650.00000000009CF000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.17563821675.00000000009E2000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.17563861708.00000000009E7000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_980000_MSIBD59.jbxd

Similarity

API ID: ErrorLast
String ID: > returned:$Call to ShellExecute() for verb<$Last error=
API String ID: 1452528299-1781106413
Opcode ID: b09fa51b0458265157de0c9420af03e127136ac06ff1374f49de60a16b22132d
Instruction ID: 60cf7840d7a9f2c1f119eabda1ff2ec262d70f66d8fee69e6c7fbf480ebf7fa2
Opcode Fuzzy Hash: b09fa51b0458265157de0c9420af03e127136ac06ff1374f49de60a16b22132d
Instruction Fuzzy Hash: D9216349F6026287CB742F7C840133AA2F9EF94754F69542FE8D9D7390FA698C82C395

Function 009918C0 Relevance: 6.1, APIs: 4, Instructions: 65fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000004,00000080,00000000,0615A9B3), ref: 009918FC
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,40000000,00000001,00000000,00000004,00000080,00000000), ref: 0099191C
WriteFile.KERNEL32(00000000,?,?,?,00000000,?,40000000,00000001,00000000,00000004,00000080,00000000), ref: 0099194D
CloseHandle.KERNEL32(00000000,?,?,?,00000000,?,40000000,00000001,00000000,00000004,00000080,00000000), ref: 00991966

Memory Dump Source

Source File: 00000014.00000002.17563678551.0000000000981000.00000020.00000001.01000000.00000010.sdmp, Offset: 00980000, based on PE: true

Associated: 00000014.00000002.17563642493.0000000000980000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.17563763650.00000000009CF000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.17563821675.00000000009E2000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.17563861708.00000000009E7000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_980000_MSIBD59.jbxd

Similarity

API ID: File$CloseCreateHandlePointerWrite
String ID:
API String ID: 3604237281-0
Opcode ID: 26c52b66c86f87b9a40e7ccfda77db2d88515d5feb79ac07d59e2049646ad9a6
Instruction ID: 51be4b752a52b190aeeef8e5f2b7bd07a7df835f63af5320feb18a81c06bc7f9
Opcode Fuzzy Hash: 26c52b66c86f87b9a40e7ccfda77db2d88515d5feb79ac07d59e2049646ad9a6
Instruction Fuzzy Hash: D321B170A44315ABD720CF54DC09FAEBBF8FB05B14F10412AF500A72C1D7B45A0487A4

Function 009AA445 Relevance: 6.0, APIs: 4, Instructions: 25timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 009AA457
GetCurrentThreadId.KERNEL32 ref: 009AA466
GetCurrentProcessId.KERNEL32 ref: 009AA46F
QueryPerformanceCounter.KERNEL32(?), ref: 009AA47C

Memory Dump Source

Source File: 00000014.00000002.17563678551.0000000000981000.00000020.00000001.01000000.00000010.sdmp, Offset: 00980000, based on PE: true

Associated: 00000014.00000002.17563642493.0000000000980000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.17563763650.00000000009CF000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.17563821675.00000000009E2000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.17563861708.00000000009E7000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_980000_MSIBD59.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 36cf90987ea6e2ff95ab98d7270c0d4b4bb06bca93780d8129ca59c6863df0af
Instruction ID: e1e8cc5f779912aa45df8164f1104ac5ccd3f0f59e2211dd0c6cc45263b424e6
Opcode Fuzzy Hash: 36cf90987ea6e2ff95ab98d7270c0d4b4bb06bca93780d8129ca59c6863df0af
Instruction Fuzzy Hash: C7F0AF70C24208EFDB00DBB0C949A9EBBF8FF08315F9144A59402E7110D734AB04DB50

Function 00989890 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 154COMMON

Download Yara Rule

Strings

\\?\, xrefs: 009899DF, 00989A0C
\\?\UNC\, xrefs: 00989968, 009899C3

Memory Dump Source

Source File: 00000014.00000002.17563678551.0000000000981000.00000020.00000001.01000000.00000010.sdmp, Offset: 00980000, based on PE: true

Associated: 00000014.00000002.17563642493.0000000000980000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.17563763650.00000000009CF000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.17563821675.00000000009E2000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.17563861708.00000000009E7000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_980000_MSIBD59.jbxd

Similarity

API ID:
String ID: \\?\$\\?\UNC\
API String ID: 0-3019864461
Opcode ID: 79da31eb888cbcb7d973973e2f4071a151cc70e1cb9a44bfb1a8591b2bb16304
Instruction ID: 0c0b9305deff25ff53cbfb612b0d5ee381108aead0b85c7dd190ee7c0b33c520
Opcode Fuzzy Hash: 79da31eb888cbcb7d973973e2f4071a151cc70e1cb9a44bfb1a8591b2bb16304
Instruction Fuzzy Hash: CF519FB1E002059BDB24EF68C885BBEB7F9FF95318F14851EE441A7780D775A988CB90

Function 009AD426 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?), ref: 009AD44B

Strings

MOC, xrefs: 009AD45D
RCC, xrefs: 009AD465

Memory Dump Source

Source File: 00000014.00000002.17563678551.0000000000981000.00000020.00000001.01000000.00000010.sdmp, Offset: 00980000, based on PE: true

Associated: 00000014.00000002.17563642493.0000000000980000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.17563763650.00000000009CF000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.17563821675.00000000009E2000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.17563861708.00000000009E7000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_980000_MSIBD59.jbxd

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: a8be61df7674f1930fb823f3ed5e3a7b2e5a962b918d807bd9461c9abefe7b6e
Instruction ID: 8a8afa9f26c45c4e078b580601abc56adcab941172bdd05e3886d7c76a1caa40
Opcode Fuzzy Hash: a8be61df7674f1930fb823f3ed5e3a7b2e5a962b918d807bd9461c9abefe7b6e
Instruction Fuzzy Hash: FE417971D01209AFCF16CF98C881AEE7BB9FF4A304F158099F906A7265D335A950DF90

Function 00988310 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

ConvertSidToStringSidW.ADVAPI32(?,00000000), ref: 00988356
LocalFree.KERNEL32(00000000,Invalid SID,0000000B,?,00000000,0615A9B3), ref: 009883C5

Strings

Invalid SID, xrefs: 009883A3

Memory Dump Source

Source File: 00000014.00000002.17563678551.0000000000981000.00000020.00000001.01000000.00000010.sdmp, Offset: 00980000, based on PE: true

Associated: 00000014.00000002.17563642493.0000000000980000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.17563763650.00000000009CF000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.17563821675.00000000009E2000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.17563861708.00000000009E7000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_980000_MSIBD59.jbxd

Similarity

API ID: ConvertFreeLocalString
String ID: Invalid SID
API String ID: 3201929900-130637731
Opcode ID: f6b21c74a9f1239cc8d225a349f3fb0210ee4633e3bc4530f6c7dd2cd2e882d1
Instruction ID: bc6cdbd3b9d46db0527ae5149c8b1df3463e12290ab75a15e76f1a3a9543fdb3
Opcode Fuzzy Hash: f6b21c74a9f1239cc8d225a349f3fb0210ee4633e3bc4530f6c7dd2cd2e882d1
Instruction Fuzzy Hash: A021AEB1A142059BDB10DF58C815BAFBBB9FF84B14F54461EE802A7380DBB96A448BD0

Function 00992345 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00991020: InitializeCriticalSectionEx.KERNEL32(?,00000000,00000000,0615A9B3,?,009CB110,000000FF), ref: 00991047
Part of subcall function 00991020: GetLastError.KERNEL32(?,00000000,00000000,0615A9B3,?,009CB110,000000FF), ref: 00991051

IsDebuggerPresent.KERNEL32(?,?,009DECF8), ref: 00992378
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,009DECF8), ref: 00992387

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00992382

Memory Dump Source

Source File: 00000014.00000002.17563678551.0000000000981000.00000020.00000001.01000000.00000010.sdmp, Offset: 00980000, based on PE: true

Associated: 00000014.00000002.17563642493.0000000000980000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.17563763650.00000000009CF000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.17563821675.00000000009E2000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.17563861708.00000000009E7000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_980000_MSIBD59.jbxd

Similarity

API ID: CriticalDebugDebuggerErrorInitializeLastOutputPresentSectionString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3511171328-631824599
Opcode ID: fe452466b3609992660429eeb1a1b603ec6da819e049aebf54973eadc3129393
Instruction ID: 8784aaecd2a777eed4a5b6f43f0c9572e820382f446e0c25446577ff7d68da37
Opcode Fuzzy Hash: fe452466b3609992660429eeb1a1b603ec6da819e049aebf54973eadc3129393
Instruction Fuzzy Hash: A6E09274604342CFE730AF28D515B467BE5AF41B05F00892CE842CB650D7B5D488CBA1

Function 00986D20 Relevance: 5.2, APIs: 4, Instructions: 198memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32(00000040,00000028,0615A9B3,?,00000000,?,?,?,009CBB00,000000FF,?,009864FE,00000000,?), ref: 00986DD4
LocalFree.KERNEL32(?,?,?,?,?,00000000,?,?,?,009CBB00,000000FF,?,009864FE,00000000), ref: 00986E8A
LocalFree.KERNEL32(?,0615A9B3,00000000,009CB110,000000FF,?,00000000,00000000,009CBB00,?,0615A9B3), ref: 00986F1D

Memory Dump Source

Source File: 00000014.00000002.17563678551.0000000000981000.00000020.00000001.01000000.00000010.sdmp, Offset: 00980000, based on PE: true

Associated: 00000014.00000002.17563642493.0000000000980000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.17563763650.00000000009CF000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.17563821675.00000000009E2000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.17563861708.00000000009E7000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_980000_MSIBD59.jbxd

Similarity

API ID: Local$Free$Alloc
String ID:
API String ID: 3098330729-0
Opcode ID: e1f480b02b14ea680edab56524e9f39f97f2b5007f7b9e8636749931600fcd24
Instruction ID: 520f0e2fd958b1896432fa2687a4f9c274bd3f8dfa19d2f24066b8bf76649d91
Opcode Fuzzy Hash: e1f480b02b14ea680edab56524e9f39f97f2b5007f7b9e8636749931600fcd24
Instruction Fuzzy Hash: 1751C5B5E102059FDB18DF68C895BAEBBB9FB48310F24462DE815EB380D735AD14CB90

Function 00984B00 Relevance: 5.2, APIs: 4, Instructions: 170memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32(00000040,80000022,?,?,?,00000000,?,?,00000000,?), ref: 00984B56
LocalAlloc.KERNEL32(00000040,7FFFFFFF,?,?,?,00000000,?,?,00000000,?), ref: 00984BA0
LocalFree.KERNEL32(7FFFFFFE,?,?,?,?,?,00000000,?,?,00000000,?), ref: 00984C22
LocalFree.KERNEL32(00000000,0615A9B3,00000000,00000000,Function_0004B020,000000FF,?,?,00000000,?,?,00000000,?), ref: 00984CAD

Memory Dump Source

Source File: 00000014.00000002.17563678551.0000000000981000.00000020.00000001.01000000.00000010.sdmp, Offset: 00980000, based on PE: true

Associated: 00000014.00000002.17563642493.0000000000980000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.17563763650.00000000009CF000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.17563821675.00000000009E2000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.17563861708.00000000009E7000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_980000_MSIBD59.jbxd

Similarity

API ID: Local$AllocFree
String ID:
API String ID: 2012307162-0
Opcode ID: 07555aa20d3bc67129130f256d54298da5f309bcd40c2dba27f6022888dc1184
Instruction ID: a3c7a2c2be0a37896cd350e57789c19f55624851d7e7170e34d6f0753459794b
Opcode Fuzzy Hash: 07555aa20d3bc67129130f256d54298da5f309bcd40c2dba27f6022888dc1184
Instruction Fuzzy Hash: D051D172A052169FC714EF28D881B6EB7E9EF89710F100A6EF855D7390EB30DD048B91

Function 009BD0AE Relevance: 5.1, APIs: 4, Instructions: 62COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,009BD268,?,009AE0E9,?,?,?,?,?,?,0098163C,?,?,00000020), ref: 009BD0B1
SetLastError.KERNEL32(00000000,000000FF,?,009AE0E9,?,?,?,?,?,?,0098163C,?,?,00000020), ref: 009BD0CB
SetLastError.KERNEL32(00000000,00000000,00000000,?,000000FF,?,009AE0E9,?,?,?,?,?,?,0098163C,?,?), ref: 009BD101

Memory Dump Source

Source File: 00000014.00000002.17563678551.0000000000981000.00000020.00000001.01000000.00000010.sdmp, Offset: 00980000, based on PE: true

Associated: 00000014.00000002.17563642493.0000000000980000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.17563763650.00000000009CF000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.17563821675.00000000009E2000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000014.00000002.17563861708.00000000009E7000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_980000_MSIBD59.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: afb2f7d274fd9a3b332e4e251e56eeb822c489de1a24e6d7f3889eef000a6326
Instruction ID: 810be09dc17d43f5852fbd9912639049a40c7d069fdb338e4b00e35a6e5f13c3
Opcode Fuzzy Hash: afb2f7d274fd9a3b332e4e251e56eeb822c489de1a24e6d7f3889eef000a6326
Instruction Fuzzy Hash: 0501247221D2087EE24137B4BECAEEF3A5EFFC17B4B100539FA05941A2EA944C026651

Analysis Process: onestart.exePID: 3236, Parent PID: 8756COMMON

Execution Graph

Execution Coverage:	2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	480
Total number of Limit Nodes:	23

Executed Functions

Function 00007FF637CED9F0 Relevance: 19.5, APIs: 8, Strings: 3, Instructions: 201
filelibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE ref: 00007FF637CEDB6A
GetLastError.KERNEL32 ref: 00007FF637CEDB78
SetLastError.KERNEL32 ref: 00007FF637CEDBA6
GetLastError.KERNEL32 ref: 00007FF637CEDC08
GetLastError.KERNEL32 ref: 00007FF637CEDC1A
GetModuleHandleW.KERNEL32 ref: 00007FF637CEDC83
GetProcAddress.KERNEL32 ref: 00007FF637CEDC93
SetLastError.KERNEL32 ref: 00007FF637CEDCC7

Strings

GetHandleVerifier, xrefs: 00007FF637CEDC89
DoInitialize, xrefs: 00007FF637CEDA3B
..\..\base\files\file_win.cc, xrefs: 00007FF637CEDA42

Memory Dump Source

Source File: 00000018.00000002.17583760031.00007FF637CE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF637CE0000, based on PE: true

Associated: 00000018.00000002.17583611620.00007FF637CE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584352488.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584438657.00007FF637F89000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584468751.00007FF637F8A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584519536.00007FF637F8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584558924.00007FF637F97000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584609328.00007FF637F98000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584646468.00007FF637FA3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584646468.00007FF637FB3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584750588.00007FF637FBA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584800002.00007FF637FBB000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584846015.00007FF637FBC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff637ce0000_onestart.jbxd

Similarity

API ID: ErrorLast$AddressCreateFileHandleModuleProc
String ID: ..\..\base\files\file_win.cc$DoInitialize$GetHandleVerifier
API String ID: 2959055312-1999724202
Opcode ID: 132140ac4411db25df7bae9cb9704bd6093d4c15e6dcec37d277072f7d5b13b5
Instruction ID: fbce1a01fe29d6ca242db43a8aa2a48a53fff5195802ee29aa2c15ac59e1ea6b
Opcode Fuzzy Hash: 132140ac4411db25df7bae9cb9704bd6093d4c15e6dcec37d277072f7d5b13b5
Instruction Fuzzy Hash: 7371F731B1C64A86FB348B15E466B7967A1BF85781F006438CE8E93BD1DE7DE181E340

Function 00007FF637D83760 Relevance: 7.8, APIs: 5, Instructions: 298
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

TryAcquireSRWLockExclusive.KERNEL32 ref: 00007FF637D83790

Memory Dump Source

Source File: 00000018.00000002.17583760031.00007FF637CE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF637CE0000, based on PE: true

Associated: 00000018.00000002.17583611620.00007FF637CE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584352488.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584438657.00007FF637F89000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584468751.00007FF637F8A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584519536.00007FF637F8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584558924.00007FF637F97000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584609328.00007FF637F98000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584646468.00007FF637FA3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584646468.00007FF637FB3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584750588.00007FF637FBA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584800002.00007FF637FBB000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584846015.00007FF637FBC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff637ce0000_onestart.jbxd

Similarity

API ID: AcquireExclusiveLock
String ID:
API String ID: 4021432409-0
Opcode ID: 5b214582d2e0ca93e1fd3aa2d753afc67d110d62a6097740f3594223f9a6c835
Instruction ID: e01934485454f70f12185ed30ab73ce3374b8784fc73d6721ea1b520453148f5
Opcode Fuzzy Hash: 5b214582d2e0ca93e1fd3aa2d753afc67d110d62a6097740f3594223f9a6c835
Instruction Fuzzy Hash: E1E1CF3290C6C1A2F7258B34E5053EA6BA0FB45794F045339DA9C83B92DF7DE196E340

Function 00007FF637D85FE0 Relevance: 7.7, APIs: 6, Instructions: 198
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualFree.KERNEL32(00000003,00001000,00000000,00000000,?,?,?), ref: 00007FF637D86052
VirtualFree.KERNEL32(00000003,00001000,00000000,00000000,?,?,?), ref: 00007FF637D860B6
VirtualFree.KERNEL32(00000003,00001000,00000000,00000000,?,?,?), ref: 00007FF637D8611A
VirtualFree.KERNEL32(00000003,00001000,00000000,00000000,?,?,?), ref: 00007FF637D861B3
VirtualAlloc.KERNEL32(?,?,?), ref: 00007FF637D861EF
GetLastError.KERNEL32(?,?,?), ref: 00007FF637D861FA

Part of subcall function 00007FF637D86280: VirtualAlloc.KERNELBASE(00001000,?,?,00001000,00007FF637D8602F,00000003,00001000,00000000,00000000,?,?,?), ref: 00007FF637D862B6

Memory Dump Source

Source File: 00000018.00000002.17583760031.00007FF637CE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF637CE0000, based on PE: true

Associated: 00000018.00000002.17583611620.00007FF637CE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584352488.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584438657.00007FF637F89000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584468751.00007FF637F8A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584519536.00007FF637F8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584558924.00007FF637F97000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584609328.00007FF637F98000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584646468.00007FF637FA3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584646468.00007FF637FB3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584750588.00007FF637FBA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584800002.00007FF637FBB000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584846015.00007FF637FBC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff637ce0000_onestart.jbxd

Similarity

API ID: Virtual$Free$Alloc$ErrorLast
String ID:
API String ID: 845348599-0
Opcode ID: 23c42437cb558c8f45a434e27b7ce2c542b0bda76d8071b49729d760e6415ba1
Instruction ID: 45273e1ca58d5bcea311909216ae4fac564363cd0bea22f98e283d3c03ac0da3
Opcode Fuzzy Hash: 23c42437cb558c8f45a434e27b7ce2c542b0bda76d8071b49729d760e6415ba1
Instruction Fuzzy Hash: E251B321F1D62A22FE658F62591173A5AC5BF45FE4F449B38DD0E83B92EE3CE005A701

Function 00007FF637D85970 Relevance: 4.7, APIs: 3, Instructions: 244
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualFree.KERNEL32 ref: 00007FF637D85BE2
GetLastError.KERNEL32 ref: 00007FF637D85BEC
ReleaseSRWLockExclusive.KERNEL32(?,?,?,?,?,?,00000000,?,00000000,00000040,?,00007FF637D82700), ref: 00007FF637D85C96

Memory Dump Source

Source File: 00000018.00000002.17583760031.00007FF637CE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF637CE0000, based on PE: true

Associated: 00000018.00000002.17583611620.00007FF637CE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584352488.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584438657.00007FF637F89000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584468751.00007FF637F8A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584519536.00007FF637F8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584558924.00007FF637F97000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584609328.00007FF637F98000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584646468.00007FF637FA3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584646468.00007FF637FB3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584750588.00007FF637FBA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584800002.00007FF637FBB000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584846015.00007FF637FBC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff637ce0000_onestart.jbxd

Similarity

API ID: ErrorExclusiveFreeLastLockReleaseVirtual
String ID:
API String ID: 2391256959-0
Opcode ID: 3cdc6b37fa0af4be967cb0dbbf1aa6dcda31302ed9a626db9fe87719e2359532
Instruction ID: 5edd7567b88ab68386ff365f7602cae10f005678de95c15e23033e2b6aa12b3d
Opcode Fuzzy Hash: 3cdc6b37fa0af4be967cb0dbbf1aa6dcda31302ed9a626db9fe87719e2359532
Instruction Fuzzy Hash: 3FA1E133B19A4192EB248B25E8907B977A1FB54BA0F184335EB6E877D4DF3CE1529700

Function 00007FF637CEEE02 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 140
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32 ref: 00007FF637CEEE89
LoadLibraryExW.KERNELBASE ref: 00007FF637CEEEE0
SetProcessShutdownParameters.KERNEL32 ref: 00007FF637CEEF02
GetProcAddress.KERNEL32 ref: 00007FF637CEEF16

Strings

ChromeMain, xrefs: 00007FF637CEEF0C
no-pre-read-main-dll, xrefs: 00007FF637CEEEAC
Failed to load Chrome DLL from , xrefs: 00007FF637CEF1AA
..\..\chrome\app\main_dll_loader_win.cc, xrefs: 00007FF637CEF182

Memory Dump Source

Source File: 00000018.00000002.17583760031.00007FF637CE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF637CE0000, based on PE: true

Associated: 00000018.00000002.17583611620.00007FF637CE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584352488.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584438657.00007FF637F89000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584468751.00007FF637F8A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584519536.00007FF637F8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584558924.00007FF637F97000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584609328.00007FF637F98000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584646468.00007FF637FA3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584646468.00007FF637FB3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584750588.00007FF637FBA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584800002.00007FF637FBB000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584846015.00007FF637FBC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff637ce0000_onestart.jbxd

Similarity

API ID: AddressCurrentDirectoryLibraryLoadParametersProcProcessShutdown
String ID: ..\..\chrome\app\main_dll_loader_win.cc$ChromeMain$Failed to load Chrome DLL from $no-pre-read-main-dll
API String ID: 4180520086-3232293009
Opcode ID: eb2c111123b06cace5519531e20671824854e88013ff618f176012683c69b179
Instruction ID: 2b013549f34adf030fb39041403ee614d9cc054af938d9805c89651127fe351a
Opcode Fuzzy Hash: eb2c111123b06cace5519531e20671824854e88013ff618f176012683c69b179
Instruction Fuzzy Hash: 5151B322A1CA8685FB619B15E0523BA6360FF85BD1F442135EE8DC7BD6DE3DE045E700

Function 00007FF637D86280 Relevance: 12.1, APIs: 8, Instructions: 76
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00001000,?,?,00001000,00007FF637D8602F,00000003,00001000,00000000,00000000,?,?,?), ref: 00007FF637D862B6
GetLastError.KERNEL32(?,?,?), ref: 00007FF637D862DD
TryAcquireSRWLockExclusive.KERNEL32(?,?,?), ref: 00007FF637D862F9
ReleaseSRWLockExclusive.KERNEL32(?,?,?), ref: 00007FF637D86316
VirtualAlloc.KERNEL32(?,?,?), ref: 00007FF637D8632A
GetLastError.KERNEL32(?,?,?), ref: 00007FF637D86338
TryAcquireSRWLockExclusive.KERNEL32(?,?,?,?,?,00001000,?,?,00001000,00007FF637D8602F,00000003,00001000,00000000,00000000,?,?), ref: 00007FF637D8635B
ReleaseSRWLockExclusive.KERNEL32(?,?,?,?,?,00001000,?,?,00001000,00007FF637D8602F,00000003,00001000,00000000,00000000,?,?), ref: 00007FF637D86378

Memory Dump Source

Source File: 00000018.00000002.17583760031.00007FF637CE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF637CE0000, based on PE: true

Associated: 00000018.00000002.17583611620.00007FF637CE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584352488.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584438657.00007FF637F89000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584468751.00007FF637F8A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584519536.00007FF637F8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584558924.00007FF637F97000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584609328.00007FF637F98000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584646468.00007FF637FA3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584646468.00007FF637FB3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584750588.00007FF637FBA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584800002.00007FF637FBB000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584846015.00007FF637FBC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff637ce0000_onestart.jbxd

Similarity

API ID: ExclusiveLock$AcquireAllocErrorLastReleaseVirtual
String ID:
API String ID: 527672694-0
Opcode ID: 3626b224d7427fe1439266081cbe69f1c37bdc642c3ea42db0df22a49eb87874
Instruction ID: c08a681b2172e2a4da8638c6c67bc59b95cd3dd52a8286e9e3a44072c4e1baab
Opcode Fuzzy Hash: 3626b224d7427fe1439266081cbe69f1c37bdc642c3ea42db0df22a49eb87874
Instruction Fuzzy Hash: CA214F25F1D917A5FA129F11EC5467423A4BF29BA0F840679DD0DC3B61EE2CA54AEB00

Function 00007FF637E9E1EC Relevance: 9.1, APIs: 6, Instructions: 57
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(?,?,AAAAAAAA,00007FF637E74A39,?,?,?,?,00007FF637DAF40D), ref: 00007FF637E9E1FB
FlsSetValue.KERNEL32(?,?,AAAAAAAA,00007FF637E74A39,?,?,?,?,00007FF637DAF40D), ref: 00007FF637E9E231
FlsSetValue.KERNEL32(?,?,AAAAAAAA,00007FF637E74A39,?,?,?,?,00007FF637DAF40D), ref: 00007FF637E9E25E
FlsSetValue.KERNEL32(?,?,AAAAAAAA,00007FF637E74A39,?,?,?,?,00007FF637DAF40D), ref: 00007FF637E9E26F
FlsSetValue.KERNEL32(?,?,AAAAAAAA,00007FF637E74A39,?,?,?,?,00007FF637DAF40D), ref: 00007FF637E9E280
SetLastError.KERNEL32(?,?,AAAAAAAA,00007FF637E74A39,?,?,?,?,00007FF637DAF40D), ref: 00007FF637E9E29B

Memory Dump Source

Source File: 00000018.00000002.17583760031.00007FF637CE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF637CE0000, based on PE: true

Associated: 00000018.00000002.17583611620.00007FF637CE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584352488.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584438657.00007FF637F89000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584468751.00007FF637F8A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584519536.00007FF637F8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584558924.00007FF637F97000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584609328.00007FF637F98000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584646468.00007FF637FA3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584646468.00007FF637FB3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584750588.00007FF637FBA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584800002.00007FF637FBB000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584846015.00007FF637FBC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff637ce0000_onestart.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: e2184aa32d3e308b7105779d8261cf23760c9d71d717e6bfbb86fe00580718cd
Instruction ID: 11dc3c9ee2e8407e617f06606bd91ec6633fbd7e6d75ff538bf3442a8a6a8aad
Opcode Fuzzy Hash: e2184aa32d3e308b7105779d8261cf23760c9d71d717e6bfbb86fe00580718cd
Instruction Fuzzy Hash: B011B423F0D24281FA64A772655597912826F5ABB0F104B38DA3EC7BD6DE6CF802A600

Function 00007FF637CE8D80 Relevance: 7.8, APIs: 5, Instructions: 321
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReleaseSRWLockExclusive.KERNEL32 ref: 00007FF637CE928C

Part of subcall function 00007FF637D853B0: TryAcquireSRWLockExclusive.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000180), ref: 00007FF637D85406

TryAcquireSRWLockExclusive.KERNEL32 ref: 00007FF637CE8FFA
ReleaseSRWLockExclusive.KERNEL32 ref: 00007FF637CE90B8
TryAcquireSRWLockExclusive.KERNEL32 ref: 00007FF637CE90F1
ReleaseSRWLockExclusive.KERNEL32 ref: 00007FF637CE91B1

Memory Dump Source

Source File: 00000018.00000002.17583760031.00007FF637CE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF637CE0000, based on PE: true

Associated: 00000018.00000002.17583611620.00007FF637CE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584352488.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584438657.00007FF637F89000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584468751.00007FF637F8A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584519536.00007FF637F8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584558924.00007FF637F97000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584609328.00007FF637F98000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584646468.00007FF637FA3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584646468.00007FF637FB3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584750588.00007FF637FBA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584800002.00007FF637FBB000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584846015.00007FF637FBC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff637ce0000_onestart.jbxd

Similarity

API ID: ExclusiveLock$AcquireRelease
String ID:
API String ID: 17069307-0
Opcode ID: a69af80289aea65d9a22181f9ab99cf6586442e5e7d685323f179ddc0e3f6bfa
Instruction ID: 98d22ebf715cfeefa2164b62334c8e11ce5465e2bf30c159439877b0e6e98ad2
Opcode Fuzzy Hash: a69af80289aea65d9a22181f9ab99cf6586442e5e7d685323f179ddc0e3f6bfa
Instruction Fuzzy Hash: 5DE1CC32A0CA8A8AEB54CB15E8493697BB1FB48BC4F455135DE9E83B94DF3CE545E300

Function 00007FF637CE1000 Relevance: 7.8, APIs: 5, Instructions: 298
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReleaseSRWLockExclusive.KERNEL32 ref: 00007FF637CE14BB

Part of subcall function 00007FF637D853B0: TryAcquireSRWLockExclusive.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000180), ref: 00007FF637D85406

TryAcquireSRWLockExclusive.KERNEL32 ref: 00007FF637CE1252
ReleaseSRWLockExclusive.KERNEL32 ref: 00007FF637CE1310
TryAcquireSRWLockExclusive.KERNEL32 ref: 00007FF637CE1349
ReleaseSRWLockExclusive.KERNEL32 ref: 00007FF637CE1400

Memory Dump Source

Source File: 00000018.00000002.17583760031.00007FF637CE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF637CE0000, based on PE: true

Associated: 00000018.00000002.17583611620.00007FF637CE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584352488.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584438657.00007FF637F89000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584468751.00007FF637F8A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584519536.00007FF637F8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584558924.00007FF637F97000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584609328.00007FF637F98000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584646468.00007FF637FA3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584646468.00007FF637FB3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584750588.00007FF637FBA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584800002.00007FF637FBB000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584846015.00007FF637FBC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff637ce0000_onestart.jbxd

Similarity

API ID: ExclusiveLock$AcquireRelease
String ID:
API String ID: 17069307-0
Opcode ID: c3febf1562e0a50fbd3d270bfef042b64e2550d123cac26163681a97a487f860
Instruction ID: 9a384a3cb446737c9be436d81765fddce043957d60e82eee419caa8c8ee5a847
Opcode Fuzzy Hash: c3febf1562e0a50fbd3d270bfef042b64e2550d123cac26163681a97a487f860
Instruction Fuzzy Hash: 71D1AB32A0CA8A8AEB54CB15E84536A77B1FB48BC4F454135DE5E83B94EF3CE555E300

Function 00007FF637D1EFA0 Relevance: 4.6, APIs: 3, Instructions: 107
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

TryAcquireSRWLockExclusive.KERNEL32(00000008,?,00000000,00007FF637E2AA16,?,?,?,?,?,?,?,?,?,?,00007FF637E2A889), ref: 00007FF637D1F03A
ReleaseSRWLockExclusive.KERNEL32(?,?,?,?,?,?,?,?,?,?,00007FF637E2A889,?,?,0000000100000000,?,00007FF637D12BB0), ref: 00007FF637D1F061

Part of subcall function 00007FF637E74AF4: AcquireSRWLockExclusive.KERNEL32(?,?,00000180,00007FF637DA053E,?,?,?,?,?,?,?,?,00007FF637F9C700,00007FF637D841D5), ref: 00007FF637E74B04

Part of subcall function 00007FF637E74A88: AcquireSRWLockExclusive.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00007FF637F9C700,00007FF637D841D5), ref: 00007FF637E74A98
Part of subcall function 00007FF637E74A88: ReleaseSRWLockExclusive.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00007FF637F9C700,00007FF637D841D5), ref: 00007FF637E74AD8

AcquireSRWLockExclusive.KERNEL32(?,?,?,?,?,?,?,?,?,?,00007FF637E2A889,?,?,0000000100000000,?,00007FF637D12BB0), ref: 00007FF637D1F159

Memory Dump Source

Source File: 00000018.00000002.17583760031.00007FF637CE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF637CE0000, based on PE: true

Associated: 00000018.00000002.17583611620.00007FF637CE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584352488.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584438657.00007FF637F89000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584468751.00007FF637F8A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584519536.00007FF637F8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584558924.00007FF637F97000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584609328.00007FF637F98000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584646468.00007FF637FA3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584646468.00007FF637FB3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584750588.00007FF637FBA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584800002.00007FF637FBB000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584846015.00007FF637FBC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff637ce0000_onestart.jbxd

Similarity

API ID: ExclusiveLock$Acquire$Release
String ID:
API String ID: 1678258262-0
Opcode ID: 9e30dd371fde1d4c07e9a8ac295c88cc2304cd148743aac9e62b2d47b6ed8de2
Instruction ID: 5fe23a0a2cb99814bae82006c259473e7faaa4e80c656c2ccfaa4fcf01a2ad74
Opcode Fuzzy Hash: 9e30dd371fde1d4c07e9a8ac295c88cc2304cd148743aac9e62b2d47b6ed8de2
Instruction Fuzzy Hash: AA412922A0EA43C5EA919F15E95137923A0BF55B90F415335CA9DC77A2DF3CB482E700

Function 00007FF637D85CF0 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 77
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualFree.KERNELBASE ref: 00007FF637D85DA3
GetLastError.KERNEL32 ref: 00007FF637D85DAD

Strings

bitset reset argument out of range, xrefs: 00007FF637D8674F

Memory Dump Source

Source File: 00000018.00000002.17583760031.00007FF637CE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF637CE0000, based on PE: true

Associated: 00000018.00000002.17583611620.00007FF637CE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584352488.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584438657.00007FF637F89000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584468751.00007FF637F8A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584519536.00007FF637F8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584558924.00007FF637F97000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584609328.00007FF637F98000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584646468.00007FF637FA3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584646468.00007FF637FB3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584750588.00007FF637FBA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584800002.00007FF637FBB000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584846015.00007FF637FBC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff637ce0000_onestart.jbxd

Similarity

API ID: ErrorFreeLastVirtual
String ID: bitset reset argument out of range
API String ID: 499627090-1934458321
Opcode ID: b343b4b7214d2f290d4a94dc44dc19c41d953008791fd316fc25176f6ddea1b7
Instruction ID: 420b156955bc6ee58a61bb0e01ace8c9fe28ed6552e72e67b5da5b98fa37c8c0
Opcode Fuzzy Hash: b343b4b7214d2f290d4a94dc44dc19c41d953008791fd316fc25176f6ddea1b7
Instruction Fuzzy Hash: 6321D473A1890593E7244B36A9147B932A5FB547B1F184735EB3A877D4EF3CE1629300

Function 00007FF637CEF40D Relevance: 3.0, APIs: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF637CEF479
PrefetchVirtualMemory.KERNEL32 ref: 00007FF637CEF48D

Memory Dump Source

Source File: 00000018.00000002.17583760031.00007FF637CE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF637CE0000, based on PE: true

Associated: 00000018.00000002.17583611620.00007FF637CE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584352488.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584438657.00007FF637F89000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584468751.00007FF637F8A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584519536.00007FF637F8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584558924.00007FF637F97000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584609328.00007FF637F98000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584646468.00007FF637FA3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584646468.00007FF637FB3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584750588.00007FF637FBA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584800002.00007FF637FBB000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584846015.00007FF637FBC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff637ce0000_onestart.jbxd

Similarity

API ID: CurrentMemoryPrefetchProcessVirtual
String ID:
API String ID: 3768025762-0
Opcode ID: 7b32f26a6f75184eaa581a0ec6ecde3a1c77d3bb364746b3d1f4a2fc705bdf73
Instruction ID: f1f1447ffc3f8a178adeeb4655a57d89cd81b7a87485fcfa6e3d1054222e7e8a
Opcode Fuzzy Hash: 7b32f26a6f75184eaa581a0ec6ecde3a1c77d3bb364746b3d1f4a2fc705bdf73
Instruction Fuzzy Hash: C2018422B1CA5682EB50AB25F95537A63A0FF84BC4F405035EA8EC3F55DE2CE446A740

Function 00007FF637CE1528 Relevance: 1.7, APIs: 1, Instructions: 213
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

TryAcquireSRWLockExclusive.KERNEL32 ref: 00007FF637CE1718

Part of subcall function 00007FF637D00C90: TryAcquireSRWLockExclusive.KERNEL32(00000000,00000040,?,00007FF637D837D6), ref: 00007FF637D00CB3

Memory Dump Source

Source File: 00000018.00000002.17583760031.00007FF637CE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF637CE0000, based on PE: true

Associated: 00000018.00000002.17583611620.00007FF637CE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584352488.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584438657.00007FF637F89000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584468751.00007FF637F8A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584519536.00007FF637F8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584558924.00007FF637F97000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584609328.00007FF637F98000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584646468.00007FF637FA3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584646468.00007FF637FB3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584750588.00007FF637FBA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584800002.00007FF637FBB000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584846015.00007FF637FBC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff637ce0000_onestart.jbxd

Similarity

API ID: AcquireExclusiveLock
String ID:
API String ID: 4021432409-0
Opcode ID: ce130c40fd991c36bfd1cab230077e4c9bf9c07d3af0550505134d5a904bff10
Instruction ID: 549743a48bd12ef4a04d6d3897b4bb3e8870cff582b0c95f91f564a942396dd7
Opcode Fuzzy Hash: ce130c40fd991c36bfd1cab230077e4c9bf9c07d3af0550505134d5a904bff10
Instruction Fuzzy Hash: DF91A132A0CA4A87EB18CF29D4552B863B1FB45B95F445235DE5E837A0DF3CE992E340

Function 00007FF637CEF310 Relevance: 1.3, APIs: 1, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 00007FF637CEF38A

Part of subcall function 00007FF637CED9F0: CreateFileW.KERNELBASE ref: 00007FF637CEDB6A

Memory Dump Source

Source File: 00000018.00000002.17583760031.00007FF637CE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF637CE0000, based on PE: true

Associated: 00000018.00000002.17583611620.00007FF637CE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584352488.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584438657.00007FF637F89000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584468751.00007FF637F8A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584519536.00007FF637F8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584558924.00007FF637F97000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584609328.00007FF637F98000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584646468.00007FF637FA3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584646468.00007FF637FB3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584750588.00007FF637FBA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584800002.00007FF637FBB000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584846015.00007FF637FBC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff637ce0000_onestart.jbxd

Similarity

API ID: CreateErrorFileLast
String ID:
API String ID: 1214770103-0
Opcode ID: a33337d7b44fe2b0f4ab104502783962a5ae73f19fb2e18fc71c096e34a657ba
Instruction ID: 94c8e8a0aae7b0971c9862f8ded6546500002c0ca178e8a55a05cf50c635ef93
Opcode Fuzzy Hash: a33337d7b44fe2b0f4ab104502783962a5ae73f19fb2e18fc71c096e34a657ba
Instruction Fuzzy Hash: 6EF0A43262C68645FA54DB12AC1677E63E4BB89BD1F815134EE8D87B91CE3CD002EB00

Non-executed Functions

Function 00007FF637CECA50 Relevance: 30.4, APIs: 20, Instructions: 432threadCOMMON

Download Yara Rule

APIs

TryAcquireSRWLockExclusive.KERNEL32 ref: 00007FF637CECB64
ReleaseSRWLockExclusive.KERNEL32 ref: 00007FF637CECC36
GetCurrentThreadId.KERNEL32 ref: 00007FF637CECE59
GetCurrentThreadId.KERNEL32 ref: 00007FF637CECE72
GetCurrentThreadId.KERNEL32 ref: 00007FF637CECE89
AcquireSRWLockExclusive.KERNEL32 ref: 00007FF637CECEA3
GetCurrentThreadId.KERNEL32 ref: 00007FF637CECEC9
GetCurrentThreadId.KERNEL32 ref: 00007FF637CECEDA
GetCurrentThreadId.KERNEL32 ref: 00007FF637CECEEB
GetCurrentThreadId.KERNEL32 ref: 00007FF637CECEFC
GetCurrentThreadId.KERNEL32 ref: 00007FF637CECF0D
GetCurrentThreadId.KERNEL32 ref: 00007FF637CECF1E
GetCurrentThreadId.KERNEL32 ref: 00007FF637CECF2F
GetCurrentThreadId.KERNEL32 ref: 00007FF637CECF40
GetCurrentThreadId.KERNEL32 ref: 00007FF637CECF51
GetCurrentThreadId.KERNEL32 ref: 00007FF637CECF68
GetCurrentThreadId.KERNEL32 ref: 00007FF637CECF79
GetCurrentThreadId.KERNEL32 ref: 00007FF637CECF90
GetCurrentThreadId.KERNEL32 ref: 00007FF637CECFB6
GetCurrentThreadId.KERNEL32 ref: 00007FF637CED011

Memory Dump Source

Source File: 00000018.00000002.17583760031.00007FF637CE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF637CE0000, based on PE: true

Associated: 00000018.00000002.17583611620.00007FF637CE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584352488.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584438657.00007FF637F89000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584468751.00007FF637F8A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584519536.00007FF637F8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584558924.00007FF637F97000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584609328.00007FF637F98000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584646468.00007FF637FA3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584646468.00007FF637FB3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584750588.00007FF637FBA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584800002.00007FF637FBB000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584846015.00007FF637FBC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff637ce0000_onestart.jbxd

Similarity

API ID: CurrentThread$ExclusiveLock$Acquire$Release
String ID:
API String ID: 1097530104-0
Opcode ID: 47e289bcbded7041426487531910301e024ed60df2df424c2d7c26e91ed319a6
Instruction ID: fae9fd152cf35df90e50ed9760c2f204259d7c5baa5676d8f966bbdcacae31c8
Opcode Fuzzy Hash: 47e289bcbded7041426487531910301e024ed60df2df424c2d7c26e91ed319a6
Instruction Fuzzy Hash: D5F1A032A0C68A8AE7748B25D4816B973F1FB54B85F146435DA5E87B90EF3CEC81E340

Function 00007FF637CF4760 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 200fileCOMMON

Download Yara Rule

APIs

CreateFileMappingW.KERNEL32 ref: 00007FF637CF4836
GetLastError.KERNEL32 ref: 00007FF637CF4845
SetLastError.KERNEL32 ref: 00007FF637CF4875
MapViewOfFile.KERNEL32 ref: 00007FF637CF48C5

Strings

GetHandleVerifier, xrefs: 00007FF637CF4B56
..\..\base\files\memory_mapped_file_win.cc, xrefs: 00007FF637CF47B8
ScopedBlockingCall, xrefs: 00007FF637CF4B9E, 00007FF637CF4C00
MapFileRegionToMemory, xrefs: 00007FF637CF47B1

Memory Dump Source

Source File: 00000018.00000002.17583760031.00007FF637CE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF637CE0000, based on PE: true

Associated: 00000018.00000002.17583611620.00007FF637CE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584352488.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584438657.00007FF637F89000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584468751.00007FF637F8A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584519536.00007FF637F8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584558924.00007FF637F97000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584609328.00007FF637F98000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584646468.00007FF637FA3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584646468.00007FF637FB3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584750588.00007FF637FBA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584800002.00007FF637FBB000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584846015.00007FF637FBC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff637ce0000_onestart.jbxd

Similarity

API ID: ErrorFileLast$CreateMappingView
String ID: ..\..\base\files\memory_mapped_file_win.cc$GetHandleVerifier$MapFileRegionToMemory$ScopedBlockingCall
API String ID: 2231327692-664693454
Opcode ID: 240ab5fc492904e04395b2cb12634975f7cf7eda08ef7f95a3922901c86d9b5c
Instruction ID: 8c21d07bf6919f8643b73a442b773501996f7238bb61f212b948182759b8adbf
Opcode Fuzzy Hash: 240ab5fc492904e04395b2cb12634975f7cf7eda08ef7f95a3922901c86d9b5c
Instruction Fuzzy Hash: F5819C21A1DA8686FB248B25E4457BA63B1FF84B84F405535CE8E937A5DF3CE245E300

Function 00007FF637D44790 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 118filelibraryloaderCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32 ref: 00007FF637D4481E
CreateFileW.KERNEL32 ref: 00007FF637D4486C
GetLastError.KERNEL32 ref: 00007FF637D4487A
SetLastError.KERNEL32 ref: 00007FF637D44892
GetModuleHandleW.KERNEL32 ref: 00007FF637D448FB
GetProcAddress.KERNEL32 ref: 00007FF637D4490B

Strings

PathHasAccess, xrefs: 00007FF637D447CA
GetHandleVerifier, xrefs: 00007FF637D44901
..\..\base\files\file_util_win.cc, xrefs: 00007FF637D447D1
ScopedBlockingCall, xrefs: 00007FF637D4494C

Memory Dump Source

Source File: 00000018.00000002.17583760031.00007FF637CE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF637CE0000, based on PE: true

Associated: 00000018.00000002.17583611620.00007FF637CE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584352488.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584438657.00007FF637F89000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584468751.00007FF637F8A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584519536.00007FF637F8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584558924.00007FF637F97000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584609328.00007FF637F98000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584646468.00007FF637FA3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584646468.00007FF637FB3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584750588.00007FF637FBA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584800002.00007FF637FBB000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584846015.00007FF637FBC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff637ce0000_onestart.jbxd

Similarity

API ID: ErrorFileLast$AddressAttributesCreateHandleModuleProc
String ID: ..\..\base\files\file_util_win.cc$GetHandleVerifier$PathHasAccess$ScopedBlockingCall
API String ID: 1741195932-2304908607
Opcode ID: d8ec84778e3d3eda416782f5cf2a8ec84c370d57f9b2cd74c909e3c73aaacec5
Instruction ID: 8f0264d032ecd3416eafc55c7641e24da9d3669775078b7cf4c1da84a3771994
Opcode Fuzzy Hash: d8ec84778e3d3eda416782f5cf2a8ec84c370d57f9b2cd74c909e3c73aaacec5
Instruction Fuzzy Hash: 4B519C21A0CA8681FF249B25E8557BA63A1FF84B94F444339D94E877A4DF3CE586F700

Function 00007FF637E07F00 Relevance: 14.5, APIs: 3, Strings: 5, Instructions: 478COMMON

Download Yara Rule

APIs

TryAcquireSRWLockExclusive.KERNEL32 ref: 00007FF637E07F40
ReleaseSRWLockExclusive.KERNEL32 ref: 00007FF637E080D2
AcquireSRWLockExclusive.KERNEL32 ref: 00007FF637E083BF

Strings

33333333, xrefs: 00007FF637E084EA
UUUUUUUU, xrefs: 00007FF637E084D7
UUUUUUUU, xrefs: 00007FF637E07FB2
Scheduling.ThreadController.ActiveIntervalOnCpuPercentage, xrefs: 00007FF637E07F04
33333333, xrefs: 00007FF637E07FC5

Memory Dump Source

Source File: 00000018.00000002.17583760031.00007FF637CE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF637CE0000, based on PE: true

Associated: 00000018.00000002.17583611620.00007FF637CE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584352488.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584438657.00007FF637F89000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584468751.00007FF637F8A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584519536.00007FF637F8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584558924.00007FF637F97000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584609328.00007FF637F98000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584646468.00007FF637FA3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584646468.00007FF637FB3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584750588.00007FF637FBA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584800002.00007FF637FBB000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584846015.00007FF637FBC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff637ce0000_onestart.jbxd

Similarity

API ID: ExclusiveLock$Acquire$Release
String ID: 33333333$33333333$Scheduling.ThreadController.ActiveIntervalOnCpuPercentage$UUUUUUUU$UUUUUUUU
API String ID: 1678258262-1376886642
Opcode ID: 6523680ce9af97afe002f2af579ad397d0b43a040381b9b4a5f8365331b5b09f
Instruction ID: 2352ffaa1559730ddeb015334a09eed87cabc9147fd9b36bd6bb558ba337d3e3
Opcode Fuzzy Hash: 6523680ce9af97afe002f2af579ad397d0b43a040381b9b4a5f8365331b5b09f
Instruction Fuzzy Hash: 86020F61B1EB4A81EE648B27E4113796391BF99BD0F488636DA4ED77D1DE3CE441B300

Function 00007FF637E1E530 Relevance: 10.9, APIs: 3, Strings: 3, Instructions: 393COMMON

Download Yara Rule

APIs

TryAcquireSRWLockExclusive.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,7FFFFFFFFFFFFFFF), ref: 00007FF637E1E6D8
ReleaseSRWLockExclusive.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,7FFFFFFFFFFFFFFF), ref: 00007FF637E1E7CA

Strings

Histogram.TooManyBuckets.1000, xrefs: 00007FF637E1E53B
33333333, xrefs: 00007FF637E1E730
UUUUUUUU, xrefs: 00007FF637E1E71D

Memory Dump Source

Source File: 00000018.00000002.17583760031.00007FF637CE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF637CE0000, based on PE: true

Associated: 00000018.00000002.17583611620.00007FF637CE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584352488.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584438657.00007FF637F89000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584468751.00007FF637F8A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584519536.00007FF637F8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584558924.00007FF637F97000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584609328.00007FF637F98000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584646468.00007FF637FA3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584646468.00007FF637FB3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584750588.00007FF637FBA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584800002.00007FF637FBB000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584846015.00007FF637FBC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff637ce0000_onestart.jbxd

Similarity

API ID: ExclusiveLock$AcquireRelease
String ID: 33333333$Histogram.TooManyBuckets.1000$UUUUUUUU
API String ID: 17069307-2370641061
Opcode ID: 6b1c094e08c9c241a2501ba40865f6970006ad1a61234e64fa4b953b83aa7eb7
Instruction ID: de3e6caf15bd2137b98619c1715a201e77f19ac54e81f52f3f5fc0c0f4c0d2dd
Opcode Fuzzy Hash: 6b1c094e08c9c241a2501ba40865f6970006ad1a61234e64fa4b953b83aa7eb7
Instruction Fuzzy Hash: D6F1F132E2D68682FA64CB15D002779A391FF55B96F948135F90E87BD0CF3CE482A701

Function 00007FF637DA1470 Relevance: 10.8, APIs: 7, Instructions: 285memoryCOMMON

Download Yara Rule

APIs

ReleaseSRWLockExclusive.KERNEL32(00000000,00000048,?,?,?,00000000,00007FF637DA10A9), ref: 00007FF637DA14A1
VirtualAlloc.KERNEL32 ref: 00007FF637DA170A
TryAcquireSRWLockExclusive.KERNEL32 ref: 00007FF637DA17A6

Part of subcall function 00007FF637D00C90: TryAcquireSRWLockExclusive.KERNEL32(00000000,00000040,?,00007FF637D837D6), ref: 00007FF637D00CB3

TryAcquireSRWLockExclusive.KERNEL32 ref: 00007FF637DA180C
ReleaseSRWLockExclusive.KERNEL32 ref: 00007FF637DA182D
VirtualAlloc.KERNEL32 ref: 00007FF637DA1845
ReleaseSRWLockExclusive.KERNEL32(00000000,00000048,?,?,?,00000000,00007FF637DA10A9), ref: 00007FF637DA18A6

Memory Dump Source

Source File: 00000018.00000002.17583760031.00007FF637CE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF637CE0000, based on PE: true

Associated: 00000018.00000002.17583611620.00007FF637CE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584352488.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584438657.00007FF637F89000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584468751.00007FF637F8A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584519536.00007FF637F8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584558924.00007FF637F97000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584609328.00007FF637F98000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584646468.00007FF637FA3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584646468.00007FF637FB3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584750588.00007FF637FBA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584800002.00007FF637FBB000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584846015.00007FF637FBC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff637ce0000_onestart.jbxd

Similarity

API ID: ExclusiveLock$AcquireRelease$AllocVirtual
String ID:
API String ID: 2092370432-0
Opcode ID: c234175e6059c1995b437abe29bca08c0ff33d067578b7a8f6e271d9d955830f
Instruction ID: e12335c3c2778dfaf783b7a77ea21ab9e1be43b581b763f5daf03c63baaf2ff1
Opcode Fuzzy Hash: c234175e6059c1995b437abe29bca08c0ff33d067578b7a8f6e271d9d955830f
Instruction Fuzzy Hash: ACB10422A0CB8696FB608B25E8103BA27A0FB45B94F444735DE9E877D5DF3DE245E340

Function 00007FF637EA3C5C Relevance: 9.2, APIs: 6, Instructions: 171COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF637E9E074: GetLastError.KERNEL32 ref: 00007FF637E9E083
Part of subcall function 00007FF637E9E074: FlsGetValue.KERNEL32 ref: 00007FF637E9E098
Part of subcall function 00007FF637E9E074: SetLastError.KERNEL32 ref: 00007FF637E9E123

Part of subcall function 00007FF637E9E074: FlsSetValue.KERNEL32 ref: 00007FF637E9E0B9

GetUserDefaultLCID.KERNEL32(?,00000000,00000092,?), ref: 00007FF637EA3DCC

Part of subcall function 00007FF637E9E074: FlsSetValue.KERNEL32 ref: 00007FF637E9E0E6
Part of subcall function 00007FF637E9E074: FlsSetValue.KERNEL32 ref: 00007FF637E9E0F7
Part of subcall function 00007FF637E9E074: FlsSetValue.KERNEL32 ref: 00007FF637E9E108

EnumSystemLocalesW.KERNEL32(?,00000000,00000092,?,?,00000000,?,00007FF637E89591), ref: 00007FF637EA3DB3
IsValidCodePage.KERNEL32 ref: 00007FF637EA3E08
IsValidLocale.KERNEL32 ref: 00007FF637EA3E1E
GetLocaleInfoW.KERNEL32 ref: 00007FF637EA3E7A
GetLocaleInfoW.KERNEL32 ref: 00007FF637EA3E96

Memory Dump Source

Source File: 00000018.00000002.17583760031.00007FF637CE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF637CE0000, based on PE: true

Associated: 00000018.00000002.17583611620.00007FF637CE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584352488.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584438657.00007FF637F89000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584468751.00007FF637F8A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584519536.00007FF637F8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584558924.00007FF637F97000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584609328.00007FF637F98000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584646468.00007FF637FA3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584646468.00007FF637FB3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584750588.00007FF637FBA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584800002.00007FF637FBB000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584846015.00007FF637FBC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff637ce0000_onestart.jbxd

Similarity

API ID: Value$Locale$ErrorInfoLastValid$CodeDefaultEnumLocalesPageSystemUser
String ID:
API String ID: 1706690794-0
Opcode ID: feda12f3b2b42233492b62ffc7dd6ae587e71e8b6092de7059f4c9b422176a4e
Instruction ID: 021cb96dba64928cc7b7560f7d18308bfe5509cad8e85175a5e587a9bde04afb
Opcode Fuzzy Hash: feda12f3b2b42233492b62ffc7dd6ae587e71e8b6092de7059f4c9b422176a4e
Instruction Fuzzy Hash: 64715522B1C7428AEB919F65D8406B923B0BF48B88F44853ACE1DD7795EF3CE845E350

Function 00007FF637EA047C Relevance: 9.1, APIs: 6, Instructions: 83COMMON

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF637EA04F5
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF637EA050D
RtlVirtualUnwind.KERNEL32 ref: 00007FF637EA0548
IsDebuggerPresent.KERNEL32 ref: 00007FF637EA0581
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF637EA058B
UnhandledExceptionFilter.KERNEL32 ref: 00007FF637EA0596

Memory Dump Source

Source File: 00000018.00000002.17583760031.00007FF637CE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF637CE0000, based on PE: true

Associated: 00000018.00000002.17583611620.00007FF637CE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584352488.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584438657.00007FF637F89000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584468751.00007FF637F8A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584519536.00007FF637F8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584558924.00007FF637F97000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584609328.00007FF637F98000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584646468.00007FF637FA3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584646468.00007FF637FB3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584750588.00007FF637FBA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584800002.00007FF637FBB000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584846015.00007FF637FBC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff637ce0000_onestart.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 12ab464c95b0a98dc3a5704dc8e43b147c88c491596fb506dedf72610804018b
Instruction ID: 3f9628a759e937596d4bbf21418c3a300f2522ccedd483211d119eaa910db685
Opcode Fuzzy Hash: 12ab464c95b0a98dc3a5704dc8e43b147c88c491596fb506dedf72610804018b
Instruction Fuzzy Hash: BB31503261CB8186DB60CF25E8402AE77B4FB89798F54013AEA9D83B95EF3CD145CB40

Function 00007FF637EA4508 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 50COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,?,?,?,?,?,?,00007FF637EA3DFB), ref: 00007FF637EA455D
GetLocaleInfoW.KERNEL32(?,?,?,?,?,?,?,00007FF637EA3DFB), ref: 00007FF637EA458A
GetACP.KERNEL32(?,?,?,?,?,?,?,00007FF637EA3DFB), ref: 00007FF637EA45A0

Strings

ACP, xrefs: 00007FF637EA4529
OCP, xrefs: 00007FF637EA4539

Memory Dump Source

Source File: 00000018.00000002.17583760031.00007FF637CE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF637CE0000, based on PE: true

Associated: 00000018.00000002.17583611620.00007FF637CE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584352488.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584438657.00007FF637F89000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584468751.00007FF637F8A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584519536.00007FF637F8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584558924.00007FF637F97000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584609328.00007FF637F98000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584646468.00007FF637FA3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584646468.00007FF637FB3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584750588.00007FF637FBA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584800002.00007FF637FBB000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584846015.00007FF637FBC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff637ce0000_onestart.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: fa4f59abeb990ad3f6c5f9417afaa25fdd72842b6011447266c7811ef31bded6
Instruction ID: 66609362d588a11689de61bf0320ce55495ca7f8f64af8de597abdba73ae539d
Opcode Fuzzy Hash: fa4f59abeb990ad3f6c5f9417afaa25fdd72842b6011447266c7811ef31bded6
Instruction Fuzzy Hash: B1115E22A1C68387FEA4DB16A54097A63B0BF45B84F545435EE4EC3785EF2CE941E740

Function 00007FF637E31BB0 Relevance: 4.6, APIs: 3, Instructions: 75COMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32 ref: 00007FF637E31C4D
GetProductInfo.KERNEL32 ref: 00007FF637E31C6F

Part of subcall function 00007FF637E74AF4: AcquireSRWLockExclusive.KERNEL32(?,?,00000180,00007FF637DA053E,?,?,?,?,?,?,?,?,00007FF637F9C700,00007FF637D841D5), ref: 00007FF637E74B04

GetNativeSystemInfo.KERNEL32 ref: 00007FF637E31D08

Memory Dump Source

Source File: 00000018.00000002.17583760031.00007FF637CE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF637CE0000, based on PE: true

Associated: 00000018.00000002.17583611620.00007FF637CE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584352488.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584438657.00007FF637F89000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584468751.00007FF637F8A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584519536.00007FF637F8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584558924.00007FF637F97000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584609328.00007FF637F98000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584646468.00007FF637FA3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584646468.00007FF637FB3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584750588.00007FF637FBA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584800002.00007FF637FBB000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584846015.00007FF637FBC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff637ce0000_onestart.jbxd

Similarity

API ID: Info$AcquireExclusiveLockNativeProductSystemVersion
String ID:
API String ID: 2776475993-0
Opcode ID: f6ac2f07177ef4b4255cf3544c967aab32a283c48cd91987b3685125b8851bc6
Instruction ID: 65707fa604170195740a6803fc996538f3f33359c195367a8ee1a0b898720f91
Opcode Fuzzy Hash: f6ac2f07177ef4b4255cf3544c967aab32a283c48cd91987b3685125b8851bc6
Instruction Fuzzy Hash: 45414C35A1CA8682F750DF19E9906B93360FB95B50F404239DA4D937A1DF3CF486EB40

Function 00007FF637E3EB60 Relevance: 19.6, APIs: 6, Strings: 5, Instructions: 355synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32 ref: 00007FF637E3EC43
QueryPerformanceCounter.KERNEL32 ref: 00007FF637E3ECD4
TryAcquireSRWLockExclusive.KERNEL32 ref: 00007FF637E3EEFB
QueryPerformanceCounter.KERNEL32 ref: 00007FF637E3EF32
ReleaseSRWLockExclusive.KERNEL32 ref: 00007FF637E3EF99
AcquireSRWLockExclusive.KERNEL32 ref: 00007FF637E3F040

Strings

..\..\base\synchronization\waitable_event.cc, xrefs: 00007FF637E3ED64
enable-background-thread-pool, xrefs: 00007FF637E3F07A
TimedWait, xrefs: 00007FF637E3ED5D
ScopedBlockingCallWithBaseSyncPrimitives, xrefs: 00007FF637E3F114
WaitableEvent::Wait Complete, xrefs: 00007FF637E3F147

Memory Dump Source

Source File: 00000018.00000002.17583760031.00007FF637CE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF637CE0000, based on PE: true

Associated: 00000018.00000002.17583611620.00007FF637CE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584352488.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584438657.00007FF637F89000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584468751.00007FF637F8A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584519536.00007FF637F8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584558924.00007FF637F97000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584609328.00007FF637F98000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584646468.00007FF637FA3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584646468.00007FF637FB3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584750588.00007FF637FBA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584800002.00007FF637FBB000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584846015.00007FF637FBC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff637ce0000_onestart.jbxd

Similarity

API ID: ExclusiveLock$AcquireCounterPerformanceQuery$ObjectReleaseSingleWait
String ID: ..\..\base\synchronization\waitable_event.cc$ScopedBlockingCallWithBaseSyncPrimitives$TimedWait$WaitableEvent::Wait Complete$enable-background-thread-pool
API String ID: 822189532-807259769
Opcode ID: da4fbd747c4b809cc071e2e5bb37686ba419c65468ba25c8601ebda8ecb0dd64
Instruction ID: 4decfe4492138044e6a4c284ec310e5e4d800e42957c69871484d7a8b2a3291d
Opcode Fuzzy Hash: da4fbd747c4b809cc071e2e5bb37686ba419c65468ba25c8601ebda8ecb0dd64
Instruction Fuzzy Hash: C6F19D21A0CB8685FB60CB15E8503B967A4FF95B94F444136DA8D873B5DF7CE485EB00

Function 00007FF637E2ABE0 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 284COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF637E2AC3F
SetLastError.KERNEL32 ref: 00007FF637E2AC49
SetLastError.KERNEL32 ref: 00007FF637E2AC5D
TryAcquireSRWLockExclusive.KERNEL32 ref: 00007FF637E2AD22
ReleaseSRWLockExclusive.KERNEL32 ref: 00007FF637E2AD85
QueryPerformanceCounter.KERNEL32 ref: 00007FF637E2ADB6
AcquireSRWLockExclusive.KERNEL32 ref: 00007FF637E2AE69
TryAcquireSRWLockExclusive.KERNEL32 ref: 00007FF637E2AF82
ReleaseSRWLockExclusive.KERNEL32 ref: 00007FF637E2AFA4

Strings

<, xrefs: 00007FF637E2AF71

Memory Dump Source

Source File: 00000018.00000002.17583760031.00007FF637CE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF637CE0000, based on PE: true

Associated: 00000018.00000002.17583611620.00007FF637CE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584352488.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584438657.00007FF637F89000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584468751.00007FF637F8A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584519536.00007FF637F8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584558924.00007FF637F97000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584609328.00007FF637F98000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584646468.00007FF637FA3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584646468.00007FF637FB3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584750588.00007FF637FBA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584800002.00007FF637FBB000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584846015.00007FF637FBC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff637ce0000_onestart.jbxd

Similarity

API ID: ExclusiveLock$AcquireErrorLast$Release$CounterPerformanceQuery
String ID: <
API String ID: 593636287-4251816714
Opcode ID: c02ec6cc4f225cc347f11462282d17d034abe75ff29b28edaaff8396027e6b13
Instruction ID: 35e05a507c29896dbd6dc1a131a9c13c75e669813d6ac8627f6b08fdded64738
Opcode Fuzzy Hash: c02ec6cc4f225cc347f11462282d17d034abe75ff29b28edaaff8396027e6b13
Instruction Fuzzy Hash: E8C1D022A1CA4381EB66AB21E59037963A1FF45BD4F055236DE5F977A1EF3CE081E700

Function 00007FF637E3E670 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 161COMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32 ref: 00007FF637E3E721
GetLastError.KERNEL32 ref: 00007FF637E3E73C
SetLastError.KERNEL32 ref: 00007FF637E3E75A
UnregisterWaitEx.KERNEL32 ref: 00007FF637E3E77A
GetLastError.KERNEL32 ref: 00007FF637E3E878

Strings

StopWatching, xrefs: 00007FF637E3E697
..\..\base\win\object_watcher.cc, xrefs: 00007FF637E3E69E
E, xrefs: 00007FF637E3E8EC
ScopedAllowBaseSyncPrimitivesOutsideBlockingScope, xrefs: 00007FF637E3E8A8, 00007FF637E3E8C9

Memory Dump Source

Source File: 00000018.00000002.17583760031.00007FF637CE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF637CE0000, based on PE: true

Associated: 00000018.00000002.17583611620.00007FF637CE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584352488.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584438657.00007FF637F89000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584468751.00007FF637F8A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584519536.00007FF637F8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584558924.00007FF637F97000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584609328.00007FF637F98000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584646468.00007FF637FA3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584646468.00007FF637FB3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584750588.00007FF637FBA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584800002.00007FF637FBB000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584846015.00007FF637FBC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff637ce0000_onestart.jbxd

Similarity

API ID: ErrorLast$CreateEventUnregisterWait
String ID: ..\..\base\win\object_watcher.cc$E$ScopedAllowBaseSyncPrimitivesOutsideBlockingScope$StopWatching
API String ID: 3960733346-3839475703
Opcode ID: 4ea7dc13f00bebd786906ac47957ce7477940105b5c419ec508713af7108e6b0
Instruction ID: 9dc613a090997a9db42ae705e928dbe00ceb13813d2612dcb87821c79df7c48f
Opcode Fuzzy Hash: 4ea7dc13f00bebd786906ac47957ce7477940105b5c419ec508713af7108e6b0
Instruction Fuzzy Hash: 75718D32A0DB8286FB618B24E8503BA73A0FB84754F144235DA9E87BE1DF3DE445E740

Function 00007FF637E63430 Relevance: 14.5, APIs: 6, Strings: 2, Instructions: 472COMMON

Download Yara Rule

APIs

WakeAllConditionVariable.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000008,?,?,?), ref: 00007FF637E6376B
AcquireSRWLockExclusive.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000008,?,?,?), ref: 00007FF637E63988
AcquireSRWLockExclusive.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000008,?,?,?), ref: 00007FF637E63998

Strings

ScheduleAdjustMaxTasks, xrefs: 00007FF637E63891
..\..\base\task\thread_pool\thread_group.cc, xrefs: 00007FF637E63898

Memory Dump Source

Source File: 00000018.00000002.17583760031.00007FF637CE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF637CE0000, based on PE: true

Associated: 00000018.00000002.17583611620.00007FF637CE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584352488.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584438657.00007FF637F89000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584468751.00007FF637F8A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584519536.00007FF637F8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584558924.00007FF637F97000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584609328.00007FF637F98000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584646468.00007FF637FA3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584646468.00007FF637FB3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584750588.00007FF637FBA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584800002.00007FF637FBB000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584846015.00007FF637FBC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff637ce0000_onestart.jbxd

Similarity

API ID: AcquireExclusiveLock$ConditionVariableWake
String ID: ..\..\base\task\thread_pool\thread_group.cc$ScheduleAdjustMaxTasks
API String ID: 2197706067-4028267251
Opcode ID: 60de05979d65992d86ae3d0e482dee9492d9be6ddc246231f352a9c0c56f1415
Instruction ID: c20f67ea62dfb2a32190ffc8781e3d3af745d81bbc9b13a9b707abb61f7fdcda
Opcode Fuzzy Hash: 60de05979d65992d86ae3d0e482dee9492d9be6ddc246231f352a9c0c56f1415
Instruction Fuzzy Hash: 3012B122A0CA4682EE64CB15E84437967A0FB88BA4F154635DF6E877E5DF3CE641E700

Function 00007FF637E3E930 Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 129libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,?,?,?,?,?,?,00000020,00000000,00007FF637D242AC,?,?,0000001E,?,00007FF637D241F9), ref: 00007FF637E3EA5A
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,00000020,00000000,00007FF637D242AC,?,?,0000001E,?,00007FF637D241F9), ref: 00007FF637E3EA6A

Strings

~WaitableEvent while Signaled, xrefs: 00007FF637E3EADC
..\..\third_party\perfetto\include\perfetto\tracing\track_event_category_registry.h, xrefs: 00007FF637E3EB1B
GetHandleVerifier, xrefs: 00007FF637E3EA60
PERFETTO_CHECK(false && "A track event used an unknown category. Please add it to " "PERFETTO_DEFINE_CATEGORIES()."), xrefs: 00007FF637E3EB30
%s (errno: %d, %s), xrefs: 00007FF637E3EB3C
wakeup.flow,toplevel.flow, xrefs: 00007FF637E3E9F1

Memory Dump Source

Source File: 00000018.00000002.17583760031.00007FF637CE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF637CE0000, based on PE: true

Associated: 00000018.00000002.17583611620.00007FF637CE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584352488.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584438657.00007FF637F89000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584468751.00007FF637F8A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584519536.00007FF637F8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584558924.00007FF637F97000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584609328.00007FF637F98000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584646468.00007FF637FA3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584646468.00007FF637FB3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584750588.00007FF637FBA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584800002.00007FF637FBB000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584846015.00007FF637FBC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff637ce0000_onestart.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: %s (errno: %d, %s)$..\..\third_party\perfetto\include\perfetto\tracing\track_event_category_registry.h$GetHandleVerifier$PERFETTO_CHECK(false && "A track event used an unknown category. Please add it to " "PERFETTO_DEFINE_CATEGORIES().")$wakeup.flow,toplevel.flow$~WaitableEvent while Signaled
API String ID: 1646373207-2914896919
Opcode ID: 7dcdef8fc2d8469a16833018401316aab335125a7cc337748f8071478ceeb83f
Instruction ID: 577cfda6aca1b020a476fe90aefdf519b646ed9e7871d293e47978534c5da830
Opcode Fuzzy Hash: 7dcdef8fc2d8469a16833018401316aab335125a7cc337748f8071478ceeb83f
Instruction Fuzzy Hash: EA516C32A1CA8781FA549B14E8903B923A1BF95B94F40523ADA9ED73A1DF3CE545F700

Function 00007FF637E2DD40 Relevance: 13.6, APIs: 9, Instructions: 110threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00007FF637E2DDA0
GetThreadPriority.KERNEL32(?,?,?,?,?,?,?,?,00007FF637CE7D17), ref: 00007FF637E2DDA5
GetCurrentThread.KERNEL32 ref: 00007FF637E2DDAD
SetThreadPriority.KERNEL32(?,?,?,?,?,?,?,?,00007FF637CE7D17), ref: 00007FF637E2DDB7
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,00007FF637CE7D17), ref: 00007FF637E2DE1D
GetCurrentThread.KERNEL32 ref: 00007FF637E2DE26
SetThreadPriority.KERNEL32(?,?,?,?,?,?,?,?,00007FF637CE7D17), ref: 00007FF637E2DE31
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,00007FF637CE7D17), ref: 00007FF637E2DE42
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,00007FF637CE7D17), ref: 00007FF637E2DF10

Memory Dump Source

Source File: 00000018.00000002.17583760031.00007FF637CE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF637CE0000, based on PE: true

Associated: 00000018.00000002.17583611620.00007FF637CE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584352488.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584438657.00007FF637F89000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584468751.00007FF637F8A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584519536.00007FF637F8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584558924.00007FF637F97000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584609328.00007FF637F98000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584646468.00007FF637FA3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584646468.00007FF637FB3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584750588.00007FF637FBA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584800002.00007FF637FBB000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584846015.00007FF637FBC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff637ce0000_onestart.jbxd

Similarity

API ID: Thread$CurrentPerformancePriorityQuery$Counter$Frequency
String ID:
API String ID: 2845919953-0
Opcode ID: f22e4967ca8d38f132a42b01132e5474b5ddbdd71f894bc6302693665548a810
Instruction ID: f86612bd35f2a36029563c031f957458fa330eaae6ff6925db54bea6bafe0394
Opcode Fuzzy Hash: f22e4967ca8d38f132a42b01132e5474b5ddbdd71f894bc6302693665548a810
Instruction Fuzzy Hash: 96517F21A1CE86C5E611EF25EC5527573A5BF96B90F114339DA4EA33A0DF3CB146E700

Function 00007FF637CEC479 Relevance: 12.6, APIs: 6, Strings: 1, Instructions: 328COMMON

Download Yara Rule

APIs

TryAcquireSRWLockExclusive.KERNEL32 ref: 00007FF637CEC554
ReleaseSRWLockExclusive.KERNEL32 ref: 00007FF637CEC637
AcquireSRWLockExclusive.KERNEL32 ref: 00007FF637CEC645
TryAcquireSRWLockExclusive.KERNEL32 ref: 00007FF637CEC84B
AcquireSRWLockExclusive.KERNEL32 ref: 00007FF637CEC858
ReleaseSRWLockExclusive.KERNEL32 ref: 00007FF637CEC861

Strings

..\..\base\task\thread_pool\task_tracker.cc, xrefs: 00007FF637CEC931

Memory Dump Source

Source File: 00000018.00000002.17583760031.00007FF637CE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF637CE0000, based on PE: true

Associated: 00000018.00000002.17583611620.00007FF637CE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584352488.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584438657.00007FF637F89000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584468751.00007FF637F8A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584519536.00007FF637F8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584558924.00007FF637F97000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584609328.00007FF637F98000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584646468.00007FF637FA3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584646468.00007FF637FB3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584750588.00007FF637FBA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584800002.00007FF637FBB000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584846015.00007FF637FBC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff637ce0000_onestart.jbxd

Similarity

API ID: ExclusiveLock$Acquire$Release
String ID: ..\..\base\task\thread_pool\task_tracker.cc
API String ID: 1678258262-2282977664
Opcode ID: a98c6f4088fb86f363b26452da593209552b2ba5ac5ae6e88fe7adc556564007
Instruction ID: 99d29919201470a2852bd998c847162ea28fa55f61f860b08224bd73b25d5c10
Opcode Fuzzy Hash: a98c6f4088fb86f363b26452da593209552b2ba5ac5ae6e88fe7adc556564007
Instruction Fuzzy Hash: 9DE1C332A0CA8589EB618B15E4453BE77B4FB89B85F146035DE8D83B95DF3DD842E700

Function 00007FF637CE80D0 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 107COMMON

Download Yara Rule

APIs

TryAcquireSRWLockExclusive.KERNEL32(?), ref: 00007FF637CE81C0
ReleaseSRWLockExclusive.KERNEL32 ref: 00007FF637CE81E5
AcquireSRWLockExclusive.KERNEL32 ref: 00007FF637CE822A

Strings

WaitNoSyncWork, xrefs: 00007FF637CE8145
E, xrefs: 00007FF637CE828A
..\..\base\task\sequence_manager\work_tracker.cc, xrefs: 00007FF637CE814C
ScopedAllowBaseSyncPrimitivesOutsideBlockingScope, xrefs: 00007FF637CE8240, 00007FF637CE8267

Memory Dump Source

Source File: 00000018.00000002.17583760031.00007FF637CE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF637CE0000, based on PE: true

Associated: 00000018.00000002.17583611620.00007FF637CE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584352488.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584438657.00007FF637F89000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584468751.00007FF637F8A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584519536.00007FF637F8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584558924.00007FF637F97000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584609328.00007FF637F98000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584646468.00007FF637FA3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584646468.00007FF637FB3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584750588.00007FF637FBA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584800002.00007FF637FBB000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584846015.00007FF637FBC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff637ce0000_onestart.jbxd

Similarity

API ID: ExclusiveLock$Acquire$Release
String ID: ..\..\base\task\sequence_manager\work_tracker.cc$E$ScopedAllowBaseSyncPrimitivesOutsideBlockingScope$WaitNoSyncWork
API String ID: 1678258262-2415033031
Opcode ID: 1cb4c1128a410290f10dfe8ab988d81f980b936f64f9a53651d04b755ba91176
Instruction ID: c86e41be7c9e04a68c10231fb26d3a4457d9bd44480a2d4a8156cf688f97c784
Opcode Fuzzy Hash: 1cb4c1128a410290f10dfe8ab988d81f980b936f64f9a53651d04b755ba91176
Instruction Fuzzy Hash: 9D517A31A0CB8A95EB608B25E8513BA33F0FB94784F445036DA8D87B65DF3CE14AE740

Function 00007FF637EABD48 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 88libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,00000010,00000000,00007FF637EABC6F,?,?,00000000,00007FF637E9A40A,?,?,00000000,00007FF637E78D49), ref: 00007FF637EABDCD
GetLastError.KERNEL32(?,?,00000000,00007FF637E9A40A,?,?,00000000,00007FF637E78D49,?,?,?,?,00007FF637EB1359), ref: 00007FF637EABDDB
LoadLibraryExW.KERNEL32(?,?,00000000,00007FF637E9A40A,?,?,00000000,00007FF637E78D49,?,?,?,?,00007FF637EB1359), ref: 00007FF637EABE05
FreeLibrary.KERNEL32(?,?,00000000,00007FF637E9A40A,?,?,00000000,00007FF637E78D49,?,?,?,?,00007FF637EB1359), ref: 00007FF637EABE73
GetProcAddress.KERNEL32(?,?,00000000,00007FF637E9A40A,?,?,00000000,00007FF637E78D49,?,?,?,?,00007FF637EB1359), ref: 00007FF637EABE7F

Strings

MZx, xrefs: 00007FF637EABD66, 00007FF637EABE16, 00007FF637EABE5C
api-ms-, xrefs: 00007FF637EABDED

Memory Dump Source

Source File: 00000018.00000002.17583760031.00007FF637CE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF637CE0000, based on PE: true

Associated: 00000018.00000002.17583611620.00007FF637CE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584352488.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584438657.00007FF637F89000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584468751.00007FF637F8A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584519536.00007FF637F8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584558924.00007FF637F97000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584609328.00007FF637F98000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584646468.00007FF637FA3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584646468.00007FF637FB3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584750588.00007FF637FBA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584800002.00007FF637FBB000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584846015.00007FF637FBC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff637ce0000_onestart.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: MZx$api-ms-
API String ID: 2559590344-259127448
Opcode ID: 7f66e61c9afb89d239a8a4b3c739e3d0a4f27b6044b03b835e106e2d954d1aed
Instruction ID: d40832954d70ea8dfcd8382b1afcba01373f2e536290f12ffe3b305c782a9c24
Opcode Fuzzy Hash: 7f66e61c9afb89d239a8a4b3c739e3d0a4f27b6044b03b835e106e2d954d1aed
Instruction Fuzzy Hash: 3431B421B2E68695EEA19B02A80057523F4FF58BA4F494539DE1DCB790EF3CE485EB00

Function 00007FF637D244B0 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69synchronizationthreadCOMMON

Download Yara Rule

APIs

GetThreadId.KERNEL32 ref: 00007FF637D244CF
WaitForSingleObject.KERNEL32 ref: 00007FF637D24573
CloseHandle.KERNEL32 ref: 00007FF637D24580
GetLastError.KERNEL32 ref: 00007FF637D245AF

Strings

ScopedBlockingCallWithBaseSyncPrimitives, xrefs: 00007FF637D245CF
..\..\base\threading\platform_thread_win.cc, xrefs: 00007FF637D2452B
Join, xrefs: 00007FF637D24524

Memory Dump Source

Source File: 00000018.00000002.17583760031.00007FF637CE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF637CE0000, based on PE: true

Associated: 00000018.00000002.17583611620.00007FF637CE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584352488.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584438657.00007FF637F89000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584468751.00007FF637F8A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584519536.00007FF637F8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584558924.00007FF637F97000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584609328.00007FF637F98000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584646468.00007FF637FA3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584646468.00007FF637FB3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584750588.00007FF637FBA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584800002.00007FF637FBB000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584846015.00007FF637FBC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff637ce0000_onestart.jbxd

Similarity

API ID: CloseErrorHandleLastObjectSingleThreadWait
String ID: ..\..\base\threading\platform_thread_win.cc$Join$ScopedBlockingCallWithBaseSyncPrimitives
API String ID: 813778123-1135135018
Opcode ID: 8be779e11d13ea329a991947a293a1ae0a822d55de3997cc897ebf576ed0efab
Instruction ID: 5ccfa2f13c5314dc9b5200704cbfab7a2dd931eec19e0e4c73a13b0f98730902
Opcode Fuzzy Hash: 8be779e11d13ea329a991947a293a1ae0a822d55de3997cc897ebf576ed0efab
Instruction Fuzzy Hash: 89316B21A0CAC694FA209B25F8013FA73A0FF84794F405235DA8D87795EF3CE54AEB00

Function 00007FF637CEFC00 Relevance: 12.1, APIs: 8, Instructions: 112threadCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32 ref: 00007FF637CEFCB1
TryAcquireSRWLockExclusive.KERNEL32 ref: 00007FF637CEFD13
ReleaseSRWLockExclusive.KERNEL32 ref: 00007FF637CEFD28
AcquireSRWLockExclusive.KERNEL32 ref: 00007FF637CEFD57
GetCurrentThreadId.KERNEL32 ref: 00007FF637CEFD5F
GetCurrentThreadId.KERNEL32 ref: 00007FF637CEFD70
GetCurrentThreadId.KERNEL32 ref: 00007FF637CEFD81
GetCurrentThreadId.KERNEL32 ref: 00007FF637CEFD92

Memory Dump Source

Source File: 00000018.00000002.17583760031.00007FF637CE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF637CE0000, based on PE: true

Associated: 00000018.00000002.17583611620.00007FF637CE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584352488.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584438657.00007FF637F89000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584468751.00007FF637F8A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584519536.00007FF637F8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584558924.00007FF637F97000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584609328.00007FF637F98000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584646468.00007FF637FA3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584646468.00007FF637FB3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584750588.00007FF637FBA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584800002.00007FF637FBB000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584846015.00007FF637FBC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff637ce0000_onestart.jbxd

Similarity

API ID: CurrentThread$ExclusiveLock$Acquire$CounterPerformanceQueryRelease
String ID:
API String ID: 1818721922-0
Opcode ID: 09eb9a39eb12b69f7212781b769c30db86572854262bc89db184cc5432e401c0
Instruction ID: b134c1692456dad12212183a46dab96f40661e9ff3e1938f9e595cda92ea4be8
Opcode Fuzzy Hash: 09eb9a39eb12b69f7212781b769c30db86572854262bc89db184cc5432e401c0
Instruction Fuzzy Hash: EA417126A0DB4AC6EBA48F15E48133967B1FB84BD1F156435CA4E83BA0DF3CE585E700

Function 00007FF637E9E074 Relevance: 10.6, APIs: 7, Instructions: 62COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF637E9E083
FlsGetValue.KERNEL32 ref: 00007FF637E9E098
FlsSetValue.KERNEL32 ref: 00007FF637E9E0B9
FlsSetValue.KERNEL32 ref: 00007FF637E9E0E6
FlsSetValue.KERNEL32 ref: 00007FF637E9E0F7
FlsSetValue.KERNEL32 ref: 00007FF637E9E108
SetLastError.KERNEL32 ref: 00007FF637E9E123

Memory Dump Source

Source File: 00000018.00000002.17583760031.00007FF637CE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF637CE0000, based on PE: true

Associated: 00000018.00000002.17583611620.00007FF637CE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584352488.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584438657.00007FF637F89000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584468751.00007FF637F8A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584519536.00007FF637F8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584558924.00007FF637F97000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584609328.00007FF637F98000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584646468.00007FF637FA3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584646468.00007FF637FB3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584750588.00007FF637FBA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584800002.00007FF637FBB000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584846015.00007FF637FBC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff637ce0000_onestart.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: ce639fc7a39008192c90cbc1f6a4d761acf4f7c598f75af7b858d0719e96e9d9
Instruction ID: c0eeb039a2631ea0a3f0ab69644d6def5a5a16b9a1dc47fe9dce581e4d2ab465
Opcode Fuzzy Hash: ce639fc7a39008192c90cbc1f6a4d761acf4f7c598f75af7b858d0719e96e9d9
Instruction Fuzzy Hash: 29219323F0C24681FA69A732595593952827F567F4F144B38DA3ECBBD6DE6CB801B200

Function 00007FF637EAE504 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 00007FF637EAE535
GetLastError.KERNEL32 ref: 00007FF637EAE541
CloseHandle.KERNEL32 ref: 00007FF637EAE559
CreateFileW.KERNEL32 ref: 00007FF637EAE584
WriteConsoleW.KERNEL32 ref: 00007FF637EAE5A3

Strings

CONOUT$, xrefs: 00007FF637EAE565

Memory Dump Source

Source File: 00000018.00000002.17583760031.00007FF637CE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF637CE0000, based on PE: true

Associated: 00000018.00000002.17583611620.00007FF637CE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584352488.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584438657.00007FF637F89000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584468751.00007FF637F8A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584519536.00007FF637F8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584558924.00007FF637F97000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584609328.00007FF637F98000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584646468.00007FF637FA3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584646468.00007FF637FB3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584750588.00007FF637FBA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584800002.00007FF637FBB000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584846015.00007FF637FBC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff637ce0000_onestart.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: 4bffcdf01e6d4199f7e145456358a536238d225e3f36f7e24c2195bae8fff193
Instruction ID: 84b2b5c4086150730cba4b73a1b57bfed298e5979ae0ad8c2d036e3480fe3e28
Opcode Fuzzy Hash: 4bffcdf01e6d4199f7e145456358a536238d225e3f36f7e24c2195bae8fff193
Instruction Fuzzy Hash: 11116021B1CA8286E7908B56F85532963E4FB88FE4F444238EA5EC77A4DF3CD404D740

Function 00007FF637CE2C29 Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 341COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 00007FF637CE2FA2
OutputDebugStringA.KERNEL32 ref: 00007FF637CE3052

Strings

LOG_FATAL, xrefs: 00007FF637CE3273
W, xrefs: 00007FF637CE2F1D
LogMessage, xrefs: 00007FF637CE3223

Memory Dump Source

Source File: 00000018.00000002.17583760031.00007FF637CE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF637CE0000, based on PE: true

Associated: 00000018.00000002.17583611620.00007FF637CE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584352488.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584438657.00007FF637F89000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584468751.00007FF637F8A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584519536.00007FF637F8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584558924.00007FF637F97000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584609328.00007FF637F98000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584646468.00007FF637FA3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584646468.00007FF637FB3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584750588.00007FF637FBA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584800002.00007FF637FBB000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584846015.00007FF637FBC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff637ce0000_onestart.jbxd

Similarity

API ID: DebugErrorLastOutputString
String ID: LOG_FATAL$LogMessage$W
API String ID: 4132100945-2234279591
Opcode ID: 406c79a61a2068ba0e720a9e2479bb229360b9f04f4b74495eaf43d52b5cf491
Instruction ID: 4433af97290e6050822b024b8c387f6ff55f7fee705ec7523ede3da964d1953e
Opcode Fuzzy Hash: 406c79a61a2068ba0e720a9e2479bb229360b9f04f4b74495eaf43d52b5cf491
Instruction Fuzzy Hash: 0CE1B032A1DA969AEB11DB14E4423B967B0FF45B81F442039DA8D87BA5DF3CF445EB00

Function 00007FF637E93718 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 299fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 00007FF637E93797
WriteFile.KERNEL32 ref: 00007FF637E93A5F
WriteFile.KERNEL32 ref: 00007FF637E93AA5
GetLastError.KERNEL32 ref: 00007FF637E93B5B

Strings

MZx, xrefs: 00007FF637E9376E, 00007FF637E937EF, 00007FF637E938A4

Memory Dump Source

Source File: 00000018.00000002.17583760031.00007FF637CE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF637CE0000, based on PE: true

Associated: 00000018.00000002.17583611620.00007FF637CE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584352488.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584438657.00007FF637F89000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584468751.00007FF637F8A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584519536.00007FF637F8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584558924.00007FF637F97000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584609328.00007FF637F98000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584646468.00007FF637FA3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584646468.00007FF637FB3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584750588.00007FF637FBA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584800002.00007FF637FBB000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584846015.00007FF637FBC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff637ce0000_onestart.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID: MZx
API String ID: 2718003287-2575928145
Opcode ID: a310130c89eb4b93d489484feccd40f8be7dbae77ce2e5a45b018318b922440b
Instruction ID: 170adf93dc3e79eb2e646d61e5e4636ebdaef082f214fae5ba0822524c3bd04e
Opcode Fuzzy Hash: a310130c89eb4b93d489484feccd40f8be7dbae77ce2e5a45b018318b922440b
Instruction Fuzzy Hash: 8DD1F033B0CA8589E721CF69D4402AC37B1FB6AB98B144236DE5E97B99DE3CD446D340

Function 00007FF637D23FC0 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 188libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,?,?,?,?,?,?,00000000,?,-00000010,?,?,?,?,00007FF637D2DCAB), ref: 00007FF637D24209
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,00000000,?,-00000010,?,?,?,?,00007FF637D2DCAB), ref: 00007FF637D24219

Strings

..\..\third_party\perfetto\src\protozero\static_buffer.cc, xrefs: 00007FF637D24163
GetHandleVerifier, xrefs: 00007FF637D2420F
Static buffer too small (errno: %d, %s), xrefs: 00007FF637D24178

Memory Dump Source

Source File: 00000018.00000002.17583760031.00007FF637CE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF637CE0000, based on PE: true

Associated: 00000018.00000002.17583611620.00007FF637CE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584352488.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584438657.00007FF637F89000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584468751.00007FF637F8A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584519536.00007FF637F8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584558924.00007FF637F97000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584609328.00007FF637F98000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584646468.00007FF637FA3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584646468.00007FF637FB3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584750588.00007FF637FBA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584800002.00007FF637FBB000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584846015.00007FF637FBC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff637ce0000_onestart.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: ..\..\third_party\perfetto\src\protozero\static_buffer.cc$GetHandleVerifier$Static buffer too small (errno: %d, %s)
API String ID: 1646373207-1950129055
Opcode ID: 7955d692a534052ed4fb4520a2cbcf5fbd0abd7beaaec7b1974af328fb2897b3
Instruction ID: 6b243cb2498471ba8707ac8a3cfc9e9e3a0f679a70b683a1246cb0b9e66fdd2f
Opcode Fuzzy Hash: 7955d692a534052ed4fb4520a2cbcf5fbd0abd7beaaec7b1974af328fb2897b3
Instruction Fuzzy Hash: 9B71F222B0CA8681EB109B25E9443BD67A1FB45BC8F544635EE4D87B99DF3CE486E300

Function 00007FF637DE3EF0 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 183libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32 ref: 00007FF637DE3F0F
GetProcAddress.KERNEL32 ref: 00007FF637DE3F24

Strings

bcryptprimitives.dll, xrefs: 00007FF637DE3F08
ProcessPrng, xrefs: 00007FF637DE3F1A
xn--, xrefs: 00007FF637DE40E4

Memory Dump Source

Source File: 00000018.00000002.17583760031.00007FF637CE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF637CE0000, based on PE: true

Associated: 00000018.00000002.17583611620.00007FF637CE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584352488.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584438657.00007FF637F89000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584468751.00007FF637F8A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584519536.00007FF637F8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584558924.00007FF637F97000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584609328.00007FF637F98000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584646468.00007FF637FA3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584646468.00007FF637FB3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584750588.00007FF637FBA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584800002.00007FF637FBB000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584846015.00007FF637FBC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff637ce0000_onestart.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: ProcessPrng$bcryptprimitives.dll$xn--
API String ID: 2574300362-110522026
Opcode ID: cc897619130d974a35ac36fb9a132ce2f9b2edf325e74b49fba86f08d67fd25a
Instruction ID: 73eb2572cccf263499ed43fc1445d44b38538a098434e2989c8ace8f88c81106
Opcode Fuzzy Hash: cc897619130d974a35ac36fb9a132ce2f9b2edf325e74b49fba86f08d67fd25a
Instruction Fuzzy Hash: 4351CE10F1D28A81FE569B2699443799280AF89BD0F049739ED0DDBFD6EE3DE446E300

Function 00007FF637ED9130 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 134windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNEL32 ref: 00007FF637ED917F
LocalFree.KERNEL32 ref: 00007FF637ED91F0

Part of subcall function 00007FF637E10C10: GetLastError.KERNEL32 ref: 00007FF637E10CA2
Part of subcall function 00007FF637E10C10: SetLastError.KERNEL32 ref: 00007FF637E10CAE
Part of subcall function 00007FF637E10C10: SetLastError.KERNEL32 ref: 00007FF637E10D89

GetLastError.KERNEL32 ref: 00007FF637ED934F

Strings

(0x%lX), xrefs: 00007FF637ED9202
Error (0x%lX) while retrieving error. (0x%lX), xrefs: 00007FF637ED9355

Memory Dump Source

Source File: 00000018.00000002.17583760031.00007FF637CE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF637CE0000, based on PE: true

Associated: 00000018.00000002.17583611620.00007FF637CE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584352488.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584438657.00007FF637F89000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584468751.00007FF637F8A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584519536.00007FF637F8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584558924.00007FF637F97000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584609328.00007FF637F98000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584646468.00007FF637FA3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584646468.00007FF637FB3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584750588.00007FF637FBA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584800002.00007FF637FBB000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584846015.00007FF637FBC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff637ce0000_onestart.jbxd

Similarity

API ID: ErrorLast$FormatFreeLocalMessage
String ID: (0x%lX)$Error (0x%lX) while retrieving error. (0x%lX)
API String ID: 2740663437-3206765257
Opcode ID: d4f852195ba537edc8ef173cd94e8ca0dfd319ebaeb145ebdd4610fc31453421
Instruction ID: 466ec5538f0a28d173cb4e6acc540c5e1cf40b06ee5185575d9c617cfeba82ee
Opcode Fuzzy Hash: d4f852195ba537edc8ef173cd94e8ca0dfd319ebaeb145ebdd4610fc31453421
Instruction Fuzzy Hash: CB517122A0CBC685EB21CB21E8503AAA7A4FFC5B84F444135DA8D87B95EF7CE145DB00

Function 00007FF637D212F0 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 108COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNEL32 ref: 00007FF637D2138D
GetLongPathNameW.KERNEL32 ref: 00007FF637D213CC

Strings

MakeLongFilePath, xrefs: 00007FF637D21334
..\..\base\files\file_util_win.cc, xrefs: 00007FF637D2133B
ScopedBlockingCall, xrefs: 00007FF637D21484

Memory Dump Source

Source File: 00000018.00000002.17583760031.00007FF637CE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF637CE0000, based on PE: true

Associated: 00000018.00000002.17583611620.00007FF637CE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584352488.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584438657.00007FF637F89000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584468751.00007FF637F8A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584519536.00007FF637F8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584558924.00007FF637F97000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584609328.00007FF637F98000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584646468.00007FF637FA3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584646468.00007FF637FB3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584750588.00007FF637FBA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584800002.00007FF637FBB000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584846015.00007FF637FBC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff637ce0000_onestart.jbxd

Similarity

API ID: LongNamePath
String ID: ..\..\base\files\file_util_win.cc$MakeLongFilePath$ScopedBlockingCall
API String ID: 82841172-2989128051
Opcode ID: bf4abaf70e832986b01e121af92e148d41dfee86a62295964aa6aa2c82ccd2b7
Instruction ID: 2e2bbfc1a091e2a9432f24d87f189545cafa586d7a0df42c241676be7b5bab79
Opcode Fuzzy Hash: bf4abaf70e832986b01e121af92e148d41dfee86a62295964aa6aa2c82ccd2b7
Instruction Fuzzy Hash: 8741BF22A1CBC291FB21CB25F4407EA6360FF95784F449236EA8D87755EF3DE2869740

Function 00007FF637D24320 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 96COMMON

Download Yara Rule

APIs

TryAcquireSRWLockExclusive.KERNEL32(?,?,?,?,?,?,?,?,?,00000020,00000000,00007FF637D24280,?,?,0000001E), ref: 00007FF637D2437D
ReleaseSRWLockExclusive.KERNEL32(?,?,?,?,?,?,?,?,?,00000020,00000000,00007FF637D24280,?,?,0000001E), ref: 00007FF637D243B4
AcquireSRWLockExclusive.KERNEL32(?,?,?,?,?,?,?,?,?,00000020,00000000,00007FF637D24280,?,?,0000001E), ref: 00007FF637D24482

Strings

StopSoon, xrefs: 00007FF637D2441B
..\..\base\threading\thread.cc, xrefs: 00007FF637D24422

Memory Dump Source

Source File: 00000018.00000002.17583760031.00007FF637CE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF637CE0000, based on PE: true

Associated: 00000018.00000002.17583611620.00007FF637CE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584352488.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584438657.00007FF637F89000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584468751.00007FF637F8A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584519536.00007FF637F8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584558924.00007FF637F97000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584609328.00007FF637F98000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584646468.00007FF637FA3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584646468.00007FF637FB3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584750588.00007FF637FBA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584800002.00007FF637FBB000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584846015.00007FF637FBC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff637ce0000_onestart.jbxd

Similarity

API ID: ExclusiveLock$Acquire$Release
String ID: ..\..\base\threading\thread.cc$StopSoon
API String ID: 1678258262-4240870308
Opcode ID: 40b91253b4347b184bf65b64b6bac2cc768e3bc2c1515902b57bee1bd331dab6
Instruction ID: f3536b2b5ba30aa2cf89dea978fdfbf4578f3924f7c2d83826511f3655274206
Opcode Fuzzy Hash: 40b91253b4347b184bf65b64b6bac2cc768e3bc2c1515902b57bee1bd331dab6
Instruction Fuzzy Hash: 1B418B31B0DB4685EB049B25E8402A973A4FB88FE4F484636DE4D837A4DF7CE456E340

Function 00007FF637E887F4 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 00007FF637E88819
GetProcAddress.KERNEL32 ref: 00007FF637E8882F
FreeLibrary.KERNEL32 ref: 00007FF637E88856

Strings

CorExitProcess, xrefs: 00007FF637E88828
mscoree.dll, xrefs: 00007FF637E88810

Memory Dump Source

Source File: 00000018.00000002.17583760031.00007FF637CE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF637CE0000, based on PE: true

Associated: 00000018.00000002.17583611620.00007FF637CE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584352488.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584438657.00007FF637F89000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584468751.00007FF637F8A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584519536.00007FF637F8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584558924.00007FF637F97000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584609328.00007FF637F98000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584646468.00007FF637FA3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584646468.00007FF637FB3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584750588.00007FF637FBA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584800002.00007FF637FBB000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584846015.00007FF637FBC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff637ce0000_onestart.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 9dfa096fba17ece0b8a72d67492ea9c4bfabe24b5e85fa13686e8088c1d0ebb1
Instruction ID: b8cd3ded4519900e59897be4d09439e9e0607960a141c5d1329b03f1de6e1875
Opcode Fuzzy Hash: 9dfa096fba17ece0b8a72d67492ea9c4bfabe24b5e85fa13686e8088c1d0ebb1
Instruction Fuzzy Hash: 8EF06261A2EA4281FA108B24E8443796360FF89BA1F94063DCA6DCA3E4CF2DD045F700

Function 00007FF637CE1E80 Relevance: 7.8, APIs: 5, Instructions: 298COMMON

Download Yara Rule

APIs

ReleaseSRWLockExclusive.KERNEL32 ref: 00007FF637CE233B

Part of subcall function 00007FF637D853B0: TryAcquireSRWLockExclusive.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000180), ref: 00007FF637D85406

TryAcquireSRWLockExclusive.KERNEL32 ref: 00007FF637CE20D2
ReleaseSRWLockExclusive.KERNEL32 ref: 00007FF637CE2190
TryAcquireSRWLockExclusive.KERNEL32 ref: 00007FF637CE21C9
ReleaseSRWLockExclusive.KERNEL32 ref: 00007FF637CE2280

Memory Dump Source

Source File: 00000018.00000002.17583760031.00007FF637CE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF637CE0000, based on PE: true

Associated: 00000018.00000002.17583611620.00007FF637CE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584352488.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584438657.00007FF637F89000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584468751.00007FF637F8A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584519536.00007FF637F8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584558924.00007FF637F97000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584609328.00007FF637F98000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584646468.00007FF637FA3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584646468.00007FF637FB3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584750588.00007FF637FBA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584800002.00007FF637FBB000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584846015.00007FF637FBC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff637ce0000_onestart.jbxd

Similarity

API ID: ExclusiveLock$AcquireRelease
String ID:
API String ID: 17069307-0
Opcode ID: 6c982f9e74e0d424c55bc1db26fc36b308763869d4441e71d59acd8f1be4597c
Instruction ID: a7f43fc59c6ca287415ec44141e2b078638a2e53590e8f5bbbec71e8fcefb909
Opcode Fuzzy Hash: 6c982f9e74e0d424c55bc1db26fc36b308763869d4441e71d59acd8f1be4597c
Instruction Fuzzy Hash: 3AD1A832A08A8A8AEB54CB15E84436A77B0FB48BD4F444135DB5E83BA4DF3DE545E300

Function 00007FF637D82760 Relevance: 7.8, APIs: 5, Instructions: 292COMMON

Download Yara Rule

APIs

ReleaseSRWLockExclusive.KERNEL32(?,?,00000180,00007FF637F9C700,00007FF637F9C700,?,?,00000000,?,00007FF637D841E5), ref: 00007FF637D82BFE

Part of subcall function 00007FF637D853B0: TryAcquireSRWLockExclusive.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000180), ref: 00007FF637D85406

TryAcquireSRWLockExclusive.KERNEL32 ref: 00007FF637D82995
ReleaseSRWLockExclusive.KERNEL32 ref: 00007FF637D82A53
TryAcquireSRWLockExclusive.KERNEL32 ref: 00007FF637D82A8C
ReleaseSRWLockExclusive.KERNEL32 ref: 00007FF637D82B43

Memory Dump Source

Source File: 00000018.00000002.17583760031.00007FF637CE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF637CE0000, based on PE: true

Associated: 00000018.00000002.17583611620.00007FF637CE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584352488.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584438657.00007FF637F89000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584468751.00007FF637F8A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584519536.00007FF637F8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584558924.00007FF637F97000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584609328.00007FF637F98000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584646468.00007FF637FA3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584646468.00007FF637FB3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584750588.00007FF637FBA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584800002.00007FF637FBB000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584846015.00007FF637FBC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff637ce0000_onestart.jbxd

Similarity

API ID: ExclusiveLock$AcquireRelease
String ID:
API String ID: 17069307-0
Opcode ID: caa57e4fab2fccbc1fe688bbe65e1164e85f1da677c2d06c453998c40db9fbfb
Instruction ID: 75f6e3d33c8a8e2b2e42a71036e6cc75bb2b881160efab2354c88aec7ad23837
Opcode Fuzzy Hash: caa57e4fab2fccbc1fe688bbe65e1164e85f1da677c2d06c453998c40db9fbfb
Instruction Fuzzy Hash: 6AD1BB72A0CA8696EB54CB15E84437A3BA0FB48BC4F454235DE9E837A4DF3DE545E300

Function 00007FF637E9E2B4 Relevance: 7.6, APIs: 5, Instructions: 54COMMON

Download Yara Rule

APIs

FlsGetValue.KERNEL32(?,?,?,00007FF637EA06F3,?,?,00000000,00007FF637EA060A), ref: 00007FF637E9E2D3
FlsSetValue.KERNEL32(?,?,?,00007FF637EA06F3,?,?,00000000,00007FF637EA060A), ref: 00007FF637E9E2F2
FlsSetValue.KERNEL32(?,?,?,00007FF637EA06F3,?,?,00000000,00007FF637EA060A), ref: 00007FF637E9E31A
FlsSetValue.KERNEL32(?,?,?,00007FF637EA06F3,?,?,00000000,00007FF637EA060A), ref: 00007FF637E9E32B
FlsSetValue.KERNEL32(?,?,?,00007FF637EA06F3,?,?,00000000,00007FF637EA060A), ref: 00007FF637E9E33C

Memory Dump Source

Source File: 00000018.00000002.17583760031.00007FF637CE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF637CE0000, based on PE: true

Associated: 00000018.00000002.17583611620.00007FF637CE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584352488.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584438657.00007FF637F89000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584468751.00007FF637F8A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584519536.00007FF637F8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584558924.00007FF637F97000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584609328.00007FF637F98000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584646468.00007FF637FA3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584646468.00007FF637FB3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584750588.00007FF637FBA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584800002.00007FF637FBB000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584846015.00007FF637FBC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff637ce0000_onestart.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 8f2dabbcba746bedc0e8ee8736a5933fe6ddd3e77df7c9839628b9bde0899552
Instruction ID: 6fabdb1ab3f13d07d0bef54738f0cfae782530d52432511aceab5c33a6754f05
Opcode Fuzzy Hash: 8f2dabbcba746bedc0e8ee8736a5933fe6ddd3e77df7c9839628b9bde0899552
Instruction Fuzzy Hash: D8116313F0C34241FA58E732A54197D22826F567B0F185738EA3ECA7D6DE6CF802A200

Function 00007FF637DE6E20 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 192COMMON

Download Yara Rule

APIs

TryAcquireSRWLockExclusive.KERNEL32(Medium,?,00000000,?,00007FF637E62E76), ref: 00007FF637DE6E5E
ReleaseSRWLockExclusive.KERNEL32 ref: 00007FF637DE6EFE
AcquireSRWLockExclusive.KERNEL32 ref: 00007FF637DE6FBA

Strings

Medium, xrefs: 00007FF637DE6E25

Memory Dump Source

Source File: 00000018.00000002.17583760031.00007FF637CE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF637CE0000, based on PE: true

Associated: 00000018.00000002.17583611620.00007FF637CE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584352488.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584438657.00007FF637F89000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584468751.00007FF637F8A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584519536.00007FF637F8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584558924.00007FF637F97000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584609328.00007FF637F98000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584646468.00007FF637FA3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584646468.00007FF637FB3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584750588.00007FF637FBA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584800002.00007FF637FBB000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584846015.00007FF637FBC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff637ce0000_onestart.jbxd

Similarity

API ID: ExclusiveLock$Acquire$Release
String ID: Medium
API String ID: 1678258262-3252633729
Opcode ID: 5279ee2f005dbeff30e775ce1fc9acbe9a9dc2c94bb35f498593029af960a223
Instruction ID: 0cb25fbe7e2fb9bb7197ab8e55c76013b29fc5317d8fa0b94ddb8ac1778aab34
Opcode Fuzzy Hash: 5279ee2f005dbeff30e775ce1fc9acbe9a9dc2c94bb35f498593029af960a223
Instruction Fuzzy Hash: AD718331B1D64A82EA629B26E844279B3A1FB44BA4F105735DA9EC7FD4DF3CF541A300

Function 00007FF637EE14B0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 159COMMON

Download Yara Rule

APIs

TryAcquireSRWLockExclusive.KERNEL32(?,?,?,?,?,?,00000000,00000064,-0000000400000000,?,00000170,?,00000000,?,00007FF637E2B739), ref: 00007FF637EE1678
ReleaseSRWLockExclusive.KERNEL32(?,?,?,?,?,?,00000000,00000064,-0000000400000000,?,00000170,?,00000000,?,00007FF637E2B739), ref: 00007FF637EE169A
AcquireSRWLockExclusive.KERNEL32(?,?,?,?,?,?,00000000,00000064,-0000000400000000,?,00000170,?,00000000,?,00007FF637E2B739), ref: 00007FF637EE16AC

Strings

<, xrefs: 00007FF637EE1667

Memory Dump Source

Source File: 00000018.00000002.17583760031.00007FF637CE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF637CE0000, based on PE: true

Associated: 00000018.00000002.17583611620.00007FF637CE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584352488.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584438657.00007FF637F89000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584468751.00007FF637F8A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584519536.00007FF637F8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584558924.00007FF637F97000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584609328.00007FF637F98000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584646468.00007FF637FA3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584646468.00007FF637FB3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584750588.00007FF637FBA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584800002.00007FF637FBB000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584846015.00007FF637FBC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff637ce0000_onestart.jbxd

Similarity

API ID: ExclusiveLock$Acquire$Release
String ID: <
API String ID: 1678258262-4251816714
Opcode ID: 1e3f42963342553342fe9c4e5ff189342a99d49b12180d070879fe9096c5f90f
Instruction ID: 52ef9c663efa739fc00a7892f41b70328d8602a1dbd619740a7881788df3ce4f
Opcode Fuzzy Hash: 1e3f42963342553342fe9c4e5ff189342a99d49b12180d070879fe9096c5f90f
Instruction Fuzzy Hash: 06513A21A1CA8A84EA16DF359500279A361BF55BD4F145732ED1FA7B91EF3CE0C3E200

Function 00007FF637D86490 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 79COMMON

Download Yara Rule

APIs

TryAcquireSRWLockExclusive.KERNEL32 ref: 00007FF637D8649D
ReleaseSRWLockExclusive.KERNEL32 ref: 00007FF637D86586

Part of subcall function 00007FF637D00C90: TryAcquireSRWLockExclusive.KERNEL32(00000000,00000040,?,00007FF637D837D6), ref: 00007FF637D00CB3

Strings

bitset set argument out of range, xrefs: 00007FF637D865A3
bitset test argument out of range, xrefs: 00007FF637D86597

Memory Dump Source

Source File: 00000018.00000002.17583760031.00007FF637CE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF637CE0000, based on PE: true

Associated: 00000018.00000002.17583611620.00007FF637CE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584352488.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584438657.00007FF637F89000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584468751.00007FF637F8A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584519536.00007FF637F8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584558924.00007FF637F97000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584609328.00007FF637F98000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584646468.00007FF637FA3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584646468.00007FF637FB3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584750588.00007FF637FBA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584800002.00007FF637FBB000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584846015.00007FF637FBC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff637ce0000_onestart.jbxd

Similarity

API ID: ExclusiveLock$Acquire$Release
String ID: bitset set argument out of range$bitset test argument out of range
API String ID: 1678258262-1976194836
Opcode ID: 077267a610cdc2f0fd84cb138ae864d5506008c81831ae6a0c53f8334b06ce76
Instruction ID: ceb84686dc9bdb46d84d49967a8c4e0d0a90d5094242a5017f2633924e11ba1b
Opcode Fuzzy Hash: 077267a610cdc2f0fd84cb138ae864d5506008c81831ae6a0c53f8334b06ce76
Instruction Fuzzy Hash: CF2126A1B0D68A52FDA48715F6107F91311EB50BE4F802734CF4E83B86EE6CE085E304

Function 00007FF637E1A010 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 69COMMON

Download Yara Rule

APIs

SleepConditionVariableSRW.KERNEL32 ref: 00007FF637E1A0DA

Strings

..\..\base\synchronization\condition_variable_win.cc, xrefs: 00007FF637E1A076
TimedWait, xrefs: 00007FF637E1A06F
ScopedBlockingCallWithBaseSyncPrimitives, xrefs: 00007FF637E1A134

Memory Dump Source

Source File: 00000018.00000002.17583760031.00007FF637CE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF637CE0000, based on PE: true

Associated: 00000018.00000002.17583611620.00007FF637CE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584352488.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584438657.00007FF637F89000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584468751.00007FF637F8A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584519536.00007FF637F8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584558924.00007FF637F97000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584609328.00007FF637F98000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584646468.00007FF637FA3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584646468.00007FF637FB3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584750588.00007FF637FBA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584800002.00007FF637FBB000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584846015.00007FF637FBC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff637ce0000_onestart.jbxd

Similarity

API ID: ConditionSleepVariable
String ID: ..\..\base\synchronization\condition_variable_win.cc$ScopedBlockingCallWithBaseSyncPrimitives$TimedWait
API String ID: 1382704212-1641630961
Opcode ID: f11a63276f1953454c9df886b57be0fd3688b4ca4d89b1e0aa48165475faac09
Instruction ID: 2e6087bbc1735d1091c416bada7139b316e41839b3000ad69a7bf2aeb95045d9
Opcode Fuzzy Hash: f11a63276f1953454c9df886b57be0fd3688b4ca4d89b1e0aa48165475faac09
Instruction Fuzzy Hash: 3831AE32A0C6C294FB718B28F4053EA67A0BF95354F404135DACC83B96DF2DD18AEB00

Function 00007FF637D865B0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 69COMMON

Download Yara Rule

APIs

TryAcquireSRWLockExclusive.KERNEL32 ref: 00007FF637D865C2
ReleaseSRWLockExclusive.KERNEL32 ref: 00007FF637D8665E

Part of subcall function 00007FF637D00C90: TryAcquireSRWLockExclusive.KERNEL32(00000000,00000040,?,00007FF637D837D6), ref: 00007FF637D00CB3

Strings

bitset set argument out of range, xrefs: 00007FF637D8667C
bitset test argument out of range, xrefs: 00007FF637D86670

Memory Dump Source

Source File: 00000018.00000002.17583760031.00007FF637CE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF637CE0000, based on PE: true

Associated: 00000018.00000002.17583611620.00007FF637CE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584352488.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584438657.00007FF637F89000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584468751.00007FF637F8A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584519536.00007FF637F8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584558924.00007FF637F97000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584609328.00007FF637F98000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584646468.00007FF637FA3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584646468.00007FF637FB3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584750588.00007FF637FBA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584800002.00007FF637FBB000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584846015.00007FF637FBC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff637ce0000_onestart.jbxd

Similarity

API ID: ExclusiveLock$Acquire$Release
String ID: bitset set argument out of range$bitset test argument out of range
API String ID: 1678258262-1976194836
Opcode ID: 86041cc35360d33204063cef1d4c069069f497be9c792471a6c934b882590ffa
Instruction ID: 2be04bc765b2952f6fd4a62302e4246ec9500192aa9456c02becb6949c7450d0
Opcode Fuzzy Hash: 86041cc35360d33204063cef1d4c069069f497be9c792471a6c934b882590ffa
Instruction Fuzzy Hash: 2E11E751B0D68E92FD449B05EA5A3B95222AF50BE0F406774CD0F87796DD6CB486A304

Function 00007FF637CF3DD5 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 49filelibraryloaderCOMMON

Download Yara Rule

APIs

UnmapViewOfFile.KERNEL32 ref: 00007FF637CF3DD8
GetModuleHandleW.KERNEL32 ref: 00007FF637CF3E40
GetProcAddress.KERNEL32 ref: 00007FF637CF3E50

Strings

GetHandleVerifier, xrefs: 00007FF637CF3E46

Memory Dump Source

Source File: 00000018.00000002.17583760031.00007FF637CE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF637CE0000, based on PE: true

Associated: 00000018.00000002.17583611620.00007FF637CE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584352488.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584438657.00007FF637F89000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584468751.00007FF637F8A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584519536.00007FF637F8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584558924.00007FF637F97000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584609328.00007FF637F98000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584646468.00007FF637FA3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584646468.00007FF637FB3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584750588.00007FF637FBA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584800002.00007FF637FBB000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584846015.00007FF637FBC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff637ce0000_onestart.jbxd

Similarity

API ID: AddressFileHandleModuleProcUnmapView
String ID: GetHandleVerifier
API String ID: 3224599007-1090674830
Opcode ID: a2dbc0936620245b3ce1c66ff2c9846662c49d90a7dae466e3edbebad59c5a32
Instruction ID: 47b670c15c8bab3314409556cb49702690fb67dfccdf2f1cc010c17ad004bd83
Opcode Fuzzy Hash: a2dbc0936620245b3ce1c66ff2c9846662c49d90a7dae466e3edbebad59c5a32
Instruction Fuzzy Hash: 59113A25A1CA0682EB249B25E49933923A1FF89B94F044639CA0FC73A0DF3DE085F300

Function 00007FF637E50D10 Relevance: 6.3, APIs: 4, Instructions: 272threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00007FF637E50F28
TryAcquireSRWLockExclusive.KERNEL32 ref: 00007FF637E51004
ReleaseSRWLockExclusive.KERNEL32 ref: 00007FF637E51027

Memory Dump Source

Source File: 00000018.00000002.17583760031.00007FF637CE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF637CE0000, based on PE: true

Associated: 00000018.00000002.17583611620.00007FF637CE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584352488.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584438657.00007FF637F89000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584468751.00007FF637F8A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584519536.00007FF637F8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584558924.00007FF637F97000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584609328.00007FF637F98000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584646468.00007FF637FA3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584646468.00007FF637FB3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584750588.00007FF637FBA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584800002.00007FF637FBB000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584846015.00007FF637FBC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff637ce0000_onestart.jbxd

Similarity

API ID: ExclusiveLock$AcquireCurrentReleaseThread
String ID:
API String ID: 135963836-0
Opcode ID: 72142dbca20f34169d0ae6ed8360e776c5e63e8bf0aafd4b964ffd7a1b65e22d
Instruction ID: 658fb7dc65ec08ac96f7fcda943354922c773768b75dd494d4d1a005642d4417
Opcode Fuzzy Hash: 72142dbca20f34169d0ae6ed8360e776c5e63e8bf0aafd4b964ffd7a1b65e22d
Instruction Fuzzy Hash: 95B18C32B0DB8E81EE158F25E4903A87361FB48BA5F548535DA5D877A0DF3DE492E300

Function 00007FF637E932F0 Relevance: 6.2, APIs: 4, Instructions: 218COMMON

Download Yara Rule

APIs

GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FF637E93703,?), ref: 00007FF637E9340C
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FF637E93703,?), ref: 00007FF637E93497

Memory Dump Source

Source File: 00000018.00000002.17583760031.00007FF637CE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF637CE0000, based on PE: true

Associated: 00000018.00000002.17583611620.00007FF637CE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584352488.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584438657.00007FF637F89000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584468751.00007FF637F8A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584519536.00007FF637F8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584558924.00007FF637F97000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584609328.00007FF637F98000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584646468.00007FF637FA3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584646468.00007FF637FB3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584750588.00007FF637FBA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584800002.00007FF637FBB000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584846015.00007FF637FBC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff637ce0000_onestart.jbxd

Similarity

API ID: ConsoleErrorLastMode
String ID:
API String ID: 953036326-0
Opcode ID: 59329d6e557d37f84ed2d91e471823ed785ee9a0e51eeb9b37fb9d013c58d891
Instruction ID: 20c200db9edc513f4dd1351f93895962c3e9615288e1bb13dda56845d93e38e5
Opcode Fuzzy Hash: 59329d6e557d37f84ed2d91e471823ed785ee9a0e51eeb9b37fb9d013c58d891
Instruction Fuzzy Hash: 2891A273F0C65295F761CF6598402BD2BA0BB6AB88F544139DE0E97795DE3CE441E700

Function 00007FF637D86690 Relevance: 6.2, APIs: 4, Instructions: 204COMMON

Download Yara Rule

APIs

VirtualFree.KERNEL32(?,?,?,?,?,?,?,?), ref: 00007FF637D866B1

Memory Dump Source

Source File: 00000018.00000002.17583760031.00007FF637CE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF637CE0000, based on PE: true

Associated: 00000018.00000002.17583611620.00007FF637CE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584352488.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584438657.00007FF637F89000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584468751.00007FF637F8A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584519536.00007FF637F8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584558924.00007FF637F97000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584609328.00007FF637F98000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584646468.00007FF637FA3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584646468.00007FF637FB3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584750588.00007FF637FBA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584800002.00007FF637FBB000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584846015.00007FF637FBC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff637ce0000_onestart.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: b88dabcebcb70336f7ddefc6c37c6d9c43a270e3c60a2c3ec1af937fe89f2cae
Instruction ID: bcafcf2066d22000753983ec8b338899d605be5744cf98942cb513ba3a78795d
Opcode Fuzzy Hash: b88dabcebcb70336f7ddefc6c37c6d9c43a270e3c60a2c3ec1af937fe89f2cae
Instruction Fuzzy Hash: C381EF72B0CA89A5EA14CB16E85437977A0FB88BE0F444235DE5E877A0EF3CE455E300

Function 00007FF637D0CAD0 Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(?,000016E6E96BAF31,-0000000400000000,00007FF637D004E7,?,?,000016E6E96BAF31,-0000000400000000,00007FF637E50F61,?,?,?,000000B3CABFF438,?), ref: 00007FF637D0CAEC
TryAcquireSRWLockExclusive.KERNEL32(?,000016E6E96BAF31,-0000000400000000,00007FF637D004E7,?,?,000016E6E96BAF31,-0000000400000000,00007FF637E50F61,?,?,?,000000B3CABFF438,?), ref: 00007FF637D0CB29
ReleaseSRWLockExclusive.KERNEL32(?,?,000016E6E96BAF31,-0000000400000000,00007FF637E50F61,?,?,?,000000B3CABFF438,?), ref: 00007FF637D0CB93
AcquireSRWLockExclusive.KERNEL32(?,?,000016E6E96BAF31,-0000000400000000,00007FF637E50F61,?,?,?,000000B3CABFF438,?), ref: 00007FF637D0CBFC

Memory Dump Source

Source File: 00000018.00000002.17583760031.00007FF637CE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF637CE0000, based on PE: true

Associated: 00000018.00000002.17583611620.00007FF637CE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584352488.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584438657.00007FF637F89000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584468751.00007FF637F8A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584519536.00007FF637F8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584558924.00007FF637F97000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584609328.00007FF637F98000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584646468.00007FF637FA3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584646468.00007FF637FB3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584750588.00007FF637FBA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584800002.00007FF637FBB000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584846015.00007FF637FBC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff637ce0000_onestart.jbxd

Similarity

API ID: ExclusiveLock$Acquire$ReleaseValue
String ID:
API String ID: 2488027873-0
Opcode ID: ad9f9b2430ee1dcaf3b9bb47b30e0c6910179a03baac067407a7ac2fc1e060e2
Instruction ID: 2383fd23f956d849179dfc2f0eb975963391e0bbeb9cb6a11a743eecac3f29f9
Opcode Fuzzy Hash: ad9f9b2430ee1dcaf3b9bb47b30e0c6910179a03baac067407a7ac2fc1e060e2
Instruction Fuzzy Hash: 6D314732A0C6078AEB549F15E8907B837A1FB54790F155239DA8EC33A0DF3CA895EB00

Function 00007FF637D0C5D0 Relevance: 6.1, APIs: 4, Instructions: 62COMMON

Download Yara Rule

APIs

AcquireSRWLockExclusive.KERNEL32(?,?,00000000), ref: 00007FF637D0C5F9
ReleaseSRWLockExclusive.KERNEL32(?,?,00000000), ref: 00007FF637D0C634
AcquireSRWLockExclusive.KERNEL32(?,?,00000000), ref: 00007FF637D0C650
ReleaseSRWLockExclusive.KERNEL32(?,?,00000000), ref: 00007FF637D0C660

Memory Dump Source

Source File: 00000018.00000002.17583760031.00007FF637CE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF637CE0000, based on PE: true

Associated: 00000018.00000002.17583611620.00007FF637CE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584352488.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584438657.00007FF637F89000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584468751.00007FF637F8A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584519536.00007FF637F8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584558924.00007FF637F97000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584609328.00007FF637F98000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584646468.00007FF637FA3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584646468.00007FF637FB3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584750588.00007FF637FBA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584800002.00007FF637FBB000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584846015.00007FF637FBC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff637ce0000_onestart.jbxd

Similarity

API ID: ExclusiveLock$AcquireRelease
String ID:
API String ID: 17069307-0
Opcode ID: 81a432325fb1fd7cb6a5a8b6f2f368b9a9e85f3b6fc75067a896ccc9fc6baa18
Instruction ID: 9000f673554a903ab47a1fa863997c06c3adb1bc681b954d4e2d2725c94c544c
Opcode Fuzzy Hash: 81a432325fb1fd7cb6a5a8b6f2f368b9a9e85f3b6fc75067a896ccc9fc6baa18
Instruction Fuzzy Hash: 2F211836A1DA8694EA62CF15ED441B823E4BB56BF4F414335CD6D833E0DE3CA18AE300

Function 00007FF637E93DB0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 00007FF637E93EC7
GetLastError.KERNEL32 ref: 00007FF637E93EE9

Strings

U, xrefs: 00007FF637E93E73

Memory Dump Source

Source File: 00000018.00000002.17583760031.00007FF637CE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF637CE0000, based on PE: true

Associated: 00000018.00000002.17583611620.00007FF637CE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584352488.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584438657.00007FF637F89000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584468751.00007FF637F8A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584519536.00007FF637F8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584558924.00007FF637F97000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584609328.00007FF637F98000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584646468.00007FF637FA3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584646468.00007FF637FB3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584750588.00007FF637FBA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584800002.00007FF637FBB000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584846015.00007FF637FBC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff637ce0000_onestart.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 114fdf3fc91748d6bb12e85a151d79e50c1e4de7bd6aac44a659bdf6cbbfd712
Instruction ID: adce71b8387cf71f519a86aaa3321174125b97993319ba6d88e7193cdde06192
Opcode Fuzzy Hash: 114fdf3fc91748d6bb12e85a151d79e50c1e4de7bd6aac44a659bdf6cbbfd712
Instruction Fuzzy Hash: B7419E23A1CB8596DB20CF25E8443AA67A1FB99B94F444035EE4EC7B98EF7CD441DB40

Function 00007FF637D25840 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 86libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF637D25925
GetProcAddress.KERNEL32 ref: 00007FF637D25935

Strings

GetHandleVerifier, xrefs: 00007FF637D2592B

Memory Dump Source

Source File: 00000018.00000002.17583760031.00007FF637CE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF637CE0000, based on PE: true

Associated: 00000018.00000002.17583611620.00007FF637CE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584352488.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584438657.00007FF637F89000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584468751.00007FF637F8A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584519536.00007FF637F8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584558924.00007FF637F97000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584609328.00007FF637F98000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584646468.00007FF637FA3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584646468.00007FF637FB3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584750588.00007FF637FBA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584800002.00007FF637FBB000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584846015.00007FF637FBC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff637ce0000_onestart.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: GetHandleVerifier
API String ID: 1646373207-1090674830
Opcode ID: a1c1d19f65d98023b0d1733b43932b65f78ed4e73884b6d6b55237372642bde8
Instruction ID: 8fa7a477f0970c80d19561620388e12bb0a45b149183a44c9d972e7bd2d49728
Opcode Fuzzy Hash: a1c1d19f65d98023b0d1733b43932b65f78ed4e73884b6d6b55237372642bde8
Instruction Fuzzy Hash: D2316931A0DA4681FE299B16E8807796360EF84B94F548776CA0FC37A1DE6EE442F300

Function 00007FF637CF4C30 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

GetFileSizeEx.KERNEL32 ref: 00007FF637CF4CB5

Part of subcall function 00007FF637E2ABE0: GetLastError.KERNEL32 ref: 00007FF637E2AC3F
Part of subcall function 00007FF637E2ABE0: SetLastError.KERNEL32 ref: 00007FF637E2AC49
Part of subcall function 00007FF637E2ABE0: SetLastError.KERNEL32 ref: 00007FF637E2AC5D

Strings

GetLength, xrefs: 00007FF637CF4C6C
..\..\base\files\file_win.cc, xrefs: 00007FF637CF4C73

Memory Dump Source

Source File: 00000018.00000002.17583760031.00007FF637CE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF637CE0000, based on PE: true

Associated: 00000018.00000002.17583611620.00007FF637CE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584352488.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584438657.00007FF637F89000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584468751.00007FF637F8A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584519536.00007FF637F8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584558924.00007FF637F97000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584609328.00007FF637F98000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584646468.00007FF637FA3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584646468.00007FF637FB3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584750588.00007FF637FBA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584800002.00007FF637FBB000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584846015.00007FF637FBC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff637ce0000_onestart.jbxd

Similarity

API ID: ErrorLast$FileSize
String ID: ..\..\base\files\file_win.cc$GetLength
API String ID: 3064237074-1822068241
Opcode ID: 4acf2d05e2c2e2df04f390b0e0af49383e5e69769b9bbe6cf6c08999b4035172
Instruction ID: d135f090f558f560b9d60bafc8eb19ca91a7f7a515683c49c48914674bf25a9c
Opcode Fuzzy Hash: 4acf2d05e2c2e2df04f390b0e0af49383e5e69769b9bbe6cf6c08999b4035172
Instruction Fuzzy Hash: BA11913171C98691FA259B29E815BE963E4FF84B88F405031DE8D97B15EE3DD18BD700

Function 00007FF637E77B7C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF637EB1291), ref: 00007FF637E77BCC
RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF637EB1291), ref: 00007FF637E77C0D

Strings

csm, xrefs: 00007FF637E77BFA

Memory Dump Source

Source File: 00000018.00000002.17583760031.00007FF637CE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF637CE0000, based on PE: true

Associated: 00000018.00000002.17583611620.00007FF637CE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584352488.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584438657.00007FF637F89000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584468751.00007FF637F8A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584519536.00007FF637F8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584558924.00007FF637F97000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584609328.00007FF637F98000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584646468.00007FF637FA3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584646468.00007FF637FB3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584750588.00007FF637FBA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584800002.00007FF637FBB000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584846015.00007FF637FBC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff637ce0000_onestart.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 9b9de20c10d3c5e3f6976e467822eb8683335a3fd586c5e76c78db5e328fcf60
Instruction ID: d5772b9c8ae89a7a4a443f536ca063a877ca65d878032d26267a04cb13e21c6c
Opcode Fuzzy Hash: 9b9de20c10d3c5e3f6976e467822eb8683335a3fd586c5e76c78db5e328fcf60
Instruction Fuzzy Hash: 47115B3260CB8182EB608B15E4402697BE5FB88B98F584238DE8C47769EF3CC551DB00

Function 00007FF637ED75E0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 39COMMON

Download Yara Rule

APIs

TryAcquireSRWLockExclusive.KERNEL32 ref: 00007FF637ED75FD
AcquireSRWLockExclusive.KERNEL32 ref: 00007FF637ED7633

Strings

Histogram.TooManyBuckets.1000, xrefs: 00007FF637ED75E4

Memory Dump Source

Source File: 00000018.00000002.17583760031.00007FF637CE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF637CE0000, based on PE: true

Associated: 00000018.00000002.17583611620.00007FF637CE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584352488.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584438657.00007FF637F89000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584468751.00007FF637F8A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584519536.00007FF637F8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584558924.00007FF637F97000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584609328.00007FF637F98000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584646468.00007FF637FA3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584646468.00007FF637FB3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584750588.00007FF637FBA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584800002.00007FF637FBB000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584846015.00007FF637FBC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff637ce0000_onestart.jbxd

Similarity

API ID: AcquireExclusiveLock
String ID: Histogram.TooManyBuckets.1000
API String ID: 4021432409-786474106
Opcode ID: e0ad7599376e42d109c30f743091da294e06a3b3a3d285ef7790238826bd813d
Instruction ID: 0726cee65cb8f1c364a3a09e96d0f66bb3bb3d9c8be364c9fda6e89ac1662fd5
Opcode Fuzzy Hash: e0ad7599376e42d109c30f743091da294e06a3b3a3d285ef7790238826bd813d
Instruction Fuzzy Hash: 3BF0F017B5DA1581EA169F1BAC4186816A4BF88FF2F598034CD0E83390DE3DE887E740

Function 00007FF637E62C10 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 33libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF637E62C43
GetProcAddress.KERNEL32 ref: 00007FF637E62C53

Strings

GetHandleVerifier, xrefs: 00007FF637E62C49

Memory Dump Source

Source File: 00000018.00000002.17583760031.00007FF637CE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF637CE0000, based on PE: true

Associated: 00000018.00000002.17583611620.00007FF637CE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584352488.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584438657.00007FF637F89000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584468751.00007FF637F8A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584519536.00007FF637F8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584558924.00007FF637F97000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584609328.00007FF637F98000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584646468.00007FF637FA3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584646468.00007FF637FB3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584750588.00007FF637FBA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584800002.00007FF637FBB000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584846015.00007FF637FBC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff637ce0000_onestart.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: GetHandleVerifier
API String ID: 1646373207-1090674830
Opcode ID: ec8ecec705cc256cb222fbaef8cd4141e7e619794cfb1312209cc8df9590ad45
Instruction ID: e1fdca904a175c62391e58098d56058fb01b72b77bf9549d90efcd2936c265d1
Opcode Fuzzy Hash: ec8ecec705cc256cb222fbaef8cd4141e7e619794cfb1312209cc8df9590ad45
Instruction Fuzzy Hash: 76013C24E0EA47C1FE188B65A8942792394BF58B94F008539CA0FC73A4DE2CA145F300

Function 00007FF637D00370 Relevance: 5.1, APIs: 4, Instructions: 86COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(?,?,000016E6E96BAF31,-0000000400000000,00007FF637E50F61,?,?,?,000000B3CABFF438,?), ref: 00007FF637D003A1
TlsGetValue.KERNEL32(?,?,000016E6E96BAF31,-0000000400000000,00007FF637E50F61,?,?,?,000000B3CABFF438,?), ref: 00007FF637D003EA
TlsGetValue.KERNEL32(?,?,000016E6E96BAF31,-0000000400000000,00007FF637E50F61,?,?,?,000000B3CABFF438,?), ref: 00007FF637D00421
TlsGetValue.KERNEL32(?,?,000016E6E96BAF31,-0000000400000000,00007FF637E50F61,?,?,?,000000B3CABFF438,?), ref: 00007FF637D0046A

Memory Dump Source

Source File: 00000018.00000002.17583760031.00007FF637CE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF637CE0000, based on PE: true

Associated: 00000018.00000002.17583611620.00007FF637CE0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584352488.00007FF637F3B000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584438657.00007FF637F89000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584468751.00007FF637F8A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584519536.00007FF637F8B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584558924.00007FF637F97000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584609328.00007FF637F98000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584646468.00007FF637FA3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584646468.00007FF637FB3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584750588.00007FF637FBA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584800002.00007FF637FBB000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000018.00000002.17584846015.00007FF637FBC000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_7ff637ce0000_onestart.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 3e9d133a10e24af19a7408fc11926cbbdb022d4cc999d575b978eee7a1d6806c
Instruction ID: 321047568f77f1605ad6bbf9498bc9adb2432e05cb97822fbb6ef51eb999b02d
Opcode Fuzzy Hash: 3e9d133a10e24af19a7408fc11926cbbdb022d4cc999d575b978eee7a1d6806c
Instruction Fuzzy Hash: E7410221A0CA4696EA61DB18E8916782361BB807B0F505739C53EC7BE4CF7CF852E754

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report pdfguruhub.msi

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

Cryptography

Compliance

Spreading

Networking

DDoS

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Config.Msi\79f3f9.rbs

C:\Program Files\chrome_Unpacker_BeginUnzipping8756_1450361068\LICENSE

C:\Program Files\chrome_Unpacker_BeginUnzipping8756_1450361068\_metadata\verified_contents.json

C:\Program Files\chrome_Unpacker_BeginUnzipping8756_1450361068\_platform_specific\win_x64\widevinecdm.dll

C:\Program Files\chrome_Unpacker_BeginUnzipping8756_1450361068\_platform_specific\win_x64\widevinecdm.dll.sig

C:\Program Files\chrome_Unpacker_BeginUnzipping8756_1450361068\manifest.fingerprint

C:\Program Files\chrome_Unpacker_BeginUnzipping8756_1450361068\manifest.json

C:\Program Files\chrome_url_fetcher_8756_811520105\oimompecagnajdejgnnjijobebaeigek_4.10.2830.0_win64_dldxogwi36sxwpr57ta4lg57z4.crx3

C:\Program Files\chromium_installer.log

C:\Program Files\scoped_dir3236_1079717512\Favicons

C:\Program Files\scoped_dir3236_1079717512\History

C:\Users\user\AppData\LocalLow\Intel\ShaderCache\d8c6ae4c33664fdd6a6a6fd7a4b90579babd05307e64a853668c87454a58f5e8

C:\Users\user\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

C:\Users\user\AppData\Local\Google\Chrome\User Data\NotificationHelperMetrics\56821d5b-dd6d-4e3d-b815-b8a2785eaa05.tmp

C:\Users\user\AppData\Local\Google\Chrome\User Data\NotificationHelperMetrics\8552_13375909792972402.pma (copy)

C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\ONESTART.PACKED.7Z

C:\Users\user\AppData\Local\OneStart.ai\OneStart Installer\CR_B7E4F.tmp\SETUP.EX_

Windows Analysis Report
pdfguruhub.msi

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre